Data security is one of those problems that consume vast amounts of time and effort in most IT departments. Secure it too tight and people cannot access what they need to do their job. If you are a listed company, however, there are plenty of other concerns. Regulation, compliance, business threatening fines. So what can companies do about this?
Enterprise Times editor Ian Murphy talked with Paul Mountford, CEO of Protegrity. On the agenda was the need for encryption, access control and AI. Mountford started with an interesting challenge for many organisations, how to protect data through mechanisms like encryption but still make it usable.
One reason for Mountford’s statement was data from Protegrity’s recent State of Data Security Optimisation and Monetisation report (registration required). The report states, “Although nearly all respondents (99%) said sensitive data is classified but accessible, it is not necessarily that easy to access. 32% of respondents said it could take 3-6 months to access data, with 37% citing 1-2 months for access. Only 2% said that they could access sensitive and classified data in less than a week or fairly instantly.”
Time to secure at the attribute level, but beware AI
Mountford believes that organisations need to think about how they secure their data. That means not securing the entire record just because of some PII. Instead, the sensitive data should be secured, leaving the rest available for analytics. When asked about encrypting data, he commented, “We do fine grain tokenization and pseudo anonymisation.”
That granular approach is about more than just freeing up data. Mountford talked about the need for attribute-based access control. It delivers access control with precision and, more importantly, is flexible enough to adapt to the way an organisation wants to access its data.
But there is a snag with attribute-based access control, and that is AI. Mountford remarked, “We see that AI will render it fairly useless or unusable. We’re looking at how we can clean data before it goes into the big data models for AI.”
This is about far more than just clean data. One comment that Mountford says he hears is organisations saying, “We’re not going to tokenize all of our data because there’s too much change involved. And so, therefore, we’re only going to protect the PII.” The challenge here is defining that PII. Different countries and trading blocs are all defining different items as PII. This is where Mountford believes that better education on data security is needed.
From attribute to context-based access control
Even identifying, cleaning and then protecting PII before AI gets at it might not be enough. And, according to Mountford, it opens up a new model for securing and sharing data.
First, Mountford would like organisations to use AI to automate the discovery of any possible instances of PII. Given the speed with which data grows, this makes sense but must be flexible. One reason for the flexibility is the risk of poorly formatted data that isn’t easy to pattern match. Another is making sure it doesn’t lock down data too tight.
Perhaps the biggest gain from using AI for discovery is that it can search all the data storage platforms an organisation uses. It can also check new data items as they are stored. This allows it to deliver a cohesive policy across all platforms.
But look beyond AI as a search and protect tool; there is something else here. Context is key with AI, especially generative and conversational AI. It is possible for someone to ask a question in several ways to uncover hidden or protected data by exploiting context. But context can also help the user.
Role-based and attribute-based access controls require someone to assign access and to revoke when no longer required. That takes time and process. It is one reason why people often end up with far more access than they actually require. Mountford sees AI as providing a new security access model – context-based access. It would understand why people need access and grant it based on its controls.
Who should be in charge of data?
Over the last five years we have seen data bounce around through different roles. Until the arrival of the Chief Data Officer (CDO), it was looked after by the Chief Information Officer (CIO)or the Chief Information Security Officer (CISO).
The problem for the CISO is that their focus is on data protection, not data usage. Mountford comments, “In the past, it would have been primarily on the CISO. They have limited budgets, they’re not normally tuned into the business. They’re there to hold ground and be the policemen nationwide.”
The CIO has similar problems. While they are more business-focused, they, too, are often concerned about security over access.
However, the role of the CDO is not widespread. Interestingly, Mountford says that most of his conversations start with the CDO. The CDO tends to be a more business than technology focused role. They understand the business needs access to data to be more effective.
Importantly, those same business users, despite popular belief, understand the risks in their data. As Mountford points out, “They also know that their brand and everything else goes to hell in a handbasket if they don’t have any protection and security.”
He continued, “But in reality, people don’t share data, certainly not sensitive data. And we think we’ve got a more balanced view there. And, of course, we can show the business advantage they get.”
You need to understand the use cases for data sharing
An interesting challenge for organisations is understanding the use case for capturing and using data. This is now, again, just about privacy laws. It is about knowing what value there is in data and where that value comes from.
Mountford talked about the health insurance business in the US. Protegrity works with most of the big health insurers and has many use case studies as a result. One is the ability to anonymise data to share it properly for research. Analysis of the data is also required to maintain and improve service levels.
There is also a battle for consumer trust. In the UK, there has been a lot of effort to share data across the NHS, with various methods proposed for keeping it secure. The problem, however, is that each health authority is a different body; within that, even hospitals and surgeries don’t share data.
In the US, the use case that Mountford talks about is different. There is a monetary incentive for the healthcare insurers to share data with their entire network. Sharing data is also about managing costs and monetising data. And that is where compliance becomes critical.
In Protegrity’s report, less than 50% of respondents believe that adhering to compliance and regulations such as GDPR, NIST2, and DORA will ensure data remains safe. They see the solution, once again, as tokenisation and pseudonymisation.
Choose a solution that allows cross-border data sharing
Tokenisation and pseudonymisation are also ways to solve wider data-sharing issues. For example, sharing across the organisation can be challenging if it is a global company. It can be equally challenging when the frameworks and compliance rules call for very specific ways to protect data.
Data sovereignty is one restriction for data sharing. Even when the data is encrypted, some countries make it hard to share it across borders. This, again, is where Mountford sees tokenisation and pseudonymisation coming into play.
He cites the work that Protegrity has done in Switzerland within the finance market. Data is identified as it is created and PII is automatically protected. Mountford commented, “We protect the data from the core on-premises. It can go to the cloud, but they must protect the sensitive PII. We already do that and meet those compliance needs.”
He says about cross-border data sharing, “Today, if you don’t have tokenization, or you don’t have some form of data security that can’t be breached and is safe in use and travelling, you’re breaking those rules.”
Enterprise Times: What does this mean?
Data security is often seen as part of cybersecurity. Mountford believes that is a mistake and that organisations must focus on data security separately. The biggest issue he sees today is money spent on cybersecurity that protects the network and ignores the data. Yet data is what everyone wants, and they will continue trying to get at it.
From the data in the Protegrity report, that lack of investment is starting to change. For example, just over 11% believe that 12-20% of the IT budget will go towards data security. The majority see between 6-15% of the IT budget being spent. For Mountford, this is still not enough. He believes some, at least, of the money being spent on cybersecurity should be reallocated to data security.
He also wants organisations to adapt to using AI to discover and protect data to enhance their security. Mountford also says that it’s an area that Protegrity is investing in for the future.
