What Are the Different Types of Privacy Protection?
Data privacy protection refers to measures to protect sensitive data of enterprises.
- The need to protect sensitive corporate, employee, and business data is growing, no matter where such data is located. So far, most data thefts have originated from malicious intrusions by individual hackers into production databases. In view of the significant legal liability and negative publicity that a series of well-known and costly thefts has caused for the victims, protective measures against such attacks are rapidly maturing, but attackers are also pressing harder.
- Although the industry has responded to the most sinister data theft, many computer systems still have vulnerabilities at some levels. Today's new data security disciplines have not actually touched and protected an important data layer: non-production systems for development, testing, and training. In enterprises of all sizes, these systems often fail to provide adequate protection, leaving huge holes in data privacy. These environments use real data to test applications and store some of the most confidential or sensitive information in the enterprise, such as ID numbers, bank records, and other financial information.
- Confidentiality, integrity, and availability are the foundation of data privacy and good business practices. Following these business practices is critical to achieving the following:
- Comply with current regulations and industry standards
- Provide reliable and accurate high-performance services
- Favorable competitive positioning
- Enterprise reputation
- Customer trust
- "Best practices" can vary greatly in different situations, even for certain types of controls such as passwords. The word "best" in this article is not its literal meaning. It is more like a combination of concepts such as "good", "common", "prudent", "industry standard" or "recognized".
- Please note that frameworks such as ISO 27001, COSO, COBIT, and ITIL provide a wide range of control objectives, but do not provide specific information protection controls. Although there is no established framework that your business can use to implement best practices, there are various data protection controls that are generally accepted as reasonable, basic, and good practice. In the end, your management team, disciplinary staff, and industry standards are the true authority that determines what best practices are applicable to your business.
- Every business has sensitive data: trade secrets, intellectual property, critical business information, business partner information, or customer information. All such data must be protected in accordance with company policies, regulatory requirements, and industry standards. This section discusses several elements for protecting such data.
- Any business that collects, uses, and stores sensitive information should develop information classification policies and standards. The classification policy and standard should include a few classification levels according to the needs of the enterprise. Most businesses have at least three categories: public, internal use only, and confidential.
- Many companies have long-standing guidelines for data classification. However, with the development of a growing number of new regulations and industry standards, the existence of corporate policies is no longer sufficient. Some companies have invested a lot of time and energy in implementing their data protection policies in their information technology (IT) infrastructure by deploying different controls and tools to minimize the risk of violations. Data leak detection, prevention, and protection technologies that have emerged over the past few years are now widely adopted by IT organizations.
- Data governance, risk management, compliance, and business requirements should determine the number and definition of each data category, as well as requirements for data identification, storage, distribution, disclosure, retention, and destruction. Obviously, regulatory and industry rules and standards will play an important role in the definition process. Other data also needs protection, including trade secrets, research results, formulations, findings before patent applications, and various forms of customer and employee information.
- Another important aspect of data protection is to understand how data is used in business operations and how it is stored (such as hard copies, electronic documents, database storage). In addition, protection requirements vary in different types of operating environments such as production, production support, development, quality assurance (QA), or third parties.
- The protection requirements for sensitive or confidential data must be clearly defined, and specific requirements must be reflected in corresponding regulatory and industry rules and standards or business policies. Certain data elements must be marked as sensitive and should never be used in their real form in development, quality assurance, or other non-production environments. Data classification policies should clearly identify data masking requirements.
- Finally, companies must implement audit processes that regularly provide independent reviews to ensure compliance with best practices.
- Companies must establish a full set of policies and procedures for the classification of all private, sensitive, and confidential data, in order to provide adequate protection for their critical data assets. In addition, companies should implement the following steps:
- 1. Provide regular training to employees, contractors and third-party service providers to raise their awareness of data classification
- 2. Integrate protection procedures into daily business processes and automate processes as much as possible
- 3. Periodically conduct independent audits and report results to senior management
- Sensitive data comes in two forms: structured and unstructured. Structured sensitive data exists in business applications, databases, enterprise resource planning (ERP) systems, storage devices, third-party service providers, backup media, and external storage facilities. Unstructured sensitive data is scattered throughout the enterprise's infrastructure, including desktops, laptops, various removable hard drives and other endpoints.
- Companies must define, implement and enforce their data classification policies and provide procedures and standards for protecting structured and unstructured sensitive data. For unstructured data, enterprises can use endpoint security tools to control the use of portable devices and media, content analysis tools to detect the presence of sensitive data, and encryption tools to prevent unauthorized access to these devices. For structured data, enterprises can use encryption and data masking software.
- A data breach is the intentional or inadvertent disclosure or loss of data to an untrusted third party. Business partners, customers, and employees believe that companies holding data about them will take reasonable steps to protect the confidentiality and integrity of their sensitive data, and these companies must anticipate and protect sensitive data against intentional or unintentional misuse, leakage, or theft.
- Available technologies range from simply blocking devices, paths, ports, and other forms of access, and large-scale encryption of devices, media, and connections, to more complex or selective blocking. Existing technologies can monitor content in real time to identify selected information, status, personnel, permissions, and operations, and then block, isolate, encrypt, log, alert on, or sanitize the data. There are two methods: scanning static data and analyzing dynamic data. These technologies can be deployed in multiple parts of the infrastructure, but are more common in endpoint devices and external gateways. Endpoint devices usually include removable digital storage devices, hardware devices, and various forms of network connections. These connections provide access to many internal network resources. In some cases, they can circumvent internally managed network gateways and extend beyond the enterprise. These devices often become channels for data leakage.
- Some of the main drivers of data leakage prevention come from regulations, such as the Financial Services Modernization Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and 37 state anti-leakage laws, or from industry requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), in addition to national security bodies and standards such as the NERC cyber security standards (CIP), DHS, and NIST, and corporate policies.
- Prevent data leakage
- Deploy and integrate technologies and processes throughout the infrastructure to detect and/or prevent leakage of sensitive data from the enterprise. These steps will require physical and logical controls and technology, changes to routine business and operational processes, and continuous monitoring and evaluation of those who access sensitive information.
- Sensitive data and data desensitization
- It is important to have a common definition of "real data" and what we call "non-informative but real data" or "masked data."
- For example, in SAP ERP, data characteristics are defined by data elements, including type, length, and business terms such as "first name", "last name", or "city".
- The data actually held in an element may be real (such as a real social security number) or not real (such as a combination of random numbers that conforms to the data definition for that particular data element). Data elements such as "customer" or "order" are often related to each other through the use of key fields. Protecting a single data element becomes complicated when it is associated with many data elements. In individual cases, some data elements may not contain sensitive data on their own, but once connected with other data elements, all of them become sensitive data. Therefore, data masking software must reach a high degree of precision quickly to ensure protection (masking) for all sensitive data, while still maintaining the contextual value and referential integrity of the data.
- Sometimes companies develop their own data masking tools, but the efficiency of these tools varies. However, due to urgent pressure from regulatory requirements and the risk of fines, adverse effects on goodwill, and the possibility of criminal convictions, companies have turned to third-party data masking technologies that are regularly updated in accordance with evolving standards and regulations.
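- The key-field problem described above, as an added example that is not part of the original article or any vendor's product: a keyed, deterministic mask gives the same real value the same masked value in every table, so a masked "order" still joins to its masked "customer". The field names, sample rows, and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key for this example; load a real one from a secret store.
MASKING_KEY = b"example-only-masking-key"
FIRST_NAMES = ["Alex", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]

def digest(field, value):
    """Keyed digest: the same field and value always yield the same bytes."""
    msg = f"{field}:{value}".encode()
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()

def mask_digits(field, value):
    """Swap every digit for a keyed pseudorandom one; keep length and separators."""
    stream, out, i = digest(field, value), [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_name(field, value):
    """Pick a stand-in name from a fixed list, again deterministically."""
    return FIRST_NAMES[digest(field, value)[0] % len(FIRST_NAMES)]

# Masking rules per data element; elements without a rule pass through unchanged.
RULES = {"customer_id": mask_digits, "ssn": mask_digits, "first_name": mask_name}

def mask_row(row):
    return {k: RULES[k](k, v) if k in RULES else v for k, v in row.items()}

def mask_dataset(customers, orders):
    """Mask both tables, then verify the customer/order join still holds."""
    masked_customers = [mask_row(r) for r in customers]
    masked_orders = [mask_row(r) for r in orders]
    real_keys = {r["customer_id"] for r in customers}
    masked_keys = {r["customer_id"] for r in masked_customers}
    # Digit masking is not one-to-one: two real keys may collide and merge customers.
    if len(masked_keys) != len(real_keys):
        raise ValueError("masked key collision: change the key or widen the field")
    orphans = [o["order_id"] for o in masked_orders if o["customer_id"] not in masked_keys]
    if orphans:
        raise ValueError(f"orders without a customer after masking: {orphans}")
    return masked_customers, masked_orders

# Constructed sample rows (not real people or real identifiers).
CUSTOMERS = [
    {"customer_id": "100482", "first_name": "Maria", "ssn": "900-11-2222", "city": "Austin"},
    {"customer_id": "100977", "first_name": "Chen", "ssn": "900-33-4444", "city": "Denver"},
]
ORDERS = [
    {"order_id": "A-1", "customer_id": "100482", "total": "59.90"},
    {"order_id": "A-2", "customer_id": "100977", "total": "12.00"},
    {"order_id": "A-3", "customer_id": "100482", "total": "7.25"},
]

if __name__ == "__main__":
    for table in mask_dataset(CUSTOMERS, ORDERS):
        for row in table:
            print(row)
```

Because the field name is part of the keyed input, the same digits in two different data elements mask to different values, while the shared `customer_id` key masks identically in both tables.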
- Data desensitization best practices
- Use proven commercial solutions to mask sensitive data in production and non-production environments such as development, quality assurance, sandbox systems, training, production support, and production. Select a vendor that includes the following in its solution:
- Supports multiple databases and applications
- Proven track record of success
- Data discovery
- Out-of-the-box data masks raw data to speed project completion time
- The conversion logic is straightforward and easy to understand
- Scalable high-performance data masking server
- Data masking rules are easy to use and reusable
- Built-in separation of duties
- Audit and verification functions
- Make data masking part of your standard data provisioning process, eliminating sensitive data in non-production environments.
- Never provide unmasked sensitive data to third parties or offshore teams.
- Never allow developers or other unauthorized personnel to access production data unless sensitive data is dynamically masked.
- The requirements for protecting sensitive data may vary depending on the country in which your business does business. Data privacy laws exist in almost every country, so it's important that you perform a comprehensive review of each relevant law and its support requirements. You will find, at least in terms of its substance or intent, that such regulations have a lot in common. This white paper will focus on some of the most commonly used regulations in North America.
- Regulatory and industry requirements
- Although each regulation is unique, following one will help you comply with the others (or minimize the risk of violations). In general, data security technologies can be applied to a wide range of these regulatory requirements as well as a variety of industries. Best practices developed in one industry are likely to help others.
- Many financial services companies have long paid attention to data security issues. Most of the controls required by regulators are simply seen as good business practices for winning customer trust, and the latest regulations have added only a few new concepts. Many companies will find that they are familiar with compliance.
- Because such testing and monitoring should be performed by parties who are not directly involved with the facilities or operations subject to the control measures, a new business function called "IT Risk Management" or "IT Data Governance" is clearly emerging as a new best practice. The financial services industry bears the brunt, but other industries are following suit.
- Many regulations and industry standards have special requirements for third-party service providers. These service providers include IT outsourcers, third-party software vendors, and providers that perform specific business process steps (such as businesses that need to obtain customer names and addresses to send promotional emails for companies).
- Just because the information involved is handled by someone else doesn't mean that your business is relieved of responsibility for protecting sensitive information.
- Regulations and industry standards either imply or state that companies must adjust to actual changes. Your business must keep up to date with changes in business risk profiles, business processes, employee training, all types of threats, technology, software errors, and a steady stream of software application patches.
- General compliance best practices
- One of the most important aspects of data privacy is the use of risk management methods. If your business handles health, financial or other personal information, then you should use risk aversion as a risk model, so your interpretation of these requirements should tend to adopt higher standards of control.
- Privacy is a sub-category of confidentiality, and in the essence of these regulations and industry standards, you must protect them from unauthorized access by adopting the latest industry security technology products and solutions.
- Some best practice techniques are to filter content at hosts and network gateways, encrypt or mask data at rest, segment the network around sensitive data stores, and log all access attempts to sensitive data at the infrastructure and application level. Data at rest must be encrypted in all environments and masked in non-production environments. One of the new best practices is the use of tamper-resistant technology in data storage environments.
- Portable device encryption is now an industry standard best practice, and failing to encrypt portable devices containing sensitive information can be considered negligence by regulators, courts, and the public.
- Perform real-time and frequent testing of your security infrastructure and IT control environment. Disaster recovery and business continuity plans should be tested at least once a year by physically switching to their respective sites. Some companies test their disaster recovery plans on a quarterly basis.
- As long as the decision to assume a risk is made by the right people, and as long as those people have enough information, any risk can be assumed.
- Risk can lead to potential consequences that increase the cost of doing business. Controls are no exception. They may add obvious costs (such as new processes, IT equipment, or software licenses), and may also introduce quality costs (such as inconvenience to customers or employees, or processing overhead). A control is reasonable only if its cost is less than the cost of the harm avoided.
- No matter how much you pay, perfect control is not possible. This is another balancing act. Strict controls are often more costly and almost always cause more disruption to processes and people. The least privilege and "need-to-know" principles are widely accepted best practices, but they are not always easy to implement. If you limit a user's permissions to the minimum required to complete their work, you minimize the risk that user's access poses to your environment. Some companies believe that all employees should be given the ability to serve customers in any way. This business choice has more or less limited access to rights. People either maintain or undermine security, and no amount of technology can remedy bad practices and behaviors.
- In the final analysis, each control relies on some kind of human process that can go wrong: establishing, configuring, managing, and using the control.
- Securing data during development
- Data that is processed by and/or stored in applications and databases must be protected. Therefore, applications and databases must be secured. For application and database security, infrastructure security is necessary but not sufficient. Applications and databases should contribute to the overall security model and complement dynamic data masking software.
- In non-production environments, applications and databases are more open when application-layer security is not applicable. Some might argue that tightly protecting the infrastructure hosting the application is sufficient, but this is far from the truth. Applications are at the top of the IT food chain: they are at the core of the business lifeline and a channel to consumers, business customers, and business partners. Control measures started in the IT department, but in the development and quality assurance environment, due to the nature of the user's job function, it is impractical to adopt strict control measures. To fulfill their responsibilities, developers, testers, and trainers will require access to many different types of data across the enterprise.
- The data masking method used by Informatica is applied in real time based on the end user's network permissions and works seamlessly with existing Active Directory, LDAP, and Identity Access Management software, so that each user's individual network login triggers the data masking rules that correspond to the type of information that user is allowed to access. This verification process can be easily extended to additional databases as the number of end users grows, resulting in a delay of only 0.15 milliseconds and hardly any noticeable impact on network resources [1]
- In today's competitive market, data security and fast performance are indispensable. With dynamic data masking, organizations can quickly upgrade and expand to provide real-time protection for sensitive and private information without forcing IT departments to make costly and time-consuming changes to applications and databases, thereby avoiding an impact on productivity and, more importantly, without compromising the ability of employees to perform their duties.