As data evolves, so does the threat landscape. Facing the possibilities of targeted breaches from external players, risky or negligent activity from insiders, and mounting pressure from the informed public, organizations need to be more intentional than ever with how they protect their data.
At the same time, both data security and privacy have become central to modern data-driven goals. In one TDWI survey, data security and privacy were ranked as the second highest priority for modern data management initiatives. Even so, they are often either used interchangeably or assumed to be entirely separate approaches to defending data. In this blog, we’ll define data security and privacy, and demonstrate how their interrelationship enables modern organizations to protect sensitive data.
What are Data Security and Privacy?
Data security encompasses a range of methods for protecting data resources from the evolving threat landscape. The National Institute of Standards and Technology (NIST) defines security as a “condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems.” This demonstrates the active nature of data security, as it is based on the tools, platforms, and processes that organizations enforce and maintain to defend their resources. Some measures that fall under the data security umbrella include data access controls, modern data governance, and dynamic data masking.
Data privacy, by contrast, is less about active defense than about prescribing what may be done with personal data. Rather than deploying protective measures, data privacy is the ability of individuals to determine why, when, how, and to what extent their personal information is collected, shared, and accessed. NIST defines privacy as both the “assurance that the confidentiality of, and access to, certain information about an entity is protected,” and the “right of a party to maintain control over and confidentiality of information about itself.” The growing number of data protection regulations enacted to safeguard individuals and their data is evidence of this prescriptive character.
Imagine that a streaming service has a large data set full of contact and credit card information for billing their subscribers. This data is from 2013, and is therefore no longer up to date with the current customer base. The organization needs to decide how best to protect this sensitive information from any potential leak or breach.
Considered in isolation, data privacy and data security would take different approaches to protecting this data. The privacy-oriented approach might focus on data retention policies: standards that dictate how data should be stored and archived, and for how long. If the data set falls outside the retention period, it may need to be moved to secondary storage or deleted outright, since data the organization no longer needs is risk with no offsetting benefit. From a security perspective, the organization would focus more on proactive measures–like data access controls and masking–that actively protect the data from unauthorized access or breach. Both pursue effective data protection, but privacy measures are prescribed in advance while security controls are applied operationally.
How Data Security and Privacy Operate in Tandem
Understanding the active nature of data security and the prescriptive nature of data privacy, one might assume that they operate independently. However, through their shared goal–protecting sensitive data and the data subjects it describes–data security and privacy reinforce one another and strengthen defenses against data misuse. Some of the specific overlaps of security and privacy initiatives include:
Data Masking and Encryption
Data privacy regulations set standards around the confidentiality of personally identifiable information (PII) in an effort to protect individuals from being identified and targeted following a data leak or breach. These standards are evident in regulations like the GDPR, which states in Recital 26 that the “principles of data protection should apply to any information concerning an identified or identifiable natural person.” The same recital draws the line that matters in practice: data that has been rendered anonymous falls outside those principles, whereas pseudonymized data that could still be attributed to a person using additional information remains personal data. Information that has been altered so it can no longer identify individuals is therefore a lower risk to personal privacy, but only if the means of re-identification are genuinely out of reach.
Enter data masking and encryption, practices that actively secure data in line with these regulatory standards. Data masking is an umbrella term for a range of methods that produce fake but convincing versions of data. These include nulling, redaction, pseudonymization, generalization, k-anonymization, and other processes aimed at de-identifying sensitive data; most are meant to be irreversible, while pseudonymization is reversible only by whoever holds the separately stored key or lookup table. Encryption is different in kind: it scrambles values so that only the holder of the decryption key can recover them, which protects data at rest and in transit but does not make it anonymous, since the key holder can always read it. Used together, masking limits what a query can reveal and encryption limits who can read the stored bytes, adding layers of security that in turn uphold privacy obligations.
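As an added example (not code from the original post or from Immuta), the following Python applies several of the masking methods named above to a small constructed billing data set: nulling, redaction, keyed pseudonymization, generalization, and a k-anonymity check that shows why generalization is needed before release. Encryption is left out because Python's standard library does not ship an AES implementation. The HMAC key, column names, and sample records are assumptions for illustration.

```python
"""Masking primitives applied to a constructed billing data set (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictional subscribers, industry test card numbers.
RECORDS = [
    {"name": "Ada Lovelace",    "email": "ada@example.com",    "zip": "02139", "age": 36, "card": "4111111111111111"},
    {"name": "Alan Turing",     "email": "alan@example.com",   "zip": "02139", "age": 38, "card": "5500000000000004"},
    {"name": "Grace Hopper",    "email": "grace@example.com",  "zip": "02140", "age": 42, "card": "340000000000009"},
    {"name": "Edsger Dijkstra", "email": "edsger@example.com", "zip": "02140", "age": 47, "card": "6011000000000004"},
]


def null_out(_value):
    """Nulling: the column stays in the schema but carries no value."""
    return None


def redact_card(pan: str) -> str:
    """Redaction: keep only the last four digits, enough to confirm a card
    with a customer but useless for charging it."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization with a keyed hash (HMAC-SHA256). The token is stable,
    so analysts can still join and count on it, but without the key it cannot
    be reversed or recomputed from a guessed input, which an unkeyed hash of a
    short value such as an email address would allow."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int, width: int = 10) -> str:
    """Generalization: replace an exact age with a bucket such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def k_anonymity(records, quasi_identifiers) -> int:
    """Return k for the data set: the size of the smallest group of records that
    share the same values of the quasi-identifier columns. k == 1 means at
    least one person is unique on those columns and can be singled out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def mask_for_analytics(records, key: bytes):
    """Produce the de-identified copy an analytics team would receive."""
    return [
        {
            "name": null_out(r["name"]),
            "email": pseudonymize(r["email"], key),
            "zip": r["zip"],
            "age": generalize_age(r["age"]),
            "card": redact_card(r["card"]),
        }
        for r in records
    ]


if __name__ == "__main__":
    key = b"rotate-me-and-keep-me-out-of-the-warehouse"  # assumption: per-environment secret
    print("k on raw data:   ", k_anonymity(RECORDS, ["zip", "age"]))
    print("k on masked data:", k_anonymity(mask_for_analytics(RECORDS, key), ["zip", "age"]))
```

On the raw records every subscriber is unique on zip code plus exact age (k = 1); after generalizing age into ten-year buckets each combination is shared by two people (k = 2). The pseudonymization key must live outside the warehouse that holds the masked copy, otherwise the "masked" data is reversible by anyone who can read both.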
Data Access Management
Data access management refers to the processes of efficiently collecting, storing, securing, and facilitating access to data. This is no small task, as streamlined access to data is paramount to the user’s ability to complete their objectives. But this access should not come at the expense of data privacy. It needs to be achieved in compliance with privacy standards so that the wrong people are not seeing protected sensitive personal data. For example, would you want someone in the marketing department of a rideshare app to have access to your credit card information? Likely not–but the finance and billing departments need to have this number so you can continue to pay for their service.
This is where data access control helps balance compliance with efficient access. Using methods like attribute-based access control (ABAC) and purpose-based access control allows teams to implement dynamic policies that determine user access at query time. These decisions are based on a range of user attributes and contextual purposes, rather than static roles that can become outdated or limiting. When access policies are implemented consistently across the modern data stack, they can help to ensure data use is compliant and in line with privacy requirements.
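To make the query-time decision concrete, here is an added example (not Immuta's policy engine or code from the original post) in Python: a small attribute- and purpose-based policy that is evaluated per column when a query runs, and that either returns the value, masks it, or refuses the query because the user's department is not entitled to the declared purpose. The departments, purposes, column tags, and sample rows are all assumptions chosen to mirror the rideshare scenario above.

```python
"""Query-time access decisions from user attributes and declared purpose (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str   # the user attribute the policy keys on


# Column tags as a discovery/classification step would produce them (assumed).
COLUMN_TAGS = {
    "subscriber_id": set(),
    "email": {"pii"},
    "card": {"pii", "payment"},
    "watch_minutes": set(),
}

# Which purposes each department may declare on a query (assumed policy).
DEPARTMENT_PURPOSES = {
    "finance": {"billing", "fraud_review"},
    "marketing": {"marketing_analytics"},
}

# Which tags a declared purpose unlocks in the clear (assumed policy).
PURPOSE_UNLOCKS = {
    "billing": {"pii", "payment"},
    "fraud_review": {"pii", "payment"},
    "marketing_analytics": set(),
}


def mask(column: str, value):
    """Masking applied when the policy answers 'mask' rather than 'allow'."""
    if column == "card":
        return "*" * (len(value) - 4) + value[-4:]
    return "<redacted>"


def decide(user: User, purpose: str, column: str) -> str:
    """Return 'allow' or 'mask' for one column. Raises PermissionError when the
    user's department is not entitled to the declared purpose at all."""
    if purpose not in DEPARTMENT_PURPOSES.get(user.department, set()):
        raise PermissionError(
            f"{user.name} ({user.department}) may not query for purpose {purpose!r}"
        )
    tags = COLUMN_TAGS[column]
    if not tags:
        return "allow"        # nothing sensitive in this column
    if tags <= PURPOSE_UNLOCKS[purpose]:
        return "allow"        # the purpose covers every tag on the column
    return "mask"             # entitled to the purpose, but not to this data in the clear


def run_query(user: User, purpose: str, columns, rows):
    """Evaluate the policy once per column for this query, then apply it to every row."""
    decisions = {c: decide(user, purpose, c) for c in columns}
    return [
        {c: (row[c] if decisions[c] == "allow" else mask(c, row[c])) for c in columns}
        for row in rows
    ]


# Constructed rows (fictional subscribers, industry test card numbers).
ROWS = [
    {"subscriber_id": 1, "email": "ada@example.com",  "card": "4111111111111111", "watch_minutes": 812},
    {"subscriber_id": 2, "email": "alan@example.com", "card": "5500000000000004", "watch_minutes": 95},
]

if __name__ == "__main__":
    cols = ["subscriber_id", "email", "card", "watch_minutes"]
    print(run_query(User("bob", "finance"), "billing", cols, ROWS))
    print(run_query(User("carol", "marketing"), "marketing_analytics", cols, ROWS))
```

The same user can get different answers on the same table depending on the purpose declared, and a purpose the department is not entitled to fails closed before any row is read. Note that the policy lives in one place and is applied to whatever the query asks for, which is what makes it consistent across the data stack rather than re-implemented per application.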
Data Breach Response
In the event that a data breach or leak does occur, organizations must be prepared to respond quickly and decisively to protect individuals’ privacy. At a base level, this requires some form of breach detection in the data ecosystem. Through consistent monitoring of who queries what, how much, and when, teams can watch for anomalous or fraudulent data access. When such behavior is flagged, they can be alerted immediately, triage whether it is a genuine breach, and organize a swift response.
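As an added example (not a product feature or code from the original post), the Python below runs three simple detections over a constructed JSON-lines query audit log: a read of a sensitive table that dwarfs the user's own prior maximum, a sensitive read outside business hours, and a user touching a sensitive table they have never queried before. The log format, thresholds, business-hours window, and the idea of seeding a baseline from the period before a cutoff are all assumptions for illustration.

```python
"""Anomalous-access detection over a constructed query audit log (added example)."""
import json
from collections import defaultdict
from datetime import datetime

SENSITIVE_TAGS = {"pii", "payment"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC; assumption
BULK_FACTOR = 10                # rows returned vs. the user's prior maximum on that table
BULK_FLOOR = 1000               # do not let a tiny baseline make every read look bulk

# Constructed audit log, one JSON record per query (not real data).
AUDIT_LOG = """
{"ts": "2024-03-04T09:12:01Z", "user": "bob",   "table": "billing.cards",           "rows": 3,      "tags": ["pii", "payment"]}
{"ts": "2024-03-04T10:40:13Z", "user": "bob",   "table": "billing.cards",           "rows": 5,      "tags": ["pii", "payment"]}
{"ts": "2024-03-05T09:02:44Z", "user": "bob",   "table": "billing.cards",           "rows": 4,      "tags": ["pii", "payment"]}
{"ts": "2024-03-05T11:30:00Z", "user": "carol", "table": "analytics.watch_history", "rows": 120000, "tags": []}
{"ts": "2024-03-06T02:17:39Z", "user": "bob",   "table": "billing.cards",           "rows": 48000,  "tags": ["pii", "payment"]}
{"ts": "2024-03-06T14:05:10Z", "user": "carol", "table": "billing.cards",           "rows": 200,    "tags": ["pii", "payment"]}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str):
    """Parse JSON lines into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = _parse_ts(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_sensitive(event) -> bool:
    return bool(SENSITIVE_TAGS & set(event["tags"]))


def detect(events, baseline_until: str):
    """Score events at or after the cutoff against the history seen before them.
    Events before the cutoff only build the per-(user, table) baseline."""
    cutoff = _parse_ts(baseline_until)
    max_rows = defaultdict(int)   # (user, table) -> largest result seen so far
    alerts = []
    for e in events:
        key = (e["user"], e["table"])
        if e["ts"] >= cutoff and is_sensitive(e):
            stamp = e["ts"].isoformat()
            if key not in max_rows:
                alerts.append((stamp, e["user"], "new_sensitive_table"))
            elif e["rows"] > max(BULK_FLOOR, BULK_FACTOR * max_rows[key]):
                alerts.append((stamp, e["user"], "bulk_sensitive_read"))
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append((stamp, e["user"], "off_hours_sensitive_access"))
        max_rows[key] = max(max_rows[key], e["rows"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(AUDIT_LOG), "2024-03-06T00:00:00Z"):
        print(*alert)
```

Carol's large read of the untagged watch-history table raises nothing, because volume alone is not the signal; volume against sensitive data, or sensitive data reached in an unusual way, is. Bob's 48,000-row pull of card data at 02:17 trips two rules at once, and Carol's first-ever query against the cards table is flagged even though it is small. Each alert is a lead for the response process that follows, not a confirmed breach.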
To act on a detection, teams need a data breach response protocol created in advance and followed once a breach is confirmed. This plan should be heavily informed by data privacy standards and built to comply with them as closely as possible. Any breach response should include steps like containment, assessment, notification, investigation, remediation, and evaluation in order to holistically identify, stop, and address the cause and impact. Data privacy comes into play especially in the notification and remediation steps, as reporting policies and other regulations provide legal guidance for who must be informed, how quickly (the GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible), and how the breach should be repaired.
Data Security and Privacy in Action
It’s clear that data security and privacy, while their own distinct concepts, are often intertwined. But how can teams implement security measures across their data in a way that clearly adheres to privacy standards?
By integrating a data security platform (DSP) into their data stack, teams can ensure that dynamic data security controls are both comprehensive and compliant with privacy requirements. By subjecting data sets to sensitive data discovery and classification, sensitive resources can be tagged appropriately and privacy-enhancing technologies, like masking and encryption, can be applied. Dynamic access control policies can then be created in accordance with compliance needs, and applied universally on any query. Meanwhile, continuous monitoring and detection capabilities help maintain a watchful eye over sensitive data and notify teams of any breach that could affect data privacy.
To learn more about how the Immuta Data Security Platform enables these capabilities and protects sensitive data through the combination of data security and privacy measures, request a demo from one of our experts.