Data protection is the process of protecting sensitive information from damage, loss, or corruption.
As the amount of data being created and stored has increased at an unprecedented rate, making data protection increasingly important. In addition, business operations increasingly depend on data, and even a short period of downtime or a small amount of data loss can have major consequences on a business.
The implications of a data breach or data loss incident can bring organizations to their knees. Failure to protect data can cause financial losses, loss of reputation and customer trust, and legal liability, considering most organizations today are subject to some data privacy standard or regulation. Data protection is one of the key challenges of digital transformation in organizations of all sizes.
Therefore, most data protection strategies have three key focuses:
Elements of a data protection program
The basic tenet of data protection is to ensure data stays safe and remains available to its users at all times. These are the two key principles of data protection: data availability and data management.
Data availability ensures users can access the data they need to do business, even if the data is corrupted or lost.
Data management encompasses two main areas of data protection:
The latest trends in data protection policy and technology include the following:
With the advent of hyper-converged systems, vendors are introducing devices that can provide backup and recovery in one device that integrates compute, networking, and storage infrastructure. Hyper-converged systems are replacing many devices in the traditional data center, and providing cloud-like capabilities on-premises.
Ransomware is a type of malware that infects a system, encrypts its data, and demands a ransom fee to release it. Traditional backup methods are useful for protecting data from ransomware. However, new types of ransomware are able to infect backup systems as well, rendering them useless. This makes it very difficult to restore the original version of the data.
To solve this problem, new backup solutions are designed to be completely isolated from the corporate network, and use other measures, like data encryption at rest, to prevent ransomware from infecting backups.
Disaster Recovery as a Service (DRaaS) is a cloud-based solution that allows an organization to create a remote copy of local systems or even an entire data center, and use it to restore operations in case of disaster. DRaaS solutions continuously replicate data from the local data center to provide a low recovery time objective (RTO), meaning they can spring into action within minutes or seconds of a disastrous failure.
CDM solutions simplify data protection by reducing the number of copies of data stored by the organization. This reduces overhead, maintenance, and storage costs. Through automation and centralized management, CDM can accelerate development lifecycles and increase the productivity of many business processes.
Every organization needs a data protection strategy. Here are a few pillars of a robust strategy:
Before adopting data protection controls, you must first perform an audit of your data. Identify data sources, data types, and storage infrastructure used throughout the organization.
Classify data into sensitivity levels, and see what data protection measures already exist in the organization, how effective they are, and which can be extended to protect more sensitive data. Often, the biggest potential is in leveraging existing data protection systems that are “lying around” or are not used consistently throughout the organization.
The security team in the organization should regularly assess security risks that may arise inside and outside the organization. Data protection programs must be designed around these known risks.
Internal risks include errors in IT configuration or security policies, the lack of strong passwords, poor authentication, and user access management, and unrestricted access to storage services or devices. A growing threat is malicious insiders or compromised accounts that have been taken over by threat actors.
External risks include social engineering strategies such as phishing, malware distribution, and attacks on corporate infrastructure such as SQL injection or distributed denial of service (DDoS). These and many most security threats are commonly used by attackers to gain unauthorized access to sensitive data and exfiltrate it.
Based on the organization’s analysis of its data assets, and the most relevant threats, it should develop a data protection policy that determines:
With respect to data protection, an organization’s security strategy should:
Finally, a data protection strategy must consider compliance obligations. Organizations or specific business units may be subject to a variety of regulations or industry-specific compliance standards. Below are the most significant regulations affecting data protection today.
European Union (EU): the GDPR
The General Data Protection Regulation (GDPR) applies to all organizations that do business with EU citizens, regardless of whether the company is located inside or outside the EU. Failure to comply can result in fines of up to 4% of worldwide sales or 20 million euros. The GDPR protects personal data such as name, ID number, date or address of birth, web analytics data, medical information, and biometric data.
Data protection laws in the USA
The USA does not have a sweeping regulation equivalent to GDPR, but it does have several regulations that affect data protection:
Data protection laws in Australia
The Australian Prudential Regulatory Authority (APRA) introduced a mandatory data privacy regulation called CPS 234 in 2019. CPS 234 requires organizations to improve information security measures to protect personal data from attacks.
CPS 234 applies to accredited deposit-taking institutions (ADI), general insurance companies, life insurance companies, private health insurance organizations, and companies licensed under RSE.
Imperva’s data security solution protects your data wherever it lives—on-premises, in the cloud, and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.
Our comprehensive approach relies on multiple layers of protection, including: