Data Security Controls: Beyond Encryption


This content is over 24 months old. While the research and opinions expressed by Neuralytix were valid when published, readers should not rely on the applicability of the content in the context of today’s market.

Data encryption is clearly a best practice. However, an Informatica/Ponemon survey of enterprises in 2014 showed that less than 50% of enterprises are doing any form of data encryption (Figure 1). But beyond encryption, what other techniques are enterprises using to protect data?

2015-03-16 - Informatica - Feb Connection


Figure 1: Data Security Controls (Informatica, 2015)

The fact that encryption does not have anything close to a 100% adoption rate is partly responsible for the exponential increase in the number of records exposed in data breaches over the last several years.

But encryption is only good for data at rest and in flight. Data encryption is useless once an application opens its data. At that point, the data becomes vulnerable to man-in-the-middle attacks and to malicious insiders. What happens when your enterprise needs to collaborate with other organizations, and the data is passed over the Internet?

At that point, two organizations can set up point-to-point encryption, but what if an organization or government agency wants to do business with hundreds or thousands of businesses or individuals? It would be impractical to set up and manage different encryption schemas between thousands of organizations. In turn, those organizations would need to have encryption schemas with whomever they conduct business. In addition, when the information is transferred, you, as the data owner, are still responsible.

So from one organization, there is an infinite number of encryption schemas that would need to be set up. And this assumes that every organization is encrypting its data exchanges, which is not a reasonable assumption.

Could the data breaches that have occurred have been completely avoided? The answer is no.

But going beyond encryption could have helped. Among the technologies currently available are data anonymization and data masking. Data security could also be enforced by associating data objects with specific users, rather than applying security at the application level. Anything and everything that can be done to de-identify, desensitize and anonymize data at all levels should be exercised.

The survey referenced above showed that less than 20% of the surveyed enterprises were going beyond encryption to more advanced tokenization or masking solutions. This means that 80% of the enterprises are not deploying any advanced technologies to ensure the security of the data they are storing – about you and me!

The growth of data, often cited as the cause of the data security problem, is no more a problem than it has been in the past. The challenge is the interdependencies and complexities of integrating disparate datasets, often owned and controlled by different entities with different (sometimes conflicting) business objectives.

While application and network security and encryption provide basic data security, they do not address the problems associated with the data lakes that many organizations are creating, or with information that more routinely needs to be shared for mission or business purposes. These data lakes mix both sensitive and non-sensitive data, so that the same enterprises can mine the data or use analytics to generate competitive advantage and business value. But it is these same processes that are creating new exposure to data breaches. For data sharing and access, “least privilege” should be invoked and data anonymized to ensure security and privacy.

Software vendors such as Informatica are addressing these issues with advanced technologies. Neuralytix advises enterprises large and small to adopt and deploy these technologies urgently.




This Research Note is sponsored by Informatica. All opinions expressed are those of Neuralytix and its analysts.