Co-authored by: Ramakrishnan Kallidaikurichi
- Enterprise security spending is $75B+
- 93% of enterprises feel vulnerable to security threats
- 61% of enterprises have had at least one data breach
- In 2015 alone, 781 breach incidents compromised 169M records
- $217 per record is the average cost of a data breach
The proliferation of customer identifiable data processed by financial firms drives increased scrutiny of the practices that ensure end-customer rights. Regulations impose obligations, and penalties for non-compliance, on how customer data is treated, stored, distributed and accessed. A user's permitted access to data changes with location. There is a hard requirement to lock down customer identifiable data (CID) with infrastructural, regional, service-based and people-based boundaries enforced through compliant policies.
These stringent conditions have made organizations extremely cautious, and they respond by spending considerable sums of money to comply and ensure data protection. As a result, the potential for outsourcing and cost savings is limited. Moreover, as data spreads across horizontal and vertical lines of the business, few organizations have a firm grip on what constitutes sensitive data, where the data repositories are, and complete intelligence about them.
The EU is at the forefront of enforcing Subject Rights, having enacted the General Data Protection Regulation (GDPR), which goes into effect in May 2018. This regulation marks a milestone in data protection and will transform how businesses handle sensitive customer information. The GDPR imposes specific requirements on data controllers (for example, Deutsche Bank or Credit Suisse) and data processors (for example, a FinTech or IT service provider). It holds both accountable for ensuring the enforcement of Subject Rights, including the Right to Access (what customer data is held, how it is processed, what it is used for and who it is shared with) and the Right to Forget. Similar laws are applicable in the US and the UK.
FS space & Use Cases
Currently, the intelligence on sensitive data is driven by human declarations and enforced by strict policies. This can increase an organization's costs in the event of a breach or non-compliance.
There is an urgent need to identify sensitive data systematically. Today, many financial organizations are not well informed when it comes to categorizing and inventorying their data, which has many dimensions: attributes, locations, access rights, and so on. Most banks tend to keep the roles that handle sensitive data in the same location as the data itself. Even within a single function, the question becomes more pressing once the different roles involved are considered.
Database administrators (DBAs) have enhanced levels of access beyond the application, from being able to use back-end entry points such as database client applications and scripts, to accessing log files that contain sensitive data. In order to unlock the benefits of right-shoring for talent and cost, the DBA security policies must define comprehensive and effective anonymization mechanisms. This ensures that DBAs, irrespective of location, access mechanism, etc., remain productive in their roles.
ENTERPRISE SENSITIVE DATA MANAGEMENT (ESDM) Solution
The ESDM solution:
- Establishes a complete intelligence system on the sensitive data throughout the organization
- Eliminates roadblocks in the adoption of a location strategy or cloud deployments, driving faster TCO optimization
- Drives responsive compliance, evidence-based reporting, and readiness for evolving data protection regulations
- Achieves total protection of sensitive data, accurately
There are many by-products of implementing a solution on ESDM. Some of them are:
- A dynamic repository of complete sensitive data and its whereabouts
- Optimal access based on such sensitive data
- Freeing up on-site resources to move to other locations, once an ESDM solution is clearly in place
- Amenability for outsourcing or elimination of roadblocks for more outsourcing
- Elimination of barriers for adoption of new technologies
Here are a few examples of sensitive data grouped by different categories:
- Personal Identification (Name, Gender…)
- Personal IDs
- Customer identification
- Career details
- Birth details
- Family details
Any ESDM solution should consider the entire stack and be tool-driven. Our guiding principles are:
- Right tool: Selecting the right tool is critical for which a technical PoC is recommended. This can be used to verify the usefulness of the tool, scalability of the model, and evaluate a cost-benefit analysis. Possible operations for managing sensitive data could be static masking, dynamic masking, and finally retirement.
- Easy adoption: Critical use cases should be covered first.
- Scalable operating model: The service delivery model should be aligned to the outcome.
- Co-existence: The solution must co-exist in a heterogeneous environment supporting non-greenfield estate.
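The guiding principles above name four operations (discover, static masking, dynamic masking, retirement), and the earlier DBA discussion asks for anonymization that keeps a DBA productive without exposing CID. The following Python example is added here to illustrate those operations end to end; it is not HCL's or Mentis's code. The sample records, the column and value rules for the six categories listed earlier, the role model (dba, relationship_manager, compliance) and the masking key are all constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample records for the demo; not real customer data.
SAMPLE_RECORDS = [
    {"full_name": "Alice Example", "gender": "F", "passport_no": "X1234567",
     "customer_ref": "CUST-00042", "employer": "Example Bank", "dob": "1984-03-09",
     "spouse_name": "Bob Example", "legacy_field": "Z0001111", "account_balance": "1250.75"},
    {"full_name": "Carol Example", "gender": "F", "passport_no": "Y7654321",
     "customer_ref": "CUST-00043", "employer": "Example Corp", "dob": "1990-11-21",
     "spouse_name": "", "legacy_field": "n/a", "account_balance": "80.00"},
]

# Discovery rules keyed by the categories the post lists (assumed rules for the demo).
# A column is classified either by its name or, for poorly named legacy columns,
# by the shape of its values.
CATEGORY_RULES = {
    "Personal Identification": ({"full_name", "gender"}, None),
    "Personal IDs": ({"passport_no", "national_id"}, re.compile(r"[A-Z]\d{7}")),
    "Customer identification": ({"customer_ref"}, re.compile(r"CUST-\d{5}")),
    "Career details": ({"employer", "job_title"}, None),
    "Birth details": ({"dob"}, re.compile(r"\d{4}-\d{2}-\d{2}")),
    "Family details": ({"spouse_name"}, None),
}


def discover(records):
    """Build the sensitive-data inventory: {column: category} for every column that
    matches a rule by name, or by value in any record."""
    inventory = {}
    for rec in records:
        for col, val in rec.items():
            if col in inventory:
                continue
            for category, (names, pattern) in CATEGORY_RULES.items():
                if col in names or (pattern is not None and pattern.fullmatch(str(val))):
                    inventory[col] = category
                    break
    return inventory


# Placeholder key for the demo; a real deployment keeps the masking key in an HSM or KMS.
MASK_KEY = b"demo-static-mask-key"


def static_mask(records, inventory):
    """Static masking: irreversibly replace sensitive values in a copy destined for test
    or pre-production. HMAC tokens are deterministic, so equal inputs map to equal tokens
    and joins across tables still work."""
    masked = []
    for rec in records:
        copy = dict(rec)
        for col in inventory:
            token = hmac.new(MASK_KEY, str(rec[col]).encode(), hashlib.sha256).hexdigest()[:12]
            copy[col] = f"{col}_{token}"
        masked.append(copy)
    return masked


# Which categories each role may see in clear on live data (assumed role model for the demo).
ROLE_VIEW = {
    "dba": set(),  # operates the database, needs no CID in clear
    "relationship_manager": {"Personal Identification", "Customer identification",
                             "Family details"},
    "compliance": set(CATEGORY_RULES),  # audit role sees every category
}


def dynamic_mask(record, inventory, role):
    """Dynamic masking: redact at read time according to the caller's role; the stored
    record itself is untouched. Unknown roles see nothing sensitive."""
    allowed = ROLE_VIEW.get(role, set())
    return {
        col: val if inventory.get(col) is None or inventory[col] in allowed else "***"
        for col, val in record.items()
    }


def retire(records, customer_ref):
    """Retirement: drop every record for one customer (the Right to Forget case).
    Returns the surviving records and how many were removed."""
    kept = [r for r in records if r.get("customer_ref") != customer_ref]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    inv = discover(SAMPLE_RECORDS)
    print("inventory:", inv)
    print("static copy:", static_mask(SAMPLE_RECORDS, inv)[0])
    for role in ROLE_VIEW:
        print(role, dynamic_mask(SAMPLE_RECORDS[0], inv, role))
    print("records retired:", retire(SAMPLE_RECORDS, "CUST-00042")[1])
```

The inventory returned by `discover` is the "dynamic repository of sensitive data and its whereabouts" in miniature: it is what both masking functions consult, so a newly discovered column is masked without any further policy change. Note the `legacy_field` column is caught by its value shape alone, which is why discovery must scan values and not just schema names. The DBA role receives a fully redacted view while keeping the same record layout, so administration scripts keep working.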
HCL’s point of view
HCL has partnered with Mentis, one of the most innovative products in the IT services area. HCL’s ESDM solution uses Mentis to discover the sensitive data accurately, mask it seamlessly, monitor it continuously, and retire it securely. Gartner and Bloor regard this product as an innovator and a serious contender.
The product or tool should address the challenges posed by the different environments in the life cycle, such as test, pre-production and production, covering data, code, and the user community as depicted below.
The approach starts with the PoC, development of a business pilot, and realizing quick wins before rolling out to the rest of the organization.
Subsequently, the solution can be rolled out to other units over the following year. By the end of this, the organization has control over its sensitive data, and its usage, access, and deployment. Any future regulation in this area can be easily addressed.
Organizations seeking to stay ahead should adopt ESDM culture from the top down.
The benefits accrue in the form of an established setup that:
- Creates a comprehensive inventory of sensitive data lying in the organization, covering type of data, repository, artefacts, programs accessing the data, users, and locations, etc.
- Is able to consume mature IT services delivery
- Optimizes infrastructure spend by adopting multi-location models and platforms (cloud)
- Segregates roles clearly with respect to data access
- Unlocks previously held roles at the customer’s location to other low cost locations, after analyzing and implementing a suitable solution
- Eliminates roles that are no longer required in this connection
- Ensures compliance with local laws and is able to report on it clearly