Data Protection and Digitization - Best Practices for Business and IT

What can companies do proactively to address privacy and security requirements? We outline the challenges and basic approaches to addressing them.

Author: Christian Ludt

Access to sensitive data is becoming more and more commonplace, and FinTech, InsurTech and LegalTech are opening up ever more possibilities. Data protection, however, must not fall by the wayside. With the entry into force of the new European General Data Protection Regulation (GDPR) on 25 May 2018, data protection will become even more important. What can you do proactively now? Here we present the challenges and basic approaches to solving them.

Identify data requiring protection

Data protection begins by identifying sensitive data within the organization and assessing the risk associated with it. For example, is personal data processed, or data that represents company secrets? What damage results if the data is stolen, leaked or lost? The level of protection a company sets for the data in question depends on its «risk appetite». Legal aspects are also taken into account at this point; they influence, for example, the decision whether and which data may be moved to the cloud.

Protect sensitive data during access

Once sensitive data has been identified, appropriate access protection measures can be implemented. For effective access protection, the following practices should be followed:

  • Centrally manage user identities and their authorizations. This provides a reliable way of granting and withdrawing authorizations across the various applications.
  • Avoid impersonal or group accounts: no clear relationship to a user identity can be established, so traceability is lost. Privileged accounts deserve special attention.
  • Perform data accesses in the name of the requesting user identity rather than a technical service account; this makes traceability much easier. Use standards-based mechanisms for identity propagation, such as forwarding the authenticated user's security token to downstream services.
  • Where possible, delegate security functions such as authentication, enforcement of security policies and protection against attacks to dedicated security components such as API gateways and web application firewalls. Even fine-grained access decisions can be delegated to a central authorization server.

Ensure traceability during access

Access protection measures are only one side of the coin. To provide the traceability that compliance requires, a high degree of transparency and control in access management is needed, and this can hardly be achieved by organizational measures alone. So how can the necessary traceability be ensured? The following best practices help:

Use an IAM tool for central administration of user identities and authorizations. This gives control over which users hold which rights in which applications. Process automation rules help to exercise this control with minimal organizational overhead, and automated re-certification campaigns allow superfluous authorizations to be revoked promptly, so that the need-to-know principle is adhered to.

Externalize technical authorizations from the applications. Fine-grained access to data is often implemented inside the individual applications, which from a compliance perspective is a black box. This is particularly problematic when the same data is used by several applications and access is governed by complex, domain-specific rules (e.g. access to insurance dossiers depending on competence, agency, case, etc.). Transparency is increased by extracting such authorizations from the applications and managing them centrally as access rules in one tool. In addition, access authorizations become consistent across multiple applications.
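The following is an added example, not code from the article, that puts the access-protection practices above and the externalized access rules just described into one runnable piece: a claims application receives a request carrying the user's signed token (a compact HMAC token stands in for a standards-based token such as a JWT), propagates that identity instead of a service account to a central policy decision point whose dossier rules live outside the application, and writes every decision to an audit log under the user's name. The scenario, the rules, the key and all names are constructed for illustration.

```python
"""Centralised authorisation with propagated user identity.

Added example, not code from the article. Constructed scenario: a claims
application receives a request carrying a signed user token from the
identity provider (verified at the gateway), passes the requesting user's
identity, not a service account, to a central policy decision point (PDP)
whose access rules live outside the application, and records every
decision so that each data access is traceable to a named user.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical signing key shared by the identity provider and the gateway.
TOKEN_KEY = b"demo-token-signing-key-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Compact HMAC-SHA256 token: base64url(json claims).base64url(mac)."""
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(mac)


def verify_token(token: str) -> dict:
    """Check the MAC in constant time and return the claims; raise on tampering."""
    body, _, sig = token.partition(".")
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest()
    try:
        given = _b64d(sig)
    except ValueError:                       # malformed base64 counts as tampering
        raise PermissionError("malformed token signature")
    if not hmac.compare_digest(expected, given):
        raise PermissionError("invalid token signature")
    return json.loads(_b64d(body))


@dataclass
class Dossier:
    dossier_id: str
    agency: str
    line_of_business: str                          # e.g. "motor", "life"
    assigned_to: set = field(default_factory=set)  # user ids working the case


# Access rules externalised from the application (constructed for the example).
# Each rule is (action, predicate over user claims and dossier); any match permits.
Rule = Tuple[str, Callable[[dict, Dossier], bool]]
RULES: List[Rule] = [
    ("read",  lambda u, d: d.agency == u["agency"] and d.line_of_business in u["competences"]),
    ("read",  lambda u, d: u["sub"] in d.assigned_to),
    ("write", lambda u, d: u["sub"] in d.assigned_to and d.line_of_business in u["competences"]),
]

AUDIT_LOG: List[Dict[str, str]] = []   # in practice an append-only, tamper-evident store


def decide(user: dict, action: str, dossier: Dossier) -> bool:
    """Policy decision point: evaluate the central rules and log the outcome
    under the requesting user's identity, never under a technical account."""
    permitted = any(a == action and pred(user, dossier) for a, pred in RULES)
    AUDIT_LOG.append({"sub": user["sub"], "action": action,
                      "dossier": dossier.dossier_id,
                      "decision": "permit" if permitted else "deny"})
    return permitted


def handle_request(token: str, action: str, dossier: Dossier) -> Optional[dict]:
    """Application entry point: the propagated token identifies the user and
    the access decision is delegated to the PDP."""
    user = verify_token(token)
    if not decide(user, action, dossier):
        return None
    return {"dossier_id": dossier.dossier_id, "agency": dossier.agency}


if __name__ == "__main__":
    alice = issue_token({"sub": "alice", "agency": "ZH", "competences": ["motor"]})
    dossier = Dossier("D-1001", agency="ZH", line_of_business="motor")
    print(handle_request(alice, "read", dossier))    # permitted: same agency and competence
    print(handle_request(alice, "write", dossier))   # None: alice is not assigned to the case
    for entry in AUDIT_LOG:
        print(entry)
```

Because the rules live in `RULES` rather than in the application, a second application serving the same dossiers would evaluate exactly the same conditions, and the audit trail shows the user, not the calling system, for every read and write.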

Safeguard data requiring protection already during software development

The protection of sensitive data must be taken into account throughout the software development and test cycle. A common problem is that data requiring protection, such as personal or business data, is used liberally in software development and business testing: it is often copied from production systems and reused in non-production systems. This practice usually violates not only data protection law but also internal company guidelines.

Well thought-out test data management helps. It includes anonymizing sensitive production data and enriching it with synthetic data: anonymization masks or transforms real records so that they can no longer be linked to a person, while synthetic data is generated artificially. Note that keyed pseudonymization, which replaces identifiers consistently but reversibly, still yields personal data under the GDPR as long as the key exists, so the key must remain in production and never reach the test environment. Simulations or virtualization of surrounding systems also help to avoid access to data requiring protection.
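As an added example (not code from the article), the following test data preparation applies the approach just described to a constructed customer extract: direct identifiers are replaced, the customer number is pseudonymized with a keyed HMAC so that foreign keys across tables still join, quasi-identifiers such as the birth date are generalized, the IBAN is masked, and fully synthetic rows are appended for scenarios the production sample does not cover. The records, name pools and `PSEUDONYM_KEY` are all hypothetical.

```python
"""Test data management: pseudonymise production records and add synthetic rows.

Added example, not code from the article. The customer records and name
pools are constructed; PSEUDONYM_KEY is a hypothetical secret that stays
in the production environment and is never shipped to test.
"""
import hashlib
import hmac
import random
from typing import Dict, List

PSEUDONYM_KEY = b"production-only-pseudonym-key"

# Constructed pools for synthetic names; a real setup would use larger lists.
FIRST_NAMES = ["Anna", "Luca", "Mara", "Noah", "Elin", "Jonas"]
LAST_NAMES = ["Keller", "Meier", "Baumann", "Frei", "Huber", "Zimmermann"]


def pseudonym(value: str, prefix: str) -> str:
    """Keyed, deterministic pseudonym: the same customer number yields the same
    replacement in every table, so foreign keys in the test system still join.
    Reversible only by whoever holds the key, hence still personal data under
    the GDPR; the key must not leave production."""
    mac = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{mac[:10]}"


def generalise_birthdate(iso_date: str) -> str:
    """Keep only the birth year; age-dependent test cases rarely need more."""
    return iso_date[:4] + "-01-01"


def mask_iban(iban: str) -> str:
    """Country code, check digits and last four characters stay for format tests."""
    return iban[:4] + "X" * (len(iban) - 8) + iban[-4:]


def anonymise(record: Dict[str, str], rng: random.Random) -> Dict[str, str]:
    """Replace direct identifiers, generalise quasi-identifiers, keep business fields."""
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    return {
        "customer_no": pseudonym(record["customer_no"], "CUST"),
        "first_name": first,
        "last_name": last,
        "email": f"{first.lower()}.{last.lower()}@example.test",
        "birth_date": generalise_birthdate(record["birth_date"]),
        "iban": mask_iban(record["iban"]),
        "policy_type": record["policy_type"],   # needed by the test cases, not identifying
        "premium_chf": record["premium_chf"],
    }


def synthetic_record(rng: random.Random, index: int) -> Dict[str, str]:
    """Fully artificial row for scenarios the production sample does not cover."""
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    return {
        "customer_no": f"SYN-{index:06d}",
        "first_name": first,
        "last_name": last,
        "email": f"{first.lower()}.{last.lower()}@example.test",
        "birth_date": f"{rng.randint(1930, 2000)}-01-01",
        "iban": "CH93" + "X" * 13 + f"{rng.randint(0, 9999):04d}",
        "policy_type": rng.choice(["motor", "household", "life"]),
        "premium_chf": str(rng.randint(200, 5000)),
    }


def build_test_dataset(production: List[Dict[str, str]], n_synthetic: int,
                       seed: int = 2018) -> List[Dict[str, str]]:
    """Anonymised production rows followed by synthetic rows; seeded for reproducibility."""
    rng = random.Random(seed)
    rows = [anonymise(r, rng) for r in production]
    rows += [synthetic_record(rng, i) for i in range(n_synthetic)]
    return rows


# Constructed sample of production data (fictitious persons).
PRODUCTION_SAMPLE = [
    {"customer_no": "100234", "first_name": "Beatrice", "last_name": "Schneider",
     "email": "beatrice.schneider@example.com", "birth_date": "1974-06-12",
     "iban": "CH9300762011623852957", "policy_type": "motor", "premium_chf": "1240"},
    {"customer_no": "100235", "first_name": "Daniel", "last_name": "Wyss",
     "email": "daniel.wyss@example.com", "birth_date": "1989-11-03",
     "iban": "CH5604835012345678009", "policy_type": "life", "premium_chf": "3100"},
]

if __name__ == "__main__":
    for row in build_test_dataset(PRODUCTION_SAMPLE, n_synthetic=2):
        print(row)
```

The business fields (`policy_type`, `premium_chf`) are deliberately left intact because they are what the test cases exercise; what is removed or coarsened is everything that identifies the person. The same `pseudonym` function must be run with the same key over every table that carries the customer number, otherwise the referential integrity of the test system is lost.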

With the spread of DevOps and frequent release cycles, IT security should be anchored early in the development cycle. On the one hand, this is a question of mindset: everyone should be sensitized to security. On the other hand, IT security can also be enforced with tooling: for example, current repository managers and dependency scanners know which library versions carry known vulnerabilities and can block them or trigger a build with patched library versions.
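The build-time gate just mentioned can be illustrated with an added example (not code from the article or from any particular repository manager): pinned dependencies are checked against an advisory list and the build is told which ones to block and which version is the smallest safe upgrade. The package names and advisory identifiers below are fictional and constructed for the example, not real CVEs; a real pipeline would pull the advisory data from a vulnerability database.

```python
"""Block known-vulnerable dependencies at build time.

Added example, not code from the article. ADVISORIES is a constructed,
fictional advisory list (hypothetical package names and identifiers, not
real CVEs); a real build pipeline would load it from a vulnerability feed.
"""
import re
from typing import Dict, List, Tuple

# package -> advisories; a version is affected if introduced <= version < fixed.
ADVISORIES: Dict[str, List[Dict[str, str]]] = {
    "acme-json":   [{"id": "EX-2018-001", "introduced": "1.0.0", "fixed": "1.4.2"}],
    "widget-auth": [{"id": "EX-2018-002", "introduced": "0.9.0", "fixed": "2.0.0"},
                    {"id": "EX-2018-003", "introduced": "2.0.0", "fixed": "2.1.3"}],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components only ("1.4.2" -> (1, 4, 2)); enough for pinned releases."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Accept only exact pins (name==version); anything else fails the build,
    because an unpinned range cannot be checked reliably."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins.append((match.group(1).lower(), match.group(2)))
    return pins


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def safe_upgrade(package: str, version: str) -> str:
    """Smallest fixed version not affected by any advisory. Follows chained
    ranges: the fix for one advisory may itself fall into a later one."""
    candidate = version
    while True:
        hits = [a for a in ADVISORIES.get(package, []) if is_affected(candidate, a)]
        if not hits:
            return candidate
        candidate = max((a["fixed"] for a in hits), key=parse_version)


def check_requirements(text: str) -> Dict[str, object]:
    """Return the pins to block and the upgrade each blocked package needs."""
    blocked: List[Tuple[str, str, str]] = []
    upgrades: Dict[str, str] = {}
    for package, version in parse_requirements(text):
        for advisory in ADVISORIES.get(package, []):
            if is_affected(version, advisory):
                blocked.append((package, version, advisory["id"]))
                upgrades[package] = safe_upgrade(package, version)
    return {"blocked": blocked, "upgrades": upgrades}


# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
acme-json==1.3.0
widget-auth==1.5.0   # session handling
safe-lib==3.2.1
"""

if __name__ == "__main__":
    result = check_requirements(SAMPLE_REQUIREMENTS)
    for package, version, advisory_id in result["blocked"]:
        print(f"BLOCK {package}=={version} ({advisory_id}) -> upgrade to {result['upgrades'][package]}")
    raise SystemExit(1 if result["blocked"] else 0)   # non-zero exit fails the build
```

The non-zero exit status is what turns the check into an enforcement point: the build stops until the pin is moved to a version outside every affected range, which for `widget-auth` means skipping over 2.0.0, the fix for the first advisory, because it is itself the start of the second.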

Conclusion

The protection of data is enormously important and is gaining further importance as a result of the new European General Data Protection Regulation and the new Swiss data protection law, which is currently under consultation. With appropriate measures and best practices, the challenges can be addressed early and effectively.