It is not only the countdown to the entry into force of the new EU Data Protection Directive that is forcing companies to review their knowledge and approach to data security. Five important factors for data security.
Editorial - April 18, 2017
Secude shows below important topics that will occupy companies in the coming months until the new EU General Data Protection Regulation (GDPR) comes into force. More precise handling of usage rights for employees and partners, the strong demand for automation, and data exchange mechanisms between applications that now supplement the human factor with the machine-to-machine factor will play a key role. It is also important to consider supposedly secure systems, for example ERP systems such as SAP, because it is precisely here that uncontrolled data exports - from man and machine - frequently occur.
1. Compliance - closing knowledge gaps
Knowledge about the use and storage of corporate data is no longer a matter of choice. The new GDPR forces all companies to have an overview of the current location, use and distribution of their sensitive and personal data across all company applications. In the future, documentation and implementation of data protection measures must also be proven to regulatory authorities. For many companies, this is the impetus to deploy log reporting, auditing and analytics solutions that identify threats or risks based on data movement patterns and user behavior. Particularly affected are systems in which a lot of security-relevant data is held - for example, SAP ERP systems. Although information within such systems is relatively well protected, many companies lack an overview of how much of this data is exported daily and further processed or passed on via less protected systems and channels.
2. Data-centric privacy solutions
Customers are looking for solutions that protect their documents and data exports from the moment they are created, even before they leave secure infrastructures. Trying to adequately secure all channels and systems through which security-relevant data could be shared and further processed proves to be an almost impossible Sisyphean task. Therefore, the recommended approach is to classify the information itself as it is created in order to determine its security relevance as well as authorizations for its further handling. "In our increasingly interconnected business world, information can no longer simply be held within secure enterprise systems. It therefore makes much more sense to secure the data itself rather than relying on securing storage locations and communication channels. Reactive and context-sensitive data protection solutions, such as DLP, fulfill important basic functions, but they are not enough," explains Volker Kyra, Managing Director of Secude GmbH.
3. Rights of use for personal data
Anyone who processes personal data will be held to account under the new EU General Data Protection Regulation as of 2018 at the latest. This also applies to collaboration with partners and external parties, and specifically to the rights of use for personal data and its processing. Here, a distinction must be made between restricted rights of use and privileged users, which are often inadequately managed. To meet the requirements of the new legislation and pass audits, companies must therefore check exactly who is allowed to view which data, export it from systems and process it further. One problem is that many systems in which sensitive data is stored only permit a very rough assignment of rights. Either a person has full rights of use for certain data or none at all. Granular solutions are needed here so that information can be handled in compliance with the new legislation without the restrictions on use hindering important business processes.
4. Human factor - automation
The automation of security-related activities, such as patching systems, is a much-discussed topic. According to Capgemini, it is also seen by companies as one of the top security topics, because up to 95 percent of all security-related disruptions are due to human error. However, this applies not only to the automation of security patches, but just as much to the area of data classification. This is where it is determined which information is particularly sensitive and therefore subject to stricter security criteria. If this classification is left to the employees, then not only do misjudgments often occur, but the classification process also slows down the work processes considerably.
"Automated contextual data classification will therefore be a key factor for data security in the coming years," emphasizes Volker Kyra. "Another factor is the exploding number of applications in the context of digitalization, which makes automation just as imperative."
5. Machine factor - data exchange mechanisms between applications
The rapid conceptual evolution of enterprise architectures is leading to a significant paradigm shift in terms of application integration and data distribution. The ability to monitor data flows between applications is therefore becoming another critical factor for data security. Now, not only employees exchange sensitive data, but also the applications themselves (machine-to-machine).
The problem here is that the complexity of today's system landscapes, whether organically grown or specifically designed, makes it virtually impossible for companies to gain control over ongoing logical data communications. This poses a significant challenge for IT security managers and has a major impact on compliance guidelines resulting from regulatory obligations. Intelligent solutions are therefore required to enable classification and tracking of sensitive data streams.
Source: Secude