How to adopt a data-centric approach to data security

IT in Manufacturing

Engineering design software suppliers

Industrial software for PC suppliers

Manufacture/Management system suppliers

printer friendly version

April 2023 IT in Manufacturing

By Gary Allemann, MD at Master Data Management.

Gary Allemann.

There is no doubt that data protection regulations, like the Protection of Personal Information Act (PoPIA), are driving investment in data security. Typically, investments have included beefing up firewalls and other barriers to external threats; locking down the ability to extract data via devices such as memory sticks, and ensuring encryption of databases and hard drives. However, while these broad measures are important, they do not provide the level of protection required. This is because data privacy is context sensitive.

Sometimes, specific data is private, and in other contexts, it is not. That means that, to comply with PoPIA, a data-centric approach to data security must be applied that takes into account the purpose for which data is being used, and who is accessing it. So how do we adopt a data-centric approach to data security?

Data access must be restricted by purpose

In general, data privacy regulations such as PoPIA limit processing and access to data based on purpose. In short, data may only be accessed as required for a specific purpose. Blanket, all-or-nothing approaches such as encryption do not limit access based on specific roles. All users are either locked out, or have full access.

The General Data Protection Regulation (GDPR) requirement for a process register can be a great place to start. By linking business processes to roles, systems, and data, we can identify which roles require access to which data sets, and even to which attributes or rows of data. Using a data stewardship platform that makes it easy to identify and trace these relationships can speed up the process and make it easier to track.

Data classification processes need to consider purpose too. Generic classifications, such as PII or Restricted have limited value as they do not provide sufficient context for purpose-based security. Classification systems need to be more precise – for example, identifying telephone numbers, email addresses, names, and ID numbers. This allows data access policies to combine roles with the data that are required to support specific tasks.

Row and attribute

Fine-Grained Access Control (FGAC) combines roles with access to specific attributes. This is not enough. FGAC must also enable row-based filters. For example, data associated with children is treated as special data under PoPIA. A row-based policy could make all data for customers under 18 years old inaccessible, or we could restrict access to data based on location, or any other criteria. FGAC extends role-based access control to make access data-centric.

Future proof

As organisations increasingly embrace hybrid cloud, so the complexities of enforcing policies increase. It is very difficult to enforce policies if different technical implementations are required for each dataset, or each cloud provider. A single, centralised platform to manage data access policies on-premise and across various cloud platforms makes this easy, and protects against future changes in cloud provider.

Share this article:

IT in Manufacturing

How to adopt a data-centric approach to data security

Further reading:

Published by Technews