CDO Blog Series: Part 1 – CDOs’ Blindspot: CSPs’ Best Kept Secret
The responsibilities of the Chief Data Officer (CDO) span many aspects of managing the organization’s data and analytics operations, including data architecture, access control, data sovereignty, privacy, security, user requirements, software development, report development, and AI and machine learning integration, to name a few.
In layman’s terms, the CDO is responsible for establishing and maintaining the organization’s data governance policies and procedures, ensuring data quality and sound management across the whole data lifecycle.
As data is scattered across the organization and used by multiple data consumers, it is imperative for CDOs to create quick value for business stakeholders and to focus on high-priority projects. (Source: HBR, 2023)
As organizations across the world continuously develop and enhance their data operations, it is becoming increasingly difficult to manage that data and ensure its security. For Chief Data Officers, data security is a challenge that should be addressed as a high priority, as data security breaches have a significant impact on businesses, brands and customer loyalty.
Data security risks are extensive, with many well addressed by legacy technologies and Cloud Service Providers’ (CSPs) native security capabilities.
An important risk to consider, and a blind spot for many CDOs, is the question of data re-identification. In other words: can the organization’s sensitive data be seen by the CSP administrator?
CSPs, Cloud Data Platform Providers and traditional encryption services try to address this challenge with a variety of capabilities and alternatives, ranging from cloud KMS, BYOK, External Functions and Encryption Services to disk-level encryption.
Unfortunately, these capabilities do not mitigate the risk, because they cannot enforce full Segregation of Duties (SoD): the security controls are not externalized from the cloud and data platform, so the party that operates the platform can still reach the key material. Failing to ensure SoD is equivalent to giving away the keys to your kingdom to somebody else.
The Way Forward: End-To-End Cloud Data Security With Full SoD
Entitlement, Access-Control & De-Identification
Unauthorized access to data is a common privacy breach. Companies can prevent it by implementing an integrated Data Access Entitlement Model that encapsulates both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), enabling real-life data-access scenarios without compromising business operations or data security.
Another key pillar of data security is ensuring that data is also protected from IT staff, third parties and cloud administrators who manage the infrastructure hosting the organization’s data platforms. This means data needs an additional layer of security, namely de-identification with full key segregation, while still allowing access on a need-to-know basis without compromising business operations.
De-identification is a broad term covering an extensive set of methods to protect data, including Dynamic Data Masking, Physical Masking, Encryption, Tokenization, Pseudonymization, Anonymization and others. Enforcing de-identification over data at rest restricts access to the data by default and allows only selected users with a valid purpose to see it, ensuring that DBAs, administrators, cloud providers and other third-party contractors cannot access sensitive data, even at the infrastructure layer.
De-identification is becoming even more important (and complex) for multi-national organizations looking to leverage a cloud data platform as an organization-wide analytics platform. Global operations involve not only GDPR, CCPA and other privacy regulations but also data sovereignty. In such cases, the notion of de-identification is further extended by the need for SoD and Key Segregation, two elements at the core of data sharing and global data operations.
External Functions Are Unsafe, Inefficient and Expensive
Organizations relying on External Functions to encrypt and decrypt data on a cloud analytics platform face a variety of challenges whenever they need to change the schema, create views, or manage access to those views based on various attributes. This is a cumbersome, costly, resource-demanding and time-consuming effort that cannot scale.
Furthermore, organizations using External Functions face severe security risks: the External Function can be invoked by the Cloud Account Admins, which erodes the SoD posture and returns the clear-text data to the cloud analytics platform, defeating the purpose of the regulation.
End-To-End Data Security: SoD & Hold Your Own Key
SecuPi enforces secure cross-border data collaboration and data sharing while seamlessly addressing data privacy and sovereignty requirements on cloud platforms.
SecuPi Data Air-Locks are specifically designed to enable organizations to keep cloud data secured at all times. By seamlessly enforcing data privacy, sovereignty and security requirements in cross-cloud environments, SecuPi ensures the data is protected from ingestion to consumption, with full key segregation (HYOK), and is decrypted only in specific global locations and only for authorized users.
This approach allows organizations to easily govern and control all data access and data-processing transactions while enforcing full Segregation of Duties (SoD) on their Cloud data platforms and analytical workloads, ensuring that clear-text data is NEVER accessible globally, but can only be decrypted locally, on a ‘need-to-know’ basis.
SecuPi Data Air-Locks offer a future-proof technology with enhanced data security posture, ensuring data is never compromised while stored and processed on a cloud platform and reducing security TCO (Total Cost of Ownership).
The SecuPi centralized Policy Definition (PDP) control plane is deployed in the customer’s VPC, together with self-contained, distributed Data Air-Locks (Policy Enforcement Points, PEPs) installed at various locations across the data environment:
- The data ingestion, ETL and streaming layer: enforcing encryption of sensitive data at ingestion (without sharing the key with the CSP).
- The data consumption layer: enforcing fine-grained access control based on all required attributes before critical data is re-identified, ensuring access on a need-to-know basis.
The SecuPi PDP-PEP architecture ensures easy deployment with no changes to the underlying schema, applications or business processes, enforcing key segregation and SoD to deliver end-to-end cloud data security.
- Enables secure data collaboration and democratization across cross-cloud, global data operations.
- Full segregation of duties (SoD) & HYOK, ensuring data is never decrypted on-cloud and never available to the cloud administrator.
- Seamless enforcement of security, sovereignty, privacy and governance use cases.
- Full visibility into every data access and data-processing transaction with full end-user context.
- Sensitive data is always protected and access is controlled across ingestion and consumption environments.
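To make the ingestion/consumption split and the entitlement model concrete, here is an added illustration (not SecuPi’s code and not a model of its products): a key holder kept outside the cloud tokenizes sensitive columns at ingestion, and a consumption-side check combines role (RBAC), purpose and region (ABAC) before re-identifying. The names `KeyVault`, `ingest` and `consume`, the policy sets and the sample rows are all assumptions constructed for the example; HMAC-based tokenization stands in for whatever de-identification method a real deployment would use.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

SENSITIVE = ("name", "email")          # columns de-identified on ingestion
ALLOWED_ROLES = {"fraud-analyst"}       # RBAC part of the entitlement model
ALLOWED_PURPOSES = {"fraud-review"}     # ABAC part: declared purpose of access


@dataclass
class KeyVault:
    """Key holder outside the CSP (HYOK): neither the key nor the clear
    values ever reach the cloud store; only tokens do."""
    key: bytes
    vault: dict = field(default_factory=dict)  # token -> clear value

    def tokenize(self, value: str) -> str:
        tok = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.vault[tok] = value
        return f"tok_{tok}"

    def reidentify(self, token: str) -> str:
        return self.vault[token.removeprefix("tok_")]


def ingest(rows: list[dict], vault: KeyVault) -> list[dict]:
    """Ingestion PEP: replace sensitive columns before rows land in the cloud."""
    return [{k: vault.tokenize(v) if k in SENSITIVE else v for k, v in r.items()}
            for r in rows]


def consume(store: list[dict], vault: KeyVault, user: dict) -> list[dict]:
    """Consumption PEP: re-identify only when role, purpose and region all pass.
    A cloud account admin never passes, so they only ever see tokens."""
    out = []
    for row in store:
        permitted = (user["role"] in ALLOWED_ROLES
                     and user["purpose"] in ALLOWED_PURPOSES
                     and user["region"] == row["region"])  # decrypt locally only
        out.append({k: vault.reidentify(v) if permitted and k in SENSITIVE else v
                    for k, v in row.items()})
    return out


# Constructed sample data, not taken from any real system.
ROWS = [{"id": 1, "name": "Ada Byron", "email": "ada@example.org", "region": "EU"},
        {"id": 2, "name": "Li Wei", "email": "li@example.org", "region": "APAC"}]
```

Running `consume` with a cloud-admin identity returns the stored rows unchanged (tokens only), while an EU fraud analyst with a valid purpose gets the EU row re-identified and the APAC row still tokenized.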