How to adopt a data-centric approach to data security

Mar 23rd, 2023

Gary Allemann – MD at Master Data Management

There is no doubt that data protection regulations, like the Protection of Personal Information Act (PoPIA), are driving investment in data security. Typically, investments have included beefing up firewalls and other barriers to external threats; locking down the ability to extract data via devices such as memory sticks; and ensuring encryption of databases and hard drives. However, while these broad measures are important, they do not provide the level of protection required. This is because data privacy is context sensitive.

In some contexts, particular data is private; in others, it is not. That means that, to comply with PoPIA, a data-centric approach to data security must be applied, one that takes into account the purpose for which data is being used and who is accessing it. So how do we adopt a data-centric approach to data security?

Data access must be restricted by purpose

In general, data privacy regulations such as PoPIA limit processing and access to data based on purpose. In short, data may only be accessed as required for a specific purpose. Blanket, “all-or-nothing” approaches such as encryption do not limit access based on specific roles. All users are either locked out or have full access.

The General Data Protection Regulation (GDPR) requirement for a process register can be a great place to start. By linking business processes to roles, systems, and data, we can identify which roles require access to which data sets, and even to which attributes or rows of data. Using a data stewardship platform that makes it easy to identify and trace these relationships can speed the process, and make it easier to track.

Data classification processes need to consider purpose too. Generic classifications, such as “PII” or “Restricted”, have limited value as they do not provide sufficient context for purpose-based security. Classification systems need to be more precise – for example, identifying telephone numbers, email addresses, names, ID numbers and so on. This allows data access policies to combine roles with the data that is required to support specific tasks.

Row and attribute

Fine-Grained Access Control (FGAC) combines roles with access to specific attributes.

This is not enough. FGAC must also enable row-based filters. For example, data associated with children is treated as special data under PoPIA. A row-based policy could make all data for customers whose age is under 18 inaccessible, or we could restrict access to data based on location, or any other criteria. FGAC extends role-based access control to make access data-centric.
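As an added illustration (not code from the article or from any product), the sketch below combines a role and purpose with attribute-level projection and a row-based filter. The role names, purposes, attribute classifications, region codes and customer records are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    attributes: frozenset                 # precise classifications this role may read
    row_filter: Callable[[dict], bool]    # which rows this role may see at all

def is_adult(row):
    # Fail closed: a record with no known age is treated like a child's record.
    age = row.get("age")
    return age is not None and age >= 18

# Hypothetical process register: (role, purpose) -> what that process needs.
POLICIES = {
    ("collections_agent", "debt_recovery"):
        Policy(frozenset({"name", "telephone"}), is_adult),
    ("marketing_analyst", "campaign_reporting"):
        Policy(frozenset({"email", "region"}),
               lambda r: is_adult(r) and r.get("region") == "ZA-GP"),
}

def authorised_view(role, purpose, rows):
    """Return only the rows and attributes permitted for this role and purpose."""
    policy = POLICIES.get((role, purpose))
    if policy is None:
        # Deny by default: a role acting outside a registered purpose gets nothing.
        raise PermissionError(f"no policy for role={role!r} purpose={purpose!r}")
    # The row filter runs on the full record, so it can use attributes (age)
    # that the role is not allowed to read; projection happens afterwards.
    return [{k: v for k, v in row.items() if k in policy.attributes}
            for row in rows if policy.row_filter(row)]

# Constructed sample data.
CUSTOMERS = [
    {"name": "Thandi", "telephone": "+27 11 555 0101", "email": "thandi@example.test",
     "id_number": "PLACEHOLDER-1", "age": 34, "region": "ZA-GP"},
    {"name": "Sipho", "telephone": "+27 11 555 0102", "email": "sipho@example.test",
     "id_number": "PLACEHOLDER-2", "age": 16, "region": "ZA-GP"},
    {"name": "Anele", "telephone": "+27 21 555 0103", "email": "anele@example.test",
     "id_number": "PLACEHOLDER-3", "age": 41, "region": "ZA-WC"},
    {"name": "Lerato", "telephone": "+27 11 555 0104", "email": "lerato@example.test",
     "id_number": "PLACEHOLDER-4", "region": "ZA-GP"},  # age unknown
]

if __name__ == "__main__":
    for row in authorised_view("collections_agent", "debt_recovery", CUSTOMERS):
        print(row)
```

The same records yield different views per purpose, and the ID number is never returned because no registered purpose lists it.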

Future proof

As organisations increasingly embrace hybrid cloud, the complexity of enforcing policies increases. It is very difficult to enforce policies if different technical implementations are required for each dataset, or each cloud provider. A single, centralised platform to manage data access policies on-premise and across various cloud platforms makes this easy, and protects against future changes of cloud provider.