Why CIOs must take a proactive data protection & security approach
Highlights
- Modern data protection tools and techniques enable enterprises to handle data on a petabyte scale, while also assisting them in complying with stricter privacy and security laws. They also provide resilience against both internal and external threats.
- With users and employees working remotely, data now gets stored in the cloud, which is outside of a business environment.
- Data protection is among the most important business requirements today, and organizations can take critical precautions to protect their data against any threat using specific methods and software. The majority of platforms (On-Prem, IaaS, SaaS, and PaaS) offer their own versions of native encryption, key management, and authentication mechanisms.
- If a company is targeted by persistent targeted attacks, its networks and data are very likely to be compromised. As a result, a company must be prepared to withstand such attacks. Resilience enables an organization to do so while reducing the impact of persistent threats.
- The DPD bill softens some contentious clauses from previous iterations that sparked industry opposition, especially data mirroring and data sovereignty requirements.
Where and when you need it most
The phrase “Data is the new oil” has been around for quite some time. Historically, data protection has prioritized high availability and redundancy, with an emphasis on Recovery Time Objective and Recovery Point Objective. With the recent digital transformation, enterprise viability and success are dependent on proper data governance. Well-managed data can improve an enterprise’s capability to make effective and responsible choices for revenue growth and profitability.
Modern data protection tools and techniques enable enterprises to handle data on a petabyte scale, while also assisting them in complying with stricter privacy and security laws. They also provide resilience against both internal and external threats. As remote working becomes more common, modern data protection assists enterprises in dealing with cyberattacks and ransomware.
“The healthcare sector is often found to be vastly under-equipped to manage security breaches. Public sector providers are widely open to attacks on their more extensive supply chains. Healthcare suppliers are typically targeted as a lucrative attack. And hospitals store some of the most detailed and sensitive data about their patients,” said Vineet Aggarwal, CIO, Paras Healthcare. “As tools like the internet, cloud computing, fifth-generation wireless technology, and AI come of age to form the modern digital landscape, more and more businesses depend on their relationship with data,” Aggarwal further adds.
With the pandemic altering the way enterprises work, there are now no boundaries. With users and employees working remotely, data now gets stored in the cloud, which is outside of a business environment. Given this context, modern data protection differs significantly from the traditional approach.
“Data protection is not just about technology alone, it’s a culture. It is important to carry out a risk assessment of every business process, where there are touchpoints and engagement with customers, partners, and vendors. It covers all methods which an organization may implement to keep data secure and available for its products, services, and business operations,” said Sharad Sadadekar, Head-Cybersecurity & Data Protection, ICICI Prudential Life Insurance.
“While data protection is a compliance mandate, most mature organizations would consider having a focused enterprise-wide approach to it. The board is also likely to demonstrate its commitment by allocating necessary resources.” Sharad Sadadekar, Head Cybersecurity and Data Protection, ICICI Prudential Life Insurance Company
Importance of data protection across environments
Any organization that wishes to function effectively must ensure the security of its data by establishing a data protection plan. The importance of data protection grows in tandem with the amount of data created and stored. Data breaches and cyberattacks can have catastrophic consequences. Organizations must protect their data proactively and update their security measures on a regular basis.
“The data protection software market has become a multi-billion-dollar industry, fast approaching the 10-billion-dollar mark. The solutions in this space vary widely but what they all hold in common is that they help organizations discover, document, and control the processing of personal data. The goal is to deliver compliance but more importantly, to maintain the trustworthy handling of their customer’s data in line with individual expectations,” said Nader Henein, Vice President, Analyst, Gartner.
Customers’ vital information, such as names, addresses, phone numbers, health information, or bank details, should be carefully stored and protected. When it comes to consumer information, data protection is especially important. If such information falls into the hands of the wrong people, it can jeopardize people’s safety in a variety of ways, including personal integrity, safety, and financial security. Stolen data can also be used to generate counterfeit profiles to commit fraud.
“Especially for B2C businesses, privacy is far more than just compliance as consumers today want to do business with trustworthy brands only. They are more likely to cross the street to a competitor and even pay a premium if that is where they believe their data will be best cared for,” Henein further adds.
“Especially for B2C businesses, privacy is far more than just compliance; consumers today want to do business with trustworthy brands. They are more likely to cross the street to a competitor and even pay a premium if that is where they believe their data will be best cared for.” Nader Henein, VP, Analyst, Gartner
Data protection is among the most important business requirements today, and organizations can take critical precautions to protect their data against any threat using specific methods and software. The majority of platforms (On-Prem, IaaS, SaaS, and PaaS) offer their own versions of native encryption, key management, and authentication mechanisms. And these mechanisms appear to be easier to implement, particularly in the context of platform technology adoption.
Enterprises have seen the importance of data security. “At Oracle, we offer Oracle Data Safe which is aimed at catalyzing organizations’ understanding of data sensitivity, evaluating data risks, masking sensitive data, implementing and monitoring security controls, assessing user security, and monitoring user activity with a single console. With these, we have witnessed our customers manage the most important requirements, and certain regulations and also leverage the benefits of the cloud without any threats,” said P Saravanan, Vice President, Cloud Engineering, Oracle India.
“Data protection software is an afterthought. The best thing we can do is fundamentally change the ball game with the implementation of Self-Sovereign Identity (SSI) using W3C standards with Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs) on a Distributed Ledger. This would enable decentralized trust and capabilities to use Zero Knowledge Proof (ZKP) for the purpose of identity validation, etc. without really sharing sensitive Personally Identifiable Information (PII) data in an unencrypted format,” said Suresh Khadakbhavi, Assistant Vice President, Innovation Lab, Bangalore International Airport (BIAL).
“Fundamentally the bill should ensure minimization of data use for the purpose of validation, data sharing only with the consent from the data subject (holder), and prevention of misuse of the shared data, i.e. no monetization of the PII data or misusing for a purpose not defined in the consent taken from the data subject.” Suresh Khadakbhavi, Assistant Vice President, Innovation Lab, Bangalore International Airport (BIAL)
Data protection and Cyber resiliency
Cybersecurity focuses on protecting an organization from cyberattacks. It involves controls such as firewalls, VPNs, and anti-malware software, along with hygiene practices such as patching software and firmware and training employees in secure behavior. Cyber resilience concentrates on what happens when security systems fail, as well as when systems are disrupted by things like power outages, human error, and weather. Resiliency considers where an organization’s operations rely on technology, where critical data is stored, and how disruption can affect those areas.
If a company is targeted by persistent targeted attacks, its networks and data are very likely to be compromised. As a result, a company must be prepared to withstand such attacks. Resilience enables an organization to do so while reducing the impact of persistent threats. Building resiliency into an organization’s information architecture reduces the likelihood of an attack’s success and the impact of a data breach if an attack succeeds.
“A business must focus on data protection, but it should also focus on cyber resiliency with equal importance considering while data protection aims at being a precautionary measure, cyber resilience is ensuring the company comes out of it and mitigating any damage to further carry on,” Saravanan said. “Here cloud service providers can also offer benefits to organizations that are seeking to manage and further better their cyber resilience without adding extra costs. Another benefit that businesses can leverage from the cloud is automation, preventing unauthorized access and overall efficiency,” he adds.
“At Oracle, we have witnessed many of our customers being highly alert around data protection and data management. Tech decision-makers are making consistent efforts to ensure there is the utmost level of data protection measures taken aligned with any regulatory compliance they may have. We have also witnessed a shift in many organizations in understanding and leveraging technology to protect and manage the most mission-critical data.” P Saravanan, Vice President, Cloud Engineering, Oracle India
Digital Data Protection Bill 2022 and what it means for businesses
“The draft Digital Personal Data Protection Bill 2022 is a revolutionary step towards regulating personal data. While the bill is still in the works, there seem to be many aspects in it that can potentially revolutionize how we view data protection in the country,” said Saravanan.
The bill is intended to be technology and sector-agnostic, serving as a broad guide for digital data protection across all industries. Sector-specific regulators are expected to develop regulations based on the legislation that results from the bill. The DPD bill softens some contentious clauses from previous iterations that sparked industry opposition, especially data mirroring and data sovereignty requirements.
“It creates a structure within which organizations will be expected to handle personal data, it will also require those organizations to provide their consumers with fundamental privacy rights. More widely it will bring India in line with the European regulatory model which has taken hold with the introduction of the GDPR in 2018,” Henein mentions.
“As per the draft Bill, Data Principals are responsible to provide verifiably authentic personal data while exercising their rights. It’s interesting to note that the bill has also proposed a penalty of Rs. 10,000/- for non-compliance of duties expected of a Data Principal, which isn’t a common trend. However, this is likely to promote authenticity in principal data requests and limit non-legitimate requests.” Manish Sehgal, Partner, Deloitte India
Many of the changes to the DPD Bill, as stated in the explanatory note, will ease and facilitate both domestic and cross-border flows of data. While some changes to consent and data classification may have an effect on the overall safeguarding of individual data privacy rights, the bill is likely to be welcomed by businesses in the IT and tech sectors.
“The new title itself signifies the intent to continue pushing the digitization agenda, thereby offering a legal framework to govern the collection, usage, processing, and storage of digital personal data. However, the bill’s exemptions for central and state agencies, along with the exclusion of personal data stored and/or processed in non-digital (original/handwritten/paper) format may be a gap to protecting personal data and ensuring privacy in entirety,” said Manish Sehgal, Partner, Deloitte India.
Data localization is perhaps one of the most debated aspects of any such regulation. The bill takes a softer stance on data localization requirements and allows data transfer to specific global destinations based on predefined assessments. This is likely to encourage country-to-country trade agreements and make it relatively easier for large businesses to function and process data with their current set-up rather than building advanced infrastructure in India for storing and processing personal data.
“The success of the DPD Bill 2022 will lie in its execution on the ground. It would be more prudent if every industry carefully evaluates the impact in alignment with the regulatory norms and makes a comprehensive set of guidelines. This will simplify the adoption process,” concludes Jijy Oommen, CIO & CTO, Aavas Financiers.