Analyst Coverage: Fran Howarth
Data security has been a concern for many years, but it has recently grown further in importance, and improving it is currently a key concern for the majority of organisations. According to Immuta, 88% of respondents to a recent survey indicate that data security will become an even greater priority in 2024 and 77% have seen data security budgets increase over the past year.
Data is an extremely valuable commodity that must be protected throughout its lifecycle, from collection and analysis, to enabling its secure use and, eventually, archiving or deletion.
Data security aims to protect data from corruption, theft or unauthorised access, and to enhance visibility of how it is being used across devices of all kinds, applications, access and administrative controls, policies and procedures. It is critical for protecting against external or internal threats, minimising the risk and impact of both threats and errors.
Ensuring data security begins at the data management layer, with capabilities such as data quality, data discovery and ensuring effective data governance. The real intersection lies at the governance layer. Data governance centres on the effective organisation and management of data and is where policies and procedures are developed for ensuring data can be securely used. Data security aims to ensure that data is safeguarded from falling into the wrong hands or being altered, whether maliciously or not. It aims to ensure the three basic pillars of security by maintaining the CIA triad: data confidentiality, integrity and availability. It does this through the use of security controls that include access controls, encryption, and network, device, application and user monitoring.
With these capabilities working in tandem, organisations will be much better placed to ensure that their security posture is as strong as they can make it. However, constant vigil must be kept to ensure that controls are working properly and that they are adequate for dealing with changing circumstances and emerging threats or regulations.
Almost every organisation is data-driven, using data to improve decision-making, better serve customers and protect against threats. But that data is also valuable to adversaries and no organisation is immune. Even small organisations are facing cybersecurity attacks, including phishing and ransomware, that look to steal credentials and/or data. Such attacks are often used in combination. Whilst larger organisations could be seen as better targets owing to the vastly greater amount of data that they have and more employees to target, smaller organisations can also be seen as conduits into the networks of their business partners in the growing phenomenon of supply chain attacks.
Compliance with regulations and industry standards is another reason to shore up data security capabilities. Non-adherence can place organisations at risk of reputational damage, loss of trust, and fines or other sanctions. Some regulations and industry standards only apply within certain sectors or types of organisation, whilst others draw multiple organisations under their scope. An example of these is the growth in data protection and privacy regulations. The General Data Protection Regulation (GDPR) of the EU is a key piece of legislation that impacts any organisation worldwide that collects and processes personal information related to individuals resident in the EU. Since GDPR became law, a large number of jurisdictions worldwide have enacted their own similar laws. All of these laws require stringent security and privacy controls be placed around data, with sanctions for non-compliance that can be severe.
Industry standards are also being strengthened, an example being the Payment Card Industry Data Security Standards (PCI DSS), a new version of which comes into effect in spring 2024, with compliance being mandatory the following year. It has a vast array of new requirements.
Traditional data security controls are seeing new and advanced capabilities added to them to increase their effectiveness and are more often being integrated with other complementary security controls, sometimes by combining them onto data security platforms or in other cases through partnerships.
A greater focus is being placed on identity in order to guard against unauthorised access to data. Organisations are increasingly adopting zero trust frameworks to help them to achieve their digital transformation goals, including the use of least privilege to ensure that no one has greater levels of entitlements than are required for a particular task and that entitlements are removed when they are no longer needed.
Secure data governance and security posture management are emerging capabilities that aim to ensure that data security is pervasive throughout the organisation and its extended network. This is especially important as organisations continue to flock to cloud services in greater numbers, often using multiple providers for different needs. There is also a significant rise in hybrid environments spanning on-premises systems and those in the cloud. Increasingly, cloud-native security controls are being built to ensure scalability and greater visibility across the technology estate.
Security controls are increasingly incorporating artificial intelligence (AI) capabilities, most commonly in the form of machine learning that adds context to events seen, along with the use of threat intelligence, allowing security to be more predictive. However, organisations are reporting that improving data security and governance is more imperative at this point than vastly expanded use of AI.
Data security encompasses a wide range of technologies and requirements. Some niche vendors specialise in specific areas, whilst others provide the full gamut of security controls, some self-developed and others gained through acquisition or partnerships.
Some vendors have built out data security platforms, often based in the cloud. These contain integrated sets of controls, some offering customers the opportunity to choose which controls they wish to license or subscribe to.