As enterprises and individuals struggle to keep pace with the deluge of data that now proliferates at every turn, the battle to protect information and keep their data private – particularly in the face of increasingly persistent and sophisticated attacks – has never been more urgent or complex.
Symantec’s strategy is to protect information wherever it might be going – whether the cloud or mobile devices. Data Loss Prevention and Identity Management are two key areas for Symantec. DLP helps us to understand the data and identity is all about the data itself: who is using it and what they are using it for. So the actual device involved is less relevant, because organisations are moving between these all the time.
Central to Symantec’s future focus will be behavioural analytics inside the firewall. What we are trying to do with Unified Security is to take these two behavioural procedures and integrate them, so organisations can make informed decisions, whether that be inside the organisation itself or outside, in the cloud. Tokenisation will enable us to track a user/computer/IP address, and therefore have a clear traceable line back to the individual. So, if there is a vulnerability, you can see, for example, that it’s a laptop involved specifically within an IT software shop. Tokenisation allows you to carry out the relevant analytics, whereas anonymisation in the cloud prevents that.
Symantec’s Unified Security solution will be going to Proof of Concept soon and organisations will have three options when managing data:
- SHARE EVERYTHING– process everything and get the best outcome
- SHARE DATA– but ‘pseudonymise’ everything.
- SHARE NOTHING– the price being that you can’t do any of the analytics.
Think about the new draft EU legislation, which, when it comes into force, would mean that loss of personal data would have to be reported within a set timeframe, perhaps as quickly as 72 hours. That could prove costly for organisations, if they don’t have the right security technology in place.
Equally, it’s worth keeping in mind the ‘Right To Be Forgotten’ – sometimes referred to as the ‘Right of Erasure’ – an idea foreshadowed by a European Court of Justice ruling in 2014 that forced Google to amend some of its search results. Most importantly, there will be no implied consent over the use of citizens’ data and, even when consent is granted, it will be easier for that to be retracted. Organisations will need to ensure compliance with these strictures.
What might that mean in practice? Companies managing personal data may be required to hire a Data protection Officer, implement privacy by design, understand how their data flows and carry out mandatory impact assessments.
Ultimately, the key to success for organisations will lie in understanding that anything can be personal data, particularly in the BIG Data world where we can aggregate data that might identify an individual. The new rights around access and erasure, the role and liability of Data Controllers versus Data Processors are all new challenges that have to be tackled head on.