How the evolution of tokenization can be utilised to better protect data

Traditionally, methods of data protection have focused on locking sensitive information away until it was deprotected for use. While this may work for data that serves no current purpose, simply locking away the data greatly reduces its value, especially if the risks of loss of business or customer trust greatly outweigh the benefits of securing data. After all, what good is data if you can’t access it? By Trevor Morgan, product manager at comforte AG.


Many enterprises that hold to this traditional mindset are sacrificing the use of their data for security. However, this leaves precious data without any true value, and even in protected environments, security is not assured. In this traditional method, security is essentially binary. Data is either locked away from unauthorised access or in the open for analysis; there is no in-between.

Think about cloud applications, for example; they are incredibly rich in information and consume lots of data, particularly within consumer-facing applications. If history has taught us anything, it is that as the popularity of the cloud increases, we will begin to see much more data being stored there. Unfortunately, human error repeatedly appears as the downside of the cloud. All too often businesses adopt an ‘upload and forget’ attitude towards data in the cloud, believing that the intrinsic security parameters will be enough to shield them from the sinister scanning eyes of hackers and cybercriminals. Yet, as we know, this belief is inherently wrong. In the event of a data breach, it is the owner of the data that will be punished under current regulatory frameworks.

What security approach should be used?

However, there is a solution. The key to securing data is to do just that – secure the data. This is where datacentric security comes in. It is no use securing perimeters and leaving a treasure trove of valuable data inside. This does nothing more than act as a challenge for the seasoned cybercriminal. Instead, enterprises should look to secure the data itself.

Securing information through a datacentric mindset can help businesses that process and store sensitive data to effectively neutralise datasets with secure technology by substituting sensitive information for a ‘token’ that is essentially meaningless. For example, take geographical information. If you wanted to isolate potential customers that live in the same post code, then you could easily isolate groups of datasets with the same location token. This method simultaneously allows the data in its protected form to be useful and drive operations such as analytics, while still maintaining regulatory compliance in the event of lost, compromised or stolen information due to a cloud misconfiguration. This is the sweet spot that organisations are looking for: assuring complete security for all data while simultaneously protecting it from unauthorised access.
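The post code grouping described above, as an added illustration that is not from the original article or any vendor's product. It assumes keyed HMAC-SHA256 as a stand-in for a tokenization service; `TokenVault`, `protect`, `group_by_token` and the customer records are hypothetical and constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict


class TokenVault:
    """Toy deterministic tokenizer: equal inputs always map to equal tokens."""

    def __init__(self, key: bytes):
        self._key = key    # secret held only by the tokenization service
        self._vault = {}   # token -> original value, for authorised detokenization

    def tokenize(self, field: str, value: str) -> str:
        # Normalise so "SW1A 1AA" and "sw1a1aa" produce the same token.
        norm = value.replace(" ", "").upper()
        # Bind the field name so values in different fields never share a token.
        mac = hmac.new(self._key, f"{field}:{norm}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:16]
        self._vault[token] = norm
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def protect(records, vault, fields):
    """Return copies of the records with the named fields replaced by tokens."""
    return [
        {k: vault.tokenize(k, v) if k in fields else v for k, v in rec.items()}
        for rec in records
    ]


def group_by_token(records, field):
    """Group customer ids by a tokenized field without seeing the real value."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[field]].append(rec["customer_id"])
    return dict(groups)


# Constructed sample data (not real customers).
CUSTOMERS = [
    {"customer_id": "c1", "postcode": "SW1A 1AA"},
    {"customer_id": "c2", "postcode": "sw1a1aa"},
    {"customer_id": "c3", "postcode": "M1 1AE"},
]

if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key")
    shared = protect(CUSTOMERS, vault, {"postcode"})  # safe to hand to analysts
    print(group_by_token(shared, "postcode"))
```

Because equal values give equal tokens, the token column still shows which records share a post code and how common each one is. The key and the vault stay with the tokenization service, outside the low trust environment that receives the tokens.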

This is where modern tokenization and encryption approaches come into play. The benefits of successfully leveraging these modern datacentric security applications are huge. They have the ability to facilitate the free movement of data to where you want and need it without the risk of exposure. Tokenized data can also be shared with third parties for analysis, while still maintaining security and significantly reducing the overall exposure risk of live data in applications and processes, particularly in low trust environments. A low trust environment covers everything from the cloud, where a dev and test approach might be deployed, to data science environments used for secure analytical purposes. Ultimately, technology like tokenization and datacentric encryption provides a powerful way of securely migrating to cloud while reducing risk and compliance burdens all at the same time.

Why tokenization and what sets it apart?

Tokenization has been a popular solution within the CISO community for some time because of its ability to comply with multiple regulatory frameworks from PCI DSS to HIPAA. Consumers are most likely unwittingly using this technology every day, especially if they pay for something with Apple or Android pay. That is effectively a token that is replacing a credit card or payment data while keeping the actual sensitive information secure. This neutralises the risk in retail and payment environments while still providing a convenient payment method.

Traditionally, data security tools have been restricted to their own use cases. More recently, however, modern tokenization and modern datacentric encryption technology have evolved and can now apply the same approach to practically any type of data that possesses an individual structured field. This means that it can be used to cover anything from a US tax ID to a UK National Insurance number, sensitive biographical PII, and geographical information such as location. Pretty much any piece of information that is standardised and protected as sensitive under CCPA and HIPAA can effectively be deidentified in an extremely efficient way. This may also prove useful in the future as regulatory frameworks evolve to cover more varieties of data that are not currently protected.

One of the major benefits of tokenization is its ability to be deployed at scale, in more complex systems, cloud native environments and the most recent application stacks. Tokenization can also be swiftly implemented through instrumentation, so you’re not having to open up applications and recode them. This snap-in approach to datacentric security cuts down time and effort and allows it to be essentially built into already existing devices. The desire to secure data by adopting a datacentric approach is the drive behind many notions of privacy, such as GDPR and its aim to ensure that security is built in. Modern security solutions such as tokenization facilitate this mindset, and only by deploying a truly datacentric mindset will businesses finally be able to obtain integrated privacy and security for protected information.
