Keeping your data incognito – Harry Keen – Ep 45

Sharing our data is an important part of our day to day activities, be that for analysis, collaboration or system development, we need to be able to share data sets.

However, this need to share has to be balanced with our needs to maintain the security of our data assets.

I saw a great example of this recently with a company who were convinced they were suffering a data breach and having data leak to their competitors. They investigated all the areas you’d expect: data going out via email, being uploaded to sites that it shouldn’t, or being copied to external devices and leaving the company. None of this investigation seemed to identify any areas of leak.

They then discovered that they had a team of developers who, in order to carry out their dev and test work, were given copies of the full production database, so not only were they given all of the organisation’s sensitive data, but they had full and unencumbered administrative access to it.

Now, I’m not saying the developers were at the centre of the leak; however, you can see the dilemma. For the business to function and develop, the software teams needed access to real data that represented actual working sets, but to provide that, the business was exposing itself to a real data security threat.

How do we address that problem and allow our data to be useful for analysis, collaboration and development, while keeping it secure and the information contained safe and private?

One answer is data anonymization, and that is the subject of this week’s show, as I’m joined by Harry Keen, CEO and founder of anon.ai, an innovative new company looking to address many of the challenges that come with data anonymization.

In our wide-ranging discussion, we explore the part anonymization plays in compliance and protection and why the difficulty of current techniques means that we often poorly anonymize data, or we are not even bothering.

We explore why anonymization is so difficult and how solutions that can automate and simplify the process will make this important addition to our data security toolkit more accessible to us all.

Anonymization plays an important part in allowing us to maintain the value of our data as a usable and flexible asset while maintaining its privacy and our compliance with ever-tightening regulation.

Harry provides some great insights into the challenge and some of the ways to address it.

To find out more on this topic, check out the following resources:

The UK Anonymization Network (UKAN)

The UK Information Commissioner (ICO)

And of course you can find out more about anon.ai here

You can follow Harry on Twitter @harry_keen18 and anon.ai @anon_dot_ai.

You can contact anon.ai via info@anon.ai

Hopefully, that’s given you some background into the challenges of data anonymization and how you can start to address them, allowing you to continue to extract value from your data while maintaining its privacy.

Next week I’m joined by Ian Moore as we take a Blockchain 101. To ensure you catch that episode, why not subscribe to the show? You can find us in all the usual podcast homes.

Until next time, thanks for listening.


Don’t be scared – GDPR is a good thing, embrace it!

I can’t open my inbox these days without someone telling me about the European Union’s General Data Protection Regulation (GDPR), the content of these emails ranging from the complex to the scaremongering.

However, what I don’t see are the ones extolling the positives of the regulation.

In my humble opinion, GDPR is a driver for some very positive change in the way that we, as businesses, use the data that we have and will continue to collect in ever-growing amounts.

I’m sure we’ve all heard how data is the new gold, oil, etc., and to many of us our data is among the most valuable assets we hold; as I heard recently, “the ability to gain actionable insights from data is what will separate us from our competition.” I personally believe this to be true: the businesses that know how to manage and gain value from their data will be the ones that are the success stories of the future.

If data is such an asset, then…

Why do we keep hearing stories about high profile data breaches, such as Equifax and Deloitte, where sensitive information has found itself in the public domain? If data is an asset, then why are we so lax with its security? Are we that lax with other assets?

Data is hard

The problem is that managing data is hard: we don’t know what we have, where it is, who has access, and when or even if they access it. This lack of insight makes securing and managing data a huge challenge — and it is why the idea of more stringent regulation is a frightening prospect for many.

Why is GDPR a good thing?

The GDPR is going to force organizations to address these problems head-on, something that, for many of us, is long overdue. Although the regulation focuses on the privacy of “data subjects,” the principles can and should be applied to all of our data.

To be clear, GDPR is not a data management framework. Its scope is much wider than that. It is a legal and compliance framework and should be treated as such. But, while GDPR is “not an IT problem,” it’s certainly a technology challenge, and technology will be crucial in our ability to be compliant.

Why GDPR and technology are helpful

Even if GDPR did not demand our compliance, I would still thoroughly recommend it as a set of good practices that, if you’re serious about the value of your data, you should be following.

I believe the principles of the GDPR, along with smart technology choices, can positively revolutionize how we look after and get the very best from our data.

In the last 12 months or so, I’ve done a lot of work in this area and have found 4 key areas where the GDPR, alongside some appropriate technology choices, has made a real difference.

1. Assessment


As with any project, we start by fully understanding our current environment. How else are you going to manage, secure and control something if you don’t know what it looks like to begin with?

Your first step should be to carry out a thorough data assessment: understand what you have, where it is, how much there is, whether it’s looked at, what’s contained within it and, of course, who, when, where and why it’s accessed.

This is crucial in allowing us to decide what data is important, what you need to keep and what you can dispose of. This is not only valuable for compliance but has commercial implications as well: why take on the costs of storing, protecting and securing stuff that nobody even looks at?

2. Education

It’s too easy to look at our users as the weakness in our security strategy when they should be our strength. They won’t ever be, however, if we don’t encourage, educate and train them.

Technology can help provide training, develop simple-to-use document repositories or keep them on their toes with regular orchestrated phishing tests. This helps users develop skills, keeps them aware and allows us to develop metrics against which we can measure our success.

We must move away from the annual “lunch and learn” briefing and realize we need tools that allow us to continually educate.

3. Breaches

The GDPR places a major focus on our ability to identify breaches quickly and accurately and to be able to report on exactly what data we have lost. Traditionally this is an area in which businesses have been lacking, taking weeks, months or maybe even years to become aware of a breach. In a world where we are ever more data-reliant, this cannot be acceptable.

Technology is the only way to meet these stringent reporting requirements. How else will you know the when, where and how of a breach?

But technology isn’t only about reporting. The ability to have such visibility of data usage — the who, where and when of access — will allow us to quickly detect and stop a breach, or at least reduce its impact.

4. Data protection by design

This is perhaps the most positive part of GDPR, as it will encourage us to build data protection into the very core of our infrastructure, systems and data repositories. Whether on-prem or in the cloud, under our control or a service provider’s, security has to be at the heart of our design — not an afterthought.

We need to use this as an opportunity to encourage cultural change, one where the importance of our data is not underestimated, where maintaining its integrity, security and privacy is a priority for everyone, not just IT.

Is the GDPR a lot of work? Yes.

Is it worth it? In my opinion, 100%, yes — GDPR is a real positive driver for a long overdue and crucial change and should be embraced.


What I’ve Learned About GDPR

The EU’s General Data Protection Regulation (GDPR) that comes into effect in May 2018 is a subject that has moved to the top of many a list of priorities and is going to have a major effect on how we handle personal data.

Over the last year, I’ve spoken with businesses about their data security and how to avoid data loss, leaks and insider threats. However, over the first 3 months of this year (2017), this conversation, driven by GDPR, has shifted to compliance and privacy.

However, it’s evident that not everyone is either aware of the forthcoming changes or how to build privacy and security policies to deal with the complex problems it presents.

Over the last few months I’ve been pretty absorbed in the world of GDPR and thought it’d be useful to share a few of the things I’ve learned that may help you with your own privacy and security strategy.

It’s complicated

GDPR is a complicated bit of legislation; its scope is vast and to some degree we will all be affected. Whether as organisations having to sort out our compliance or as individuals whose data will fall under the scope of the regulation, we will see lots of changes.

Remember it is a complex bit of legislation, which leads to…

Good news, GDPR is not an IT problem

It’s true: it’s a legal and compliance issue, not an IT one. Just because we are talking about data, an organisation cannot say, “it’s data, so can’t IT just sort it out?”

Absolutely not. IT will be a critical partner in helping to deliver compliance, but only in the same way that the Board, HR, Finance or anyone who touches data is going to be a key partner in maintaining compliance.

Is your organisation’s view of GDPR that it is only an IT problem? If it is, then you need to look at how you educate them, quickly, that it isn’t!

Roughly what is it?

We’ve heard what it isn’t, so what is it?

In its simplest form it is updated legislation, replacing the EU’s Data Protection Directive, but it goes beyond updating, growing in scope and in potential penalties for non-compliance.

To quote the EU:

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

The goal of GDPR is to ensure the personal data held about us can only be used for the purposes it was gathered for and is treated with due care to ensure it is not abused by those who would wish to exploit it.

It’s privacy, not security

One of my go-to people when it comes to data privacy is NetApp’s Sheila Fitzpatrick. Sheila is a data privacy attorney with nearly 35 years’ privacy experience and is NetApp’s data privacy officer and global privacy counsel.

Sheila makes the point that data security IS NOT data privacy.

Data privacy is much wider in scope than just security; Sheila likes to use the example of a data privacy wheel, where security is just one spoke on that wheel.

When designing data privacy solutions, we should understand the full lifecycle of the personal data we collect, assess, process and use, from the minute we collect it until we finally destroy it.

If your organisation is looking at GDPR and saying, “isn’t that just more of that IT security stuff?” then it’s time to educate again; it’s so much more than just security.

Will it affect me? Does it matter if I’m not in the EU?

Both valid and common questions; the answer, pretty much every time, is a resounding yes. It doesn’t matter if you are inside or outside of the EU.

Location is irrelevant: if you hold data on EU citizens, regardless of where you are based, then you will fall under the scope of GDPR.

What about putting data in the cloud?

Cloud presents an interesting issue, as does the placing of data with any 3rd party: as the data controller, you are ultimately responsible for what happens to it. The general advice is to ensure two things. If you are passing your data to someone to process, ensure that you have a clear contract in place with them.

If you are looking to a cloud provider, then ensure they have appropriate data privacy policies and safeguards in place so that you are not exposed to risk.

What should I do?

What are some steps you should be taking?

Dealing with GDPR is going to be a constant challenge, so it’s important to get started. Here’s where I’d start:

  • What are your current policies and are they appropriate?
  • Understand your current data: where is it, how much do you have, who has access, what does it contain?
  • Why do you have that data and why do you collect it?
  • Educate your business, so that from top to bottom people understand the importance of data privacy and the impact that this new regulation will have.
  • Deliver your GDPR compliance plan.

You’ll notice there is very little technology highlighted in those initial steps; maybe something to help you understand your current data sets, but apart from that, it’s policies, procedures and education.

Technology will have a place; in reality, you are going to find it hard to remain compliant without some technical tools and resources to help you do it.

What have I learned?

There is lots to learn!

It’s complex; it’s not a technical problem with a “silver bullet” to fix it. It is a business, legal and compliance issue.

The most interesting thing I’ve discovered, though, is that even if GDPR wasn’t something we had to comply with, it contains such a level of good and sensible practice that we would want to adopt it anyway.

Because in the end, it’s all about our data; let’s keep it secure and private.

For more GDPR resources try out some of the following:

EU GDPR Site

UK Information Commissioner’s Office

You can also check out a friend of mine, Mark Carlton and an excellent GDPR post he recently published.

How GDPR could affect your business

I also did a series of podcasts to support a recent event that we ran; they cover GDPR in broad terms as well as looking at some specifics on data management and how to work with your people, so feel free to check them out:

Best Take Care Of Those Crown Jewels – Sheila Fitzpatrick – Ep 17

Don’t Build Your Data Privacy House Upside Down – Sheila Fitzpatrick – Ep 18

What you don’t know, may hurt you – John Hughes – Ep 20

Make People Our Best Data Security Asset – Dom Saunders – Ep 19
