Syed Ashfaq Ahmed, the Head of Encryption Business Unit at Spire Solutions, speaks about how data security and compliance needs have changed in the past year, the blurring line between data security and data privacy, and lots more.
How have data security and compliance needs changed over the past year?
The last 12 to 18 months have seen a paradigm shift in technology adoption due to COVID, and many initiatives which would have taken years to adopt have been fast-tracked. The region has seen work from home, digital transformation, IoT, cloud adoption, etc. take off in an unparalleled manner. All these changes make data one of the most valuable and strategic assets to the business; therefore, data protection has become a priority.
Though the complexity in cybersecurity has increased, the idea of securing the data at the core using encryption has not changed. The authentication, integrity, and access to data are directly governed by encryption. Encryption is literally the last frontier of data security. Given a scenario in which all the other security measures are breached, if the encrypted data cannot be broken, the stolen data will not be of any use to the adversary. The health of the cryptographic primitives should be at the highest level to give a core advantage to an organization in securing its data.
In my opinion, data security is the heart of cybersecurity, and most organizations now believe that they are inherently addressing data security when they adopt various cybersecurity measures. Data security and compliance with regulations are no longer choices but mandates that companies must adhere to so they can protect their most prized asset (data) from newer attack vectors.
What best-practice standards and frameworks can help companies achieve and maintain data security and compliance?
Data breaches can lead to stringent financial penalties and can have catastrophic effects on an organization, so building robust data security programs that are in line with industry standards and led by skilled personnel becomes non-negotiable. Organizations can couple their internal experience and industry best practices with local laws and the most popular frameworks, developed on the basis of years of academic research, training, and education, such as:
- Payment Card Industry Data Security Standard (PCI DSS): Protects the payment card data in electronic form during transmission & storage.
- Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information & personally identifiable information.
- NIST Cybersecurity Framework & NIST Privacy Framework: Provides standards, guidelines, and best practices to help organizations manage cybersecurity risks & data privacy risks.
- ISO/IEC 27701, Security Techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines, helps companies manage their privacy risks for personally identifiable information.
- eIDAS: This allows the EU to provide a legal framework for transnational digital transactions. It establishes a framework for electronic identification and trust services, including the topic of the electronic signature.
Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
Many countries in the Middle East and Africa have started to develop their own data regulation/framework which is tailored to the needs of their nation. They focus on various aspects such as PKI, e-transactions, and data management but ultimately keeping data protection at the center.
Some such regulations include:
- UAE – Dubai Data Law by Dubai Electronic Security Center, Data Management Standards by Abu Dhabi Digital Authority, Dubai Government Information Security Resolution (DG ISR)
- Qatar – National Information Assurance Policy and FIFA Cybersecurity Framework (CSF) 2022
- Nigeria – Nigeria Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA)
- Egypt – Data Protection Law
What according to you are the five tips that companies need to follow to comply with data security regulations?
Irrespective of the framework an organization adopts, the following five tips will help them on the journey to regulatory compliance:
- Identify/Discover Critical Data: On the data security journey, the first step is to identify or discover what data is present and where your data is present. Organizations should opt for solutions such as Atos Data Protect for discovering both structured data, like data in databases, and unstructured data, like data in file shares, SharePoint, etc. Atos Data Protect can help you discover data based on cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR), or other data.
- Classify and Protect the Data: The second stage in data security is to classify and protect the data. Organizations must use solutions like data classification and DLP, which can help in classifying the data and protecting the data from leakage.
- Data and Identity Security: Adopt a data-centric security approach to ensure your most critical assets are protected. Monitor and detect suspicious behavior on sensitive data, and ensure access rights to sensitive data are properly managed. Also, identity is the new perimeter in today’s world, and organizations should adopt strong measures to protect identities and access, internal or external.
- Develop a clear plan: Organizations must develop a strategy while implementing data security solutions. Organizations should start with a minimal scope, rather than going for an exhaustive scope. Organizations must understand that implementing these measures will involve a “user behavior/culture change”. Adding more controls in the initial stages will increase user frustration and in turn decrease the productivity of the users.
- User Awareness: Organizations must ensure that users are educated and made aware. Organizational users must be trained to understand the importance of data security and the role they play in protecting the critical assets of the organization.
How does your company help its clients with securing their data and staying compliant?
Spire Solutions has a team of data security professionals focused on data protection solutions that address compliance regulations of countries in the Middle East and Africa. We are partnered with ATOS, a global cybersecurity leader, to provide end-to-end protection of data at rest, in motion, or in use; and emerging quantum leader QNu Labs to bring quantum-safe security to the region with Quantum Key Generation & Distribution.
Our consultants are adept with the regional data protection laws and agile enough to adapt to newer regulations to help our customers on their data security journey. Our consultants help organizations build comprehensive data protection and governance, starting with the deployment of the necessary solutions to protect critical data from unauthorized use or theft.
On a final important note, we recently launched a dedicated business unit to support regional customers with their end-to-end data journey. Right from solving complex data engineering scenarios to building modern-day AI-driven analytics solutions, our goal is to make data secure, accessible, and monetizable without impinging on privacy.