In an age when ‘data is the new oil’, large-scale processing of data related to customer behavior and preferences, product usage, or movement patterns (e.g. in the automotive industry) will be increasingly critical to every enterprise. This includes car manufacturers, consumer goods producers, smart-gadget vendors, or any kind of service provider. Obviously, greater reliance on data means an increased risk in the case of a data breach — especially when customers’ or partners’ personally identifiable information is compromised.

Unfortunately, the digital transformation that ushers in this new data economy is moving so fast that IT organizations can struggle to keep their information-security defenses up to date. That’s why enterprises across all industries need to take a close look at their information security processes, roles, and tools. Otherwise, data-related risks are bound to increase — and this can quite easily result in intellectual property leakage, customer dissatisfaction, compliance violations, reputation damage, and financial loss.

To improve information security, organizations need:

  • Stringent, enterprise-wide data classification, determining which data are sensitive, internal, or personally-identifiable information. Not all data are created equal, yet many enterprises have no solid classification system in place — so they lack a clear picture of how relevant each data set is.
  • Technical means to keep track of sensitive information (e.g. personally-identifiable information): this original data needs to be safely stored in databases and content management systems (CMS), while additions, updates, and changes must be tracked and kept consistent across platforms. This usually means installing monitoring and asset management tools.
  • IT security systems for secure role-based access to sensitive information: this aspect of information security requires an identity and access management (IAM) solution, VPN-based access to corporate resources, and data leakage prevention (DLP) tools to avert data loss due to targeted attacks or insider threats.
  • A content collaboration platform (CCP): a platform that provides secure, centrally-controlled sharing of information even across multi-cloud environments, minimizing the risk of data loss.
  • Virtual workspaces and endpoint management: data breaches most frequently occur at the end-user side of corporate networks. This is why an organization should homogenize end-user access to corporate resources via a virtual workspace platform, allowing for centralized control of all resource access and usage. In a best-practice scenario, this is complemented by an enterprise mobility management solution to manage and secure mobile endpoints (along with Windows 10).
  • A software-defined perimeter: intelligent networking, provided by application delivery controllers and analytics software, extends contextual control and behavior monitoring beyond the traditional datacenter. This allows IT to proactively secure data, detect breaches, and mitigate risk across the enterprise.

Holistic information security doesn’t just make sense from a business and IT security perspective; it will soon even be required by the new General Data Protection Regulation (GDPR) taking effect in May 2018. GDPR demands that all organizations that do business with EU residents and store or process their personally-identifiable information employ state-of-the-art data protection. The regulation even requires certain entities to introduce a new role, the Data Protection Officer (DPO): public authorities need DPOs, as do organizations that process highly-sensitive personally-identifiable information on a large scale. This includes, for example, hospitals or insurance companies.

Given the growing importance of data to the modern economy, organizations need to reevaluate the state of their information security processes, tools, and roles. A holistic security approach is the only way to protect valuable information, manage risk, and achieve compliance.

Legal Disclaimer: This document provides a general overview of the EU General Data Protection Regulation (GDPR) and is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that Customers or Channel Partners are in compliance with any law or regulation. Customers and Channel Partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and Channel Partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.