Sensitive data: Time to rethink your definition

When you think about protecting sensitive data, your likely first concern is confidentiality. But organizations need to start thinking more about data integrity – and potential misuses.

If you’re watching a spy movie of the old school type, you can pretty much guarantee that at some point the phrase “that information is need-to-know” will be uttered by at least one of the characters. The information is, simply, sensitive, and is bound to be central to the plot - however weak the storyline ends up being.

In the real world, we talk quite a lot about information being “sensitive,” and the question “what exactly is sensitive data?” is one that has been on a lot of people’s minds recently with the advent of the GDPR legislation. In fact, GDPR has made the question a whole lot easier to answer in some contexts: It gives us some pretty firm guidelines on what we should consider to be sensitive when we’re discussing anything to do with customers. How we protect that data, how we keep it up to date, how we use it, and what we do with it when it is time to delete it are all much more clearly in scope than they were previously for many businesses.

Although the impact of this legislation has been painful in some ways, the clarity that GDPR has provided is something for which we should actually be grateful.

What’s sensitive?

GDPR only covers one set of data types, however: What other types of sensitive data are there?  The answer to this question is both simple (“many”) and more complex. Information like customer data is likely to come under GDPR, but what about firewall configuration?  Probably sensitive. The CEO’s compensation package? Well, if you’re a public company, that may be public.  But the pay packages of all employees?  Probably sensitive. And details of a severance package? Also sensitive.  

That doesn’t mean that nobody should be able to see or access this information. The recipient of a severance package and the relevant HR person will need to be able to see it, as will legal representatives from both parties. People involved in payroll may need to be able to see it as well - or will they? Maybe it is sufficient to ensure that the automated systems that manage payroll processes are able to access it. Might anybody else need to be able to access that data? Well, depending on the situation, a union representative might need to see it, and in the case of a dispute, court and possibly law enforcement representatives, too.

This example might seem to be chosen to show complexity, but I chose it pretty much at random. Take the time to work through the same exercise for other types of data: cryptographic keys, for example. What humans need access to them, and under what circumstances? What automated processes need access to them, and under what circumstances? Equally - maybe more - interesting are questions related to what happens when unauthorised entities gain access to these keys, what steps should be taken if they do, and whose responsibility it is to identify what mechanisms should be in place to protect them, and what should happen if they are exposed or changed.

Have you mapped possible misuses?

When we think about protecting sensitive data, our first instinct is usually to ensure that it is kept confidential.  However, its integrity (the assurance that it has not been changed by unauthorised parties) is often as important as its confidentiality, and sometimes more so.

Sometimes the timing of when information is available is important, too. Knowing the stock price of a company up to the millisecond may be vastly important to a trader, whereas waiting a few seconds - or even minutes - to access historical stock data may be perfectly acceptable to a researcher or auditor. To turn that on its head, knowing the current temperature to within a degree or two may be sufficient to plan a sporting event in the near future, whereas highly accurate historical measurements, and an assurance that they are correct, may be required for researchers looking into climate change.

What all of this tells us is that data has little intrinsic sensitivity on its own. It is only when it is considered in various contexts - time, use, legislative or regulatory regime, who is trying to access it and why - that we can understand how it is sensitive, and what steps need to be taken to protect and safeguard properties such as its confidentiality, its integrity, its availability, and its correctness.

Business leaders need to ensure that they and their staff are well-equipped to understand not only what types of data are within their sphere of responsibility, but also, and more importantly, how the data can be used and misused.

Without this ability to map use and misuse, and a real understanding of what “need to know” really means, organizations cannot hope to manage and protect their data.

Mike Bursell joined Red Hat in August 2016, following previous roles at Intel and Citrix working on security, virtualisation, and networking. After training in software engineering, he specialised in distributed systems and security, and has worked in architecture and technical strategy for the past few years.