The Hidden Challenges of Data Retention
Add bookmarkCompanies are drowning in enterprise data. While such data can serve as a conduit to innovation, it can also be a liability.
Having the right data retention policies in place not only protects data from unauthorized access or other malfeasances, it also ensures data is primed for business usage. Furthermore, recent regulations such as GDPR mandate the creation of a data retention policy to prove data is properly managed and utilized throughout its entire lifecycle, but especially at the very end.
Data Deletion
While many organizations excel at saving data, few have mastered data disposal.
According to a 2020 Deloitte survey, 80% of companies surveyed have a defined data retention policy in place:
With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.
“Only one out of three respondents provided data to the business process owners for final disposition. Data is seldom reclassified or anonymized per current practices. Organizations may not be aware of techniques to use anonymized/pseudonymized data in an effective manner. Only 30 percent of the organizations were adopting automated erasure techniques for data on completion of the retention period.”
Furthermore, the report found that an alarming number of companies relied on ineffective data deletion and drive/device formatting methods that can leave sensitive data unprotected. In fact, more than 15% of second-hand drives purchased from an online retailer contained leftover data from previous users.
GDPR and like-minded regulations also require proof of data disposal in the event of a consumer complaint. However, this too has been woefully overlooked as only 32% of companies “are prepared for and may have conducted audits of processing activities with respect to end-of-life of personal data.”
It is clear that CISOs need to become involved with the data retention process. Though policy decisions can be left to chief data and privacy officers, CISOs are increasingly being compelled to oversee the execution of data retention strategy, especially when it comes to the logging and verification of data disposal.
Data Lake Security & Governance
Over the past decade, data lakes have surged in popularity amongst data scientists looking to experiment with advanced analytics. However, if not properly maintained, data swaps can easily devolve into data swamps whereby the system is flooded with irrelevant, unusable data.
Such an environment poses a number of data security and privacy risks. To start with, data that cannot be found cannot be disposed of or retrieved in response to subject access requests.
Secondly, even well governed data lakes are vulnerable to false data injection and malware obfuscation, as datasets are not segmented by clear boundaries. As a result, someone with access to a particular file object can modify it, and there is no trail or history of what was modified.
CISOs, CDOs and CPOs must work together to create security-first data governance frameworks for data lakes to protect the business, its customers and it is most valuable strategic data assets. Such a plan should also address:
- Data access control
- Data protection (encryption)
- Data lake usage audit
- Data leak prevention
- Data lineage documentation
In the event the business opts to “drain the data swamp” it’s critical for the CISO to play an active role in determining what data to keep and how to dispose of unusable or corrupted data in the securest way possible.