Compliance officers might think the best way to solve these problems is by forcing project owners to anonymize or mask their data, or even to not use sensitive data at all. Of course, this would defeat the purpose of data analytics. Instead, organizations can be smarter, by applying format-preserving protection.

A patchwork of regulations

The EU General Data Protection Regulation (GDPR) moved the dial on data protection laws when it was introduced back in 2018. Not only does it apply extra-territorially, meaning organizations outside the bloc must follow its rules if they process data on EU citizens, but it has since spawned numerous copycat laws across the globe. Not only did it grant consumers (data subjects) new powers of their own personal information, it placed at times onerous new obligations on data processors. Large potential financial penalties of up to €20m or 4% of global annual turnover were intended to make boardrooms sit up and take notice.

Many similar laws around the world have followed suit, just as the California Consumer Privacy Act (CCPA) has inspired legislators in other US states. But what that means is a patchwork of regulations which global organizations must navigate if they want to truly tap the benefits of cloud-based analytics without risking serious penalties. Data on customers, partners and employees must be adequately protected as it flows across different databases and applications on-premises and into the cloud. Only a comprehensive and continuous audit of all of this entire data landscape will do.

Yet the challenge is that each new tool added to the IT infrastructure will increase complexity and demand more personnel and time to successfully manage audits. And many data protection approaches fail because they don’t have continuous visibility and control in cloud environments, or across all data types.

Data-centric security

Data-centric security offers a more intelligent way to manage the compliance challenges related to cloud-based data analytics. There are three primary goals:

• Put your data warehouse and analytics environment out of scope for PCI DSS. This would help to reduce associated costs. (A comforte customer reduced security compliance scanning by 30%)
• Ensure that your data warehouse and analytics environment is compliant with privacy regulations such as GDPR. This would help to reduce project risk and accelerate the adoption of new tools and technologies
• Ensure that any privacy solution you deploy is sustainable and future proofed. This would help to speed time to market and the enrolment of new applications for future projects. It could also reduce costs if capabilities are consolidated on a single vendor. (A comforte customer simplified its security architecture, with the associated benefit of 16.8m).

To achieve this, organizations must look to technology vendors like comforte, which offers:

• Continuous discovery of sensitive data, no matter where it is
• A variety of end-to-end format preserving protection (eg: tokenization, format-preserving encryption) which ensures data can be used in analytics projects
• A single, unified solution which enables centralized management and enforcement of policies for all current and future projects and applications
• Simple, streamlined integration of any data source, ensuring data is safe not just at-rest and in motion, but also when it is used or shared

The key is to apply data-centric security before data is ingested into cloud analytics systems, by first discovering all data, identifying sensitive elements and then adding protection. This means no sensitive information will be stored in the cloud and compliance risk is minimized. With technology like comforte’s platform, organizations have the agility to optimize their use of data without running the risk of non-compliance—not just today but as technology and regulations evolve over time.