Elevating Data Security

The modern regulatory landscape frequently mandates the collection and retention of Personally Identifiable Information (PII) and other sensitive information. Financial institutions, in particular, must adhere to Know Your Client (KYC) and Anti-Money Laundering (AML) regulations. However, current regulations may lack prescriptive guidelines for data protection, leaving organizations vulnerable to breaches. This article presents additional data protection techniques that can supplement existing regulations, rather than replace them entirely.


Data breaches involving PII can have severe, long-lasting consequences that are difficult, and usually impossible, to reverse. While monetary losses can be replaced, leaked data remains exposed indefinitely. To address this pressing issue, we must move beyond the baseline security measures and adopt advanced data protection techniques. The following is a brief exposition of methods I have successfully used in several contexts to add additional layers of protection to data within organizations I worked with.

Challenging the Status Quo: Moving Beyond AES256 and TLS

Most organizations protect their data with strong encryption at rest (typically AES256) and encryption in transit (using TLS). Although these measures are essential and represent the industry standard, they should not be seen as the ultimate level of protection. We need to elevate our standards and explore additional layers of protection that focus on how often, and in what context, the data is actually used. Of course, we assume that other security control groups, such as monitoring and access management, are already implemented, and focus here on some less frequently adopted methods.

Strategies for Enhancing Data Security

  1. Embrace Data Minimization: While this is not a novel method, it’s one worth reiterating as it’s the only “fool-proof” method available. Storing only the necessary data shrinks the attack surface and reduces the overall severity of breaches. Avoid the trap of storing more data than needed, and delete data freely when retention policies don’t mandate otherwise. If the data doesn’t exist in a system, it can’t be compromised.

  2. Offline Asymmetric Encryption for Infrequently Accessed Data: Encrypt rarely accessed data (e.g., PII documents kept for regulatory compliance, which after their initial use for onboarding may only be needed when a regulator requests them) with asymmetric encryption and store the private key offline. Although data retrieval speed will suffer, the security benefit outweighs this trade-off. Implement a reliable, secure backup plan for the private key, such as one based on Shamir’s Secret Sharing, to protect offline keys.

  3. Field-Level Encryption with Separate Keys for Frequently Accessed Data: For data that is accessed regularly, use separate keys for individual data fields. Leverage encryption keys provided by a Key Management System (KMS) or equivalent solution to add an extra layer of security, and restrict decryption access to the system components that genuinely require the data in plaintext. Customize this methodology to suit the unique requirements of your infrastructure. The idea is that even if a database host, or any other part of the system, is compromised, the data remains safe unless the KMS key it is encrypted under is also compromised. In other words, this is an additional layer of encryption on top of “at rest” and “in-transit” encryption. In the ideal state, decryption of the data is delayed until the point where it must be used in plaintext.

  4. Minimize Trust with Third Parties and Retain Data In-House: Entrusting sensitive data to external organizations increases the risk footprint, potentially exposing your data to vulnerabilities within their systems. To mitigate this risk, consider storing sensitive data within your own infrastructure and removing it from third-party systems. Although it may be tempting to rely on other companies, assessing their security posture can be challenging and verification may be impossible. By minimizing trust with third parties, you take greater control over the security of your data.

The Path Forward: A Call for a Comprehensive Security Approach

By adopting these advanced data protection techniques, and looking for other methods that go beyond the industry standards, organizations can significantly reduce the likelihood of damaging data breaches and better safeguard their sensitive information. However, it is crucial to acknowledge that a truly secure environment requires a comprehensive approach that includes access controls, authentication mechanisms, secure data transmission, monitoring and logging, and incident response planning. Additionally, adhering to established security frameworks and standards, such as NIST or ISO/IEC 27001, can provide a structured foundation for a robust data security strategy.

In conclusion, as the threat landscape evolves, so must our data protection measures. By challenging the status quo and embracing advanced security techniques, we can strive for a more secure digital future.

Written on April 14, 2023