Click to learn more about author Balaji Ganesan.
Sources indicate 40% more Americans will travel in 2021 than those in 2020, meaning travel companies will collect an enormous amount of personally identifiable information (PII) from passengers engaging in “revenge” travel. In a near 100% digital world, sensitive information including credit card numbers, email addresses, phone numbers, COVID-19 vaccination information, and more can be at risk and exposed in some fashion similar to Carnival’s data breach in March that potentially compromised the PII and health data of its customers.
Convincing millions of travel-hungry Americans to stay home because of Data Governance and security risks is unrealistic. It’s much more practical to prevent future data breaches from occurring, or minimize their effects, by implementing proper Data Governance controls to safeguard travelers’ valuable PII.
Heterogeneous Data Sources
Carnival’s example illustrates the risk and responsibility organizations face by amassing data from a variety of sources. Carnival Corporation operates a number of travel entities across countries and continents in areas such as the U.S., Holland, Australia, Alaska, Costa Rica, the United Kingdom, and more. With its subsidiaries ingesting large quantities of customer data, it collectively functions at a global scale with a sundry of data owners, analysts, and teams all demanding data access – which increases the risk of granting it.
The diversity of these data sources in disparate geographic regions means Carnival is subject to numerous data regulations, data sovereignty concerns, and laws, each with varying requirements. Non-compliance with any of these entities (by suffering a data breach, for example) results in costly fines, loss of reputation, customer distrust, and operational downtime.
Similar to Carnival’s data estate, organizations across all industries face similar challenges and regulatory landscapes that impact the way they collect and manage sensitive data. To stave off the risk of a data breach, organizations should follow these important steps:
1. Centralize Data Visibility: To understand real-time data use in this assortment of sources, business units, and end users, organizations need to centralize their data visibility from one location. This approach creates several benefits for consistently securing Data Governance, foremost of which is simply understanding where sensitive data exists. With the widespread use of hybrid and multi-cloud deployments, this fundamental task is far from easy, since different sources frequently involve different infrastructures. The data discovery process – in which technology automatically scans, classifies, and tags sensitive data according to PII or other characteristics – provides this basic necessity across clouds and tools.
Central visibility into data systems is also effective for countering data replication issues in which respective teams copy data – in different repositories and platforms – for their own purposes. Such systemic redundancy increases the difficulty of controlling access to PII, for example. However, a centralized platform unifies the views for all data to keep security and governance personnel abreast of who’s doing what with which data so manual efforts and security gaps diminish.
2. Apply Granular Access Controls: Once organizations know where important data is and can view it from a single location, they need to restrict who can see and manipulate data according to governance policies based on the aforementioned regulations, laws, and data sovereignty concerns. This is the key to minimizing adverse effects and access to sensitive customer data. Most solutions rely on perimeter defenses that manage information at the application, database, or platform level. A better approach is to secure information at the data level by restricting use according to individual columns, rows, or nodes of data.
With this method, companies can customize the way data is accessed according to things like attributes, users, roles, or groups. Thus, there are limits to which databases (and files in those databases) users can view, as well as restrictions to rows within them, so only authorized individuals can access the data for which they’ve been approved. Marketing and HR teams, for example, can only see what’s necessary for their jobs – protecting data like birthdates or credit card information. Solutions with automated, real-time alerts are also crucial for reducing reaction time when unauthorized activity happens, which either stops or mitigates breaches.
3. Leverage Automation and Auditing Capabilities: The increase in data breaches illustrates another painful reality: Enterprise resources aren’t matching the pace at which data amounts are growing. Manual processes simply can’t scale to the demand of modern cloud and hybrid cloud deployments, making automation the game-changer for protecting data. Firms can automate access policy enforcement with technology that creates enforcement measures from a single, central location and implement them in source systems everywhere. This ensures uniform data access no matter who needs it or where, while also reducing the burden on security personnel tasked with controlling such access at scale.
Data lineage and auditability is another important benefit of leveraging technology with a centralized approach to securing data access in distributed systems. These capabilities reduce the risk associated with sensitive customer data and are vital for demonstrating regulatory compliance for mandates like GDPR, for example. Automating aspects of data lineage and pairing reporting tools with auditing allows organizations to track exactly what’s happening to data in their journey throughout the enterprise, trace it, and create detailed reports for internal or external auditors.
A Lesson Learned
Like many other high-profile data breaches, the Carnival incident reinforces the need to ethically use data to prevent future mishaps, guard sensitive customer data, comply with regulations, and avoid fines or shutdowns. Securing data’s accessibility throughout complex IT systems requires centralized, automated technology to control information in their source systems while managing them from one place. This provides the scalability to grow Data Governance, security, and access controls as needed across the organizations and with partners. Moreover, it simplifies the jobs of governance and security personnel tasked with providing these gains for all companies – not just those in travel.