GUEST ESSAY: 5 tips for ‘de-risking’ work scenarios that require accessing personal data

By Alexey Kessenikh

Working with personal data in today’s cyber threat landscape is inherently risky.

Related: The dangers of normalizing encryption for government use

It’s possible to de-risk work scenarios involving personal data by carrying out a classic risk assessment of an organization’s internal and external infrastructure. This can include:

Security contours. Setting up security contours for certain types of personal data can be useful for:

• Nullifying threats and risks applicable to general infrastructural components and their environment.

• Planning required processes and security components when initially building your architecture.

• Helping ensure data privacy.

Unique IDs. It is also possible to obfuscate personal data by replacing it with unique identifiers (UIDs). This de-risks personal data that does not fit in a separate security contour.

Implementing a UID system can reduce risk when accessing personal data for use in analytical reports, statistical analysis, or for client support.

Assigning UIDs for a set of personal data can significantly reduce the risks of a data breach in scenarios where a significant amount of a company’s processes involves personal data sent to third-party services.

Randomizing data. Most business networks are architected with different levels of security and instruments for controlling the data in them. Personal data can be categorized according to different levels of criticality, and the migration policies for movement between adjacent systems can be refined.

This enables the application of different levels of protection for different data sets stored in different places. It also enables the establishment of granular data access controls for employees and systems.

Push vs. pull. It is always preferable to push sensitive data to third-party services rather than permitting the service to pull data from an organization.

This general principle holds: it is always better for a company to control what it is ready to give away instead of allowing someone to take what they need. This is because companies typically do not pay enough attention to the risk profiles of partners and suppliers, and letting them grab data can lead to hidden exposures.

Encryption. Encrypting data in storage and while it is being transferred can also significantly de-risk work scenarios revolving around the use of personal data. Encrypting data can be done cheaply, and it will reduce the potential for unauthorized access, data theft, or corruption of data integrity.

The alternative is to mask or tokenize personal data. Just as with UIDs, it is possible to completely tokenize sets or groups of data together (e.g. IP addresses). Third parties can’t see the personal data, but can learn that certain users have a single value (i.e. from one IP address) because the tokens will be identical.
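The identical-token property described above, shown as an added example (not code from the essayist or Soveren). It assumes HMAC-SHA256 as the tokenization function and one secret key per recipient; the function names, keys and event records are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress


def tokenize_ip(raw_ip: str, key: bytes) -> str:
    """Deterministic keyed token for an IP address (HMAC-SHA256, truncated)."""
    # Canonicalise first so "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" get one token.
    canonical = ipaddress.ip_address(raw_ip.strip()).compressed
    # A keyed MAC is used instead of a bare hash: the IPv4 space is small enough
    # that an unkeyed hash could be reversed by hashing every possible address.
    digest = hmac.new(key, canonical.encode("ascii"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


def tokenize_records(records, key, field="ip"):
    """Return copies of the records with the personal field replaced by its token."""
    out = []
    for rec in records:
        masked = dict(rec)  # copy, so the internal records stay untouched
        masked[field] = tokenize_ip(rec[field], key)
        out.append(masked)
    return out


# Constructed sample events using documentation address ranges.
EVENTS = [
    {"event": "login", "ip": "203.0.113.7"},
    {"event": "purchase", "ip": "203.0.113.7"},
    {"event": "login", "ip": "2001:DB8::1"},
    {"event": "login", "ip": "2001:db8:0:0:0:0:0:1"},
    {"event": "login", "ip": "198.51.100.23"},
]

# Assumed per-recipient secrets; real keys would come from a secrets manager.
KEY_ANALYTICS = b"constructed-demo-key-analytics"
KEY_SUPPORT = b"constructed-demo-key-support"

if __name__ == "__main__":
    # The analytics recipient can group events by token but never sees an address.
    for row in tokenize_records(EVENTS, KEY_ANALYTICS):
        print(row)
```

Using a different key per recipient means two third parties cannot join their data sets on the token, while each can still count events per token.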

Reducing and limiting risks generally comes down to controlling who has access to unencrypted data. Therefore, personal data should not be used in development or testing environments.

The more precisely a company can define and manage its assets, and in particular granularly control access to personal data by both humans and machines (i.e. software), the better it will be able to de-risk the personal data it is responsible for.

About the essayist: Alexey Kessenikh is CISO at Soveren, which supplies automated detection and remediation solutions to manage personal data protection and compliance risks.
