How Do You Secure Enterprise Data?
Data is arguably the most valuable asset in any organization today. Unfortunately, data – especially personal and proprietary information – is also a prime target for malicious actors. For example, 2024 saw a number of huge breaches, including the National Public Data breach that allegedly exposed 2.9 billion records of up to 170 million people in the United States, Canada and the United Kingdom. The largest healthcare data breach to date also occurred in 2024. The ransomware attack on Change Healthcare exposed protected health information from approximately 100 million people.
And data volumes are exploding, offering expanded opportunities for cybercriminals. According to Statista, global data creation is expected to jump from 147 zettabytes in 2024 to 394 zettabytes by 2028. A zettabyte is equivalent to a trillion gigabytes.
These factors are increasing the importance and urgency of achieving strong security for enterprise data.
Before discussing this challenge, let’s define “enterprise data.” This term refers to structured and unstructured data that supports business operations and activities. Enterprise data is shared by users throughout the organization: across different departments, business units, and geographic areas.
Today, an estimated 80% to 90% of enterprise data is unstructured. Unstructured data, which includes text, audio, video, social media posts, and email messages, contrasts with structured data, which is organized in a searchable format. While enterprises are familiar with using and securing structured data residing in applications and databases, they may struggle to discover and safeguard unstructured data. In short, unstructured data can make it difficult to secure enterprise data as a whole.
Where is enterprise data located?
Another complicating factor in securing enterprise data is location. In the “old days,” enterprise data resided in on-premises data centers and on enterprise-owned devices like corporate-issued laptops and desktops. Today, it is no longer restricted to systems, apps, locations, and devices that are controlled by the organization. Cloud services, SaaS applications, bring-your-own-device programs, outsourcing, and many other factors have combined to disperse enterprise data far beyond the organization’s traditional perimeter, making it difficult to locate, let alone protect.
Which data is important to secure?
The next challenge is knowing which enterprise data, out of all these myriad sources, must be secured. “Sensitive” is the term used to describe data requiring protection from unauthorized access and disclosure.
In general, sensitive data encompasses personally identifiable information (PII), protected health information (PHI), financial information, intellectual property such as trade secrets, access credentials such as biometrics, and government classified information. Security and privacy of these data categories are often regulated.
In the past, enterprises differentiated between sensitive and non-sensitive (public or internal) data by using manual identification and classification methods. This approach is not only time-consuming but error-prone, because sensitive data often turns up in unexpected, unmanaged locations such as spreadsheets, file shares, email attachments and log files, where nobody thinks to look for it.
Today, content-aware inspection tools classify data by inspecting the content itself, combining pattern matching and validation with machine learning, rather than relying on data location, source, file name or other external markers. Because the inspection is automated, it also scales to data volumes that manual review cannot reach.
Why encryption alone is not enough
Just as enterprises have depended on manual classification of sensitive data, they have relied primarily on encryption for data security. In addition to providing protection and privacy, encryption may be required for compliance with certain regulations, such as PCI DSS.
Encryption provides a first line of defense by turning readable plaintext into ciphertext that can only be read by someone holding the corresponding key. Encryption at rest protects stored data and encryption in transit protects data on the wire; end-to-end encryption keeps the data encrypted all the way from the sender’s device until the intended recipient decrypts it, so intermediaries such as mail servers or cloud relays never see plaintext.
However, encryption is not a panacea for data security, and has a number of drawbacks:
- Insider threats: Encryption protects data from an outside attacker who obtains only the ciphertext, but not from anyone who holds, or can obtain, the key. Malicious insiders, compromised administrator accounts and over-privileged applications all read the same plaintext the legitimate user does.
- Implementation complexity: Deploying encryption hardware and software can be difficult and may require assistance from third-party experts.
- Challenges around key control: Keys are essential for encrypting and decrypting data; without the key, the encrypted data remains unreadable, and whoever controls the key controls the data. Generating, distributing, rotating and retiring keys across a large enterprise is complicated. A key management system or hardware security module (HSM) keeps keys from being read or altered by unauthorized parties and records who used them.
- Performance overhead: Encrypting and decrypting data adds processing time. Modern CPUs accelerate AES in hardware, so the cost of bulk encryption is usually small; the overhead tends to show up instead in round trips to key services and in losing the ability to search or index data while it is encrypted, and it grows with the volume of data today’s enterprises handle.
- Vulnerability to quantum computing: A sufficiently large, fault-tolerant quantum computer, once one exists, could run Shor’s algorithm to break the public-key algorithms in wide use today (RSA, Diffie-Hellman and elliptic-curve cryptography) by deriving the private key from the public key. This is not a brute-force attack; symmetric ciphers such as AES are far less affected, since Grover’s algorithm at most halves the effective key length and AES-256 remains adequate. Because data stolen today can be decrypted later (“harvest now, decrypt later”), NIST published its first post-quantum standards, FIPS 203, 204 and 205, in August 2024, and migration planning has begun.
For these reasons, enterprises need a multi-layered approach to data security that includes data loss prevention (DLP) and secure access service edge (SASE) technologies.
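The key-control point above is usually addressed with envelope encryption: each object is encrypted under its own data encryption key (DEK), and the DEK is in turn encrypted under a key encryption key (KEK) that never leaves a KMS or HSM. The following is an added example written for this page, not code from any product or standard; the KeyStore type is a stand-in for a KMS, and the object IDs and key identifiers are illustrative. It uses AES-256-GCM from the Go standard library for both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedObject is the stored record: ciphertext plus its per-object data key
// (DEK) wrapped under a key encryption key (KEK) that only the key store holds.
type EncryptedObject struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyStore stands in for a KMS/HSM, the one place where KEK bytes exist.
type KeyStore struct {
	keks    map[string][]byte
	current string
	n       int
}

func NewKeyStore() *KeyStore {
	ks := &KeyStore{keks: map[string][]byte{}}
	ks.Rotate()
	return ks
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// Rotate mints a fresh KEK and makes it current; earlier KEKs keep unwrapping until revoked.
func (ks *KeyStore) Rotate() string {
	ks.n++
	id := fmt.Sprintf("kek-%d", ks.n)
	ks.keks[id] = randBytes(32)
	ks.current = id
	return id
}

// Revoke destroys a KEK; anything still wrapped under it becomes unreadable.
func (ks *KeyStore) Revoke(id string) { delete(ks.keks, id) }

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// sealGCM returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt uses a one-off DEK per object and wraps it under the current KEK. The
// object ID is bound as AAD, so a record copied into another object's slot fails.
func (ks *KeyStore) Encrypt(objectID string, plaintext []byte) *EncryptedObject {
	dek := randBytes(32)
	return &EncryptedObject{KEKID: ks.current,
		WrappedDEK: sealGCM(ks.keks[ks.current], dek, []byte(objectID)),
		Ciphertext: sealGCM(dek, plaintext, []byte(objectID))}
}

func (ks *KeyStore) unwrap(objectID string, obj *EncryptedObject) ([]byte, error) {
	kek, ok := ks.keks[obj.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s unknown or revoked", obj.KEKID)
	}
	return openGCM(kek, obj.WrappedDEK, []byte(objectID))
}

func (ks *KeyStore) Decrypt(objectID string, obj *EncryptedObject) ([]byte, error) {
	dek, err := ks.unwrap(objectID, obj)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, obj.Ciphertext, []byte(objectID))
}

// Rewrap moves an object to the current KEK without re-encrypting the data; only
// the small wrapped-DEK record changes, which is what keeps KEK rotation cheap.
func (ks *KeyStore) Rewrap(objectID string, obj *EncryptedObject) error {
	dek, err := ks.unwrap(objectID, obj)
	if err != nil {
		return err
	}
	obj.WrappedDEK, obj.KEKID = sealGCM(ks.keks[ks.current], dek, []byte(objectID)), ks.current
	return nil
}
```

The sequence that matters is Encrypt, Rotate, Rewrap, then Revoke of the old KEK: the object is still readable because only its wrapped DEK changed, while any object that was not rewrapped is lost the moment its KEK is destroyed. That is the control a storage administrator who can copy every record but cannot reach the KMS does not have, and it is why key custody, rotation and revocation belong in a dedicated key store rather than beside the data.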
Why Enterprise Data Security Requires DLP and SASE
Data loss prevention tools and processes protect data at rest, in transit, and in use by focusing on detecting and preventing leakage. Data leakage can occur deliberately, through exfiltration by external attackers and malicious insiders, and accidentally, through misconfigured storage, mis-addressed email, or careless sharing. In both cases the leaked data is open to misuse. Some DLP solutions can automatically encrypt sensitive data after detecting it.
Because enterprise data is no longer confined within the network perimeter, there are DLP solutions for networks, cloud storage, email, and endpoints.
How DLP works with encryption:
- It identifies sensitive data. Using pattern matching backed by checksum validation, exact-data and document fingerprinting, and machine-learning classifiers, DLP systems identify sensitive data within files, documents, emails, and other repositories. If suspicious activity is detected, such as an unusually large transfer, the sensitive data can be flagged for encryption, or the transfer blocked outright, to provide an extra layer of protection.
- It prevents unauthorized access. Encryption makes data unreadable without a valid decryption key. DLP reinforces this protection by preventing unauthorized attempts to access or share the encrypted data.
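The content-aware inspection described above (pattern matching confirmed by validation, rather than trusting file names or locations) looks like this in practice. This is an added example written for this page, not code from any DLP product; the document it scans is constructed, and the three detectors, the masking format and the Confidential/Internal labels are illustrative choices, not a standard.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one confirmed hit of sensitive data. Value is already masked so it
// can be written to a log or incident ticket without re-leaking the data.
type Finding struct {
	Kind  string
	Value string
}

// Candidate patterns. A pattern alone over-matches (any 16 digits look like a
// card number), so each candidate is confirmed by a validator before it counts.
var (
	panRe   = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRe = regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)
)

// SampleDoc is a constructed document mixing real-looking sensitive values with
// look-alikes that a pattern-only scanner would flag by mistake.
const SampleDoc = `Hi team, the customer paid with card 4111 1111 1111 1111 (exp 09/27).
Their SSN is 123-45-6789; contact address is jane.doe@example.com.
Order reference 1234567812345678 and ticket 000-12-3456 are not sensitive.`

func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// luhnValid implements the Luhn checksum that every payment card number satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// validSSN applies the structural rules for issued SSNs: area 000, 666 or
// 900-999, group 00 and serial 0000 never occur.
func validSSN(s string) bool {
	area, group, serial := s[:3], s[4:6], s[7:]
	return area != "000" && area != "666" && area < "900" && group != "00" && serial != "0000"
}

// Scan returns every confirmed finding in doc, masked for safe logging.
func Scan(doc string) []Finding {
	var out []Finding
	for _, m := range panRe.FindAllString(doc, -1) {
		if d := digitsOnly(m); luhnValid(d) {
			out = append(out, Finding{"PAN", strings.Repeat("*", len(d)-4) + d[len(d)-4:]})
		}
	}
	for _, m := range ssnRe.FindAllString(doc, -1) {
		if validSSN(m) {
			out = append(out, Finding{"SSN", "***-**-" + m[7:]})
		}
	}
	for _, m := range emailRe.FindAllString(doc, -1) {
		out = append(out, Finding{"EMAIL", m[:1] + "***" + m[strings.Index(m, "@"):]})
	}
	return out
}

// Classify is the label a DLP policy would attach: anything with a confirmed
// finding is handled as Confidential regardless of file name or location.
func Classify(doc string) string {
	if len(Scan(doc)) > 0 {
		return "Confidential"
	}
	return "Internal"
}

func main() {
	fmt.Println(Classify(SampleDoc))
	for _, f := range Scan(SampleDoc) {
		fmt.Printf("%-5s %s\n", f.Kind, f.Value)
	}
}
```

Two checks do most of the work: the Luhn checksum rejects the 16-digit order number that a regex alone would flag as a card, and the SSN structural rules reject 000-12-3456. A production scanner adds document fingerprinting, keyword context (a card number next to an expiry date scores higher than one in isolation) and a trained classifier for unstructured text, but the confirm-before-flag pattern is the same, and masking before logging matters because DLP alerts are themselves a place where sensitive data leaks.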
SASE (pronounced “sassy”) is an architecture or framework that combines networking and security technologies like firewall-as-a-service, software-defined wide area networking (SD-WAN), secure web gateways (SWGs), cloud access security brokers (CASBs), and zero trust network access (ZTNA).
How SASE works with encryption:
- It encrypts traffic to and from the service. Traffic between users, sites and the provider’s points of presence travels over encrypted tunnels (typically TLS or IPsec), so data in transit is protected whichever network it crosses. Note that the SASE service decrypts and inspects that traffic in order to apply DLP and other policies, so the provider itself becomes a party that must be trusted and contractually bound.
- It supports zero trust. SASE frameworks grant no implicit trust based on network location: every request, whether it originates inside or outside the corporate network, is authenticated and authorized before access is granted.
Why Is SASE Needed?
Trends such as cloud and SaaS adoption and remote work have exposed the drawbacks of traditional network security, including the time and costs required to backhaul traffic to corporate networks equipped with required security services. It also became obvious that on-premises, hardware-based appliances were no longer effective for securing network access by remote users and widely distributed devices on the edge of the network, such as medical wearables and Internet of Things sensors.
SASE offered a solution combining network and security functions that is cloud native and therefore adapted to the way people work today. It also provides a single platform with a unified console that is easier and less complicated to administer and operate than multiple point products.
Following are key reasons why enterprises can benefit from SASE:
- Secure remote access. SASE provides granular access controls and identity-based authentication that only permit authorized users – regardless of location – to access sensitive data.
- Support for zero trust. SASE integrates ZTNA technology, which grants users access to the specific applications they are authorized for rather than to an entire network segment.
- Data loss prevention. SASE incorporates DLP capabilities into the framework so that sensitive information cannot be lost or misused, whether by unauthorized users or by authorized users acting carelessly.
- Comprehensive network visibility. In contrast to legacy systems, which have difficulty providing complete visibility into cloud services, SASE provides full visibility and control across the WAN, Internet, and cloud environments.
- Better user experience. SASE optimizes network performance and provides reliable access for all users, regardless of location, helping to boost productivity and satisfaction.
- VPN alternative. SASE can replace traditional server-based VPNs with a cloud-based solution offering advanced security features, greater functionality, reduced complexity, and higher performance.
Steps to Improve Enterprise Data Security
In addition to implementing advanced solutions like SASE, organizations should consider these best practices for strengthening the security and privacy of their sensitive data.
Perhaps the most important step is obtaining the support of senior leaders, including the board of directors. Placing enterprise data security in the context of business risk, including regulatory compliance, revenues, growth, customer trust, and reputation can help executives understand the need for commitment and investment.
However, leadership is not the only group that needs to support enterprise data security. Employees play a vital role in safeguarding sensitive data, and they can benefit from regular training and communication. Everyone needs to understand – and buy into – the need to consistently follow security mandates like using strong passwords and multi-factor authentication and avoiding shadow IT and other risks. Another way to involve employees is by forming a security committee where they can discuss issues, recommend changes, and report back to their departments or units.
Audits of data protection tools, processes, and outcomes are a good way to verify their effectiveness, and also to generate data that can inform senior leaders and employees alike. Audits can also strengthen the business case for security technologies or policy changes.
Finally, adopting proven industry standards, such as the principles of least privilege and zero trust and established guidelines on password management, can help create a culture of security throughout the organization.