Putting data first: Managing regulations, protection and business agility
Article by Forcepoint sales engineering director Brandon Tan.
Regulations in Asia Pacific
Operating across jurisdictions has always been a challenge and in an increasingly borderless world, this has become even more complex. While already at the forefront of digital innovation, countries across APAC have experienced rapid digital transformation and an accelerated movement to the cloud over the last eighteen months. For the many business in Australia and New Zealand that interact with customers, partners and suppliers across the region, these changes can’t be ignored or taken lightly.
Digital transformation offers huge opportunities: innovative new technologies, efficiencies and costs saving, and a wide range of ways to collect, understand and analyse customer data. However, data protection regulations across the region are complex, and enterprises need to understand and plan for appropriate compliance.
Across the APAC region, there are a wide range of data protection and privacy regulations. Many of these share many common concepts and core details, but there are also significant differences that organisations operating across countries must consider.
For example, The Singaporean Personal Data Protection Act (PDPA) has been a topic of much discussion in the APAC region since 2012, when it was first introduced. However, the new amendments which were passed in late 2020 brought the regulation up to date with changes in the way organisations are handling data today - thanks to digital transformation and rise of the data economy. The new regulation puts the privacy of individuals front and centre, while mandating that businesses need to be accountable for the data they collect. In addition to local changes, this has implications for Australian and New Zealand entities that intend to do business with Singapore.
Companies continue to navigate a complex landscape of data protection regulations and standards, posing numerous operational and technological challenges – further complicated by international trading. In fact, a recent study by Ecosystem revealed that 77% of organisations globally found that data integration is a key hurdle due to the diversity of data types, sources and environments.
This is also echoed in the conversations I’ve had with some of Forcepoint’s leading data protection partners, with voices on the ground being relatively consistent: enterprises are struggling with legacy data management and data integration. The pandemic, which caused businesses to race to adopt cloud and digital solutions, exacerbated the challenges of data ownership, management and governance.
Unfortunately, in the scramble to modernise and digitise, many organisations treated data with pre-cloud thinking, seeing data management as an IT rather than a business problem. Many of these businesses, especially the small and medium-sized ones, may not have the right resources and infrastructure to develop operating processes that mitigate data security controls.
Businesses need to be aware of both the new data protection regulations and the differences between them, in order to avoid potentially costly consequences if regulations are breached. However, if cybersecurity systems are built around a deep understanding of data, these consequences can be minimised.
Why data is king
Data is a huge competitive advantage and source of growth for businesses around the world. According to The McKinsey Global Institute, data-driven organisations are 23 times more likely to acquire customers, six times as likely to retain them, and 19 times as likely to be profitable as a result.
But how to manage, harness and protect this data to the best effect? The challenges we as cybersecurity professionals face are multiple:
- How can we protect data as it flows across a hyper-distributed organisation, with multi-generational infrastructure?
- How can we comply with international data protection regulations?
- Do we truly understand what data we have, what we need to protect, who wants to access it, how are they behaving, and where the data is moving?
This is why Forcepoint has built a Data-first SASE (Secure Access Service Edge) approach. It is based on a converged data protection platform, bringing together data protection and secure access to provide a user and data-aware risk/trust model. Enterprises can put their trust in this approach: we are after all the fastest-growing provider of data protection and security with the largest install base, including two-thirds of the Fortune 500 and nine out of the top ten telecommunication companies worldwide.
Enterprises looking for strong data protection partners must explore whether their cybersecurity partner can support their particular IT infrastructures: can suppliers provide secure access across multi-generational IT? Do they have single endpoints offering a unified agent across all solutions: simplifying implementation and enabling automated enforcement? Can they apply uniform policies mean we have a single set of policies spanning multi-generational IT: on-prem, hybrid and cloud?
Many of our customers and prospects report a barrage of communications from vendors around SASE – Secure Access Service Edge. We at Forcepoint do believe this is the right approach – but enterprises need to ask some hard questions of vendors to ensure that their offerings are more than just marketing.
Gartner coined the Secure Access Service Edge term in 2019 for an approach that uses cloud-based services to protect people consistently no matter where they are. Just a few years later, almost every security vendor has jumped into the market. However, while SASE is newly defined, organisations have been moving toward the model for a long time—which became a sprint as a result of the pandemic.
A SASE architecture moves security from the data centre to the cloud, reinventing technologies that used to be separate and isolated into converged Security-as-a-Service. It enables people anywhere—the new hybrid workforce—to get to and use data safely, everywhere. By centralising the administration of security, it reduces the effort and complexity of connecting people to the internet with technologies such as Software-Defined Wide Area Networking (SD-WAN) and keeping them safe as they use business data.
SASE isn’t a single product; it’s an architecture or philosophy, according to Gartner analyst Nat Smith. Many vendors now offer bundled solutions that can fast-track a company’s ability to use SASE to support remote workers.
Adoption of SASE services usually happens incrementally — addressing immediate business needs first, then expanding to solve other problems over time. At Forcepoint, our customers are seeing distinct and early advantages in incorporating cloud-delivered security capabilities such as Secure Web Gateway (SWG), Cloud Access Service Broker (CASB), and others that act as their on-ramp to SASE.
Combining market-leading data protection and regulatory compliance
There has been so much change in the last few months, it’s hard for cybersecurity professionals to ensure they balance data protection (and regulatory compliance) with keeping the business flowing. According to a report from the Australian Institute of Family Studies, 42% of employed Australians were sometimes or always working from home prior to COVID-19, compared to 67% in June this year.
Now, with truly hybrid and remote working teams, data must stay safe: and people must stay productive.
Data Loss Prevention (DLP) technologies have formed a large part of organisations’ data protection strategies, as they are able to protect data in use, data in motion on their network, and data at rest in their data storage area or endpoint devices. However, traditional DLP does still leave significant gaps in protection. Traditional DLP is focused on policy violations, where everything must be pre-defined as either allowed or denied. While this is valuable, it creates a gap when we don’t truly understand which data is valuable, can’t predict how it may be misused, and simply don’t craft policies to protect it.
Traditional DLP can also be clunky with its black/white, allow/deny policies. It can get in the way of business, with protections not being rolled out as they can be intrusive or work against user productivity. Over time, policy creep can lead to complex policies that are difficult to manage, incidents that are difficult to investigate and lots of manual rework.
Organisations need to find solutions that offer a convergence of secure access and data protection, provide a continuous, context-aware, risk adaptive response and reduce friction and risk at every moment and point of data access.
It is possible to achieve this! Forcepoint’s Data-first SASE is based on a converged data protection platform, bringing together data protection and secure access to provide a user and data aware risk/trust model.
Protect the data: enable the business
Cybersecurity, particularly during the pandemic, is a true business enabler delivering customers anywhere, anytime security availability without compromising performance or productivity. In fact, the most recent joint Forcepoint/WSJ Intelligence survey revealed that leaders view cybersecurity as the key to business advantage, with 48% of the respondents reporting cybersecurity’s bigger role in enabling innovation and 41% agreeing that it delivers a competitive edge.
Today’s reality is that people are working from everywhere, and progressive organisations must address the protection of precious information assets in perimeter-less networking environments. By putting data at the centre of cybersecurity infrastructures, enterprises can achieve consistent enforcement anywhere their people work.