This blog is part of a series for Cybersecurity Awareness Month 2022. You can find the other blog...
Look Who’s Talking…a data privacy issue
Just the other day, in the murky world of data privacy, a computer and a smartphone decided to have a conversation.
Computer: "You know, I've been feeling a bit exposed lately. I mean, all these cookies and trackers everywhere!"
Smartphone: "Oh, tell me about it! I've got apps constantly asking for my location. It's like they want to throw me a surprise party, but they're terrible at keeping secrets!"
Computer: "Exactly! And don't get me started on those targeted ads. I feel like my search history is judging me."
Smartphone: "Well, at least you don't have people swiping through your photos without permission. It's a privacy invasion, I tell you!"
In this light-hearted conversation, a computer and smartphone commiserate over the struggles of maintaining a semblance of privacy in the interconnected world. While a fictitious conversation, it's also likely similar to conversations you have had or perhaps at least a topic you've given some thought to – concerns about the risks to your personal data. Data privacy is crucial to the protection and management of personal information. In an era where data is prolific, maintaining privacy is challenging yet essential.
For those managing data in their organizations, protecting personal data (i.e., personally Identifiable Information (PII) and Protected Health Information (PHI)) and other sensitive data (i.e., Controlled Unclassified Information (CUI)) is likely a frequent if not daily, conversation. With the amount of data growing exponentially and an increasing demand to use and share it, staying ahead is an ongoing challenge. Additionally, there's a growing focus on topics like artificial intelligence (AI), biometric data protection, and ensuring privacy in a globally connected world – and rightfully so. These advanced topics reflect the evolving landscape of data privacy, where technologies and strategies continually adapt to the increasing complexity of protecting sensitive information in various contexts.
The risk is real and evolving. Last month, an AI-generated voice cloning attack leveraged President Joe Biden's voice to impersonate and misrepresent him in a New Hampshire election primary robocall to Democratic voters. Scammers are using these same tactics to impersonate family members of their victims. Given the advanced nature of these AI-assisted tactics, how can we identify and protect sensitive data in image, audio, and video sources, including biometric data?
NIST provides guidelines for protecting Personally Identifiable Information (PII) and Protected Health Information (PHI) through its Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)." NIST's guidelines provide a comprehensive framework for organizations to enhance the protection of PII and PHI, taking into account various aspects of information security and privacy. Organizations should tailor these recommendations to their specific context and regulatory requirements.
CISA provides general guidance on protecting PII and PHI as part of its broader cybersecurity effort. It's important to note that specific recommendations may vary based on the organization's nature and its regulatory environment. Organizations handling PII and PHI should also consider relevant privacy regulations, such as HIPAA for healthcare information, and tailor their security measures accordingly.
While these recommendations are generally very good, your organization's adoption may not sufficiently protect against these new and evolving AI-assisted attacks. This is something to further discuss within your organization and potentially revisit your data privacy and protection strategies. One area that's still a common challenge is the holistic and automatic discovery and categorization of sensitive data, which is essential to applying the right data protection policy. In our experience at MFGS Inc., you must fight fire with fire and leverage AI to solve this problem.
IDOL (Intelligent Data Operations Layer), one of our AI offerings, specifically provides an Eduction engine to solve this challenge at enterprise scale. It's a flexible, embeddable software component that finds and extracts sensitive and high-value entities from structured, semi-structured, and unstructured data using high-performance natural language processing. Eduction grammars define which entities are of interest for automated identification, and you can create your own or use the entity grammars included with IDOL. Existing grammars include PII (entities covering 59 countries and 38 languages), PHI (entities covering 18 entity types), PCI (entities covering 43 countries), Government Classification (including DOD markings, Controlled Unclassified Information, and export control), among others. IDOL Eduction is also designed to work well with third-party components through readily consumable APIs and architectural options.
If enterprise scale discovery and categorization aren't a concern, another common challenge is automatically applying the right data protection policy to the right data. Advances in data-centric security best practices by applying encryption or redaction technology can protect sensitive data no matter where it resides, what the format is, how it is transported, and even how it is used. An essential part of a layered-defense security strategy, data-centric security includes encryption, tokenization, data masking, and large-scale key management techniques to help effectively protect data from the moment it is ingested, through analysis, to backend data storage. MFGS Inc. offers Voltage to overcome this challenge, protect sensitive data wherever it flows, and enable true data privacy without limiting data sharing. The key is Voltage renders any stolen sensitive data useless.
In conclusion, data privacy is crucial to protecting and managing sensitive information. In an era where data is prolific, maintaining privacy is challenging yet essential. It is not just a regulatory requirement but a fundamental right underpinning trust in our interconnected world. With continuous advancements, addressing the challenges and embracing responsible practices are imperative for a resilient and privacy-centric digital future.