Protecting data in use is essential


This article is part of our Opinions section.


Data has been called many things: the new oil, the new gold, the lifeblood of modern organisations – all labels that recognise the critical role it plays in guiding strategy, driving decision-making, and supporting numerous use cases across global organisations. Assets this essential need to be protected, a fact that is widely recognised given the numerous ongoing efforts to mandate and incentivise this protection.

Many of these new laws and regulations are designed to emphasise the security of the data itself as well as the ownership and privacy of its source. The General Data Protection Regulation (GDPR) and the recently passed EU AI Act are two notable examples of regulatory guidelines that are frequently heralded for their focus on driving foundational actions (‘Privacy by Design’).

But, despite this broad-reaching, globally dispersed activity, many organisations still have data-centric vulnerabilities either lurking in plain sight or greatly limiting value creation, including a failure to protect the usage of data.

Defining data in use

To understand this often overlooked point of exposure, we first need to get back to basics. At a foundational level, data within an organisation exists in one of three states: at rest (stored on the file system or in a database), in transit (moving across the network), or in use (actively being used or processed). Protecting data at rest and in transit is a recognised and well-understood challenge – covering both is standard practice for the enterprise. There are many proven, readily available technology solutions on the market and most security teams have a rich depth of experience implementing them at scale in production environments.

The final data segment, data in use, is less appreciated. For data to provide value, we need to be able to leverage it. Putting data to use means users are doing something with it – often this looks like running a search, an analytic, or a machine learning model over a relevant dataset to extract some form of value: a response, an insight, a match, a more effectively trained model, etc. In order to do this, the data must be usable, which in traditional systems means that the measures securing the assets at rest or in transit, such as encryption, need to be paused or removed. This necessary action exposes the data, leaving it vulnerable.

Understanding the risk

While this type of ‘in use’ exposure may be brief, in the case of sensitive or regulated data, it is enough to be problematic. To understand why, it may be helpful to reflect on the concept of Zero Trust. The approach, which is increasingly being adopted by organisations in both the public and private sectors, operates on the core assumption that networks have been compromised. If this is the case, any exposure of sensitive or regulated data – even within trusted systems – is an issue because it opens the door for potential compromise or misuse.

Beyond use in an organisation’s trusted systems, data-in-use vulnerabilities also come into play when users need to leverage data sources they don’t own or control. Performing searches or analytics on data in any third-party, cross-jurisdictional, or external environment can be very revealing. Such engagement not only exposes the attribution of the search (who is performing it) but also the content of the search (what the user is searching for). If this search content includes sensitive indicators or regulated data, the result can be extremely damaging.

Currently, there are two main options to avoid this in-use exposure when utilising external or cross-boundary assets. One is to simply not do it: avoid performing searches or analytics with sensitive data over these datasets entirely, killing the business value and utility of the data source. The second is a data replication approach: replicate or move datasets to trusted systems, a process that is time-consuming, expensive, risk-inducing, and often not feasible.

Technology-enabled solutions

Thankfully, technology has delivered a solution to protecting data in use. The increasingly recognised category known as Privacy Enhancing Technologies (PETs) is uniquely positioned to address these data processing pain points. PETs protect the usage of data by enhancing, enabling, and preserving the privacy and security of data throughout its lifecycle, allowing organisations to extract value from internal and external data sources without compromising the integrity of their efforts.

In practice, this means banks can leverage PII and other sensitive information to conduct fraud investigations across jurisdictional boundaries. Pharmaceutical companies can securely utilise public datasets without compromising competitive advantage. Public sector users can perform analysis over open-source data sources without revealing their interest in the data. Insurance companies can cross-match global assets to speed the customer onboarding process while respecting regulatory restrictions.

PETs can help organisations close the last gap in data security by ensuring data remains protected during use. There are many technologies within the PETs family – homomorphic encryption, secure multiparty computation, and trusted execution environments are several of the most recognisable. While there is no ‘one size fits all’ PETs solution, the depth of options is making them increasingly applicable to a broad range of challenges. 
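To make the search-content exposure described earlier and the homomorphic encryption option concrete, the following added example (not code from the author or from any product named in this article) shows a lookup against an external dataset in which the data owner never sees which record was requested. It assumes textbook Paillier encryption with toy primes; the function names and the record values are hypothetical and constructed for illustration.

```python
import secrets
from math import gcd

# Toy parameters: two known Mersenne primes. Far too small for real use;
# production Paillier needs a modulus of 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # private key: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                            # private key: lam^-1 mod n


def encrypt(m):
    """Paillier encryption with g = n + 1: c = (1 + m*n) * r^n mod n^2."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def decrypt(c):
    """Recover m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) // n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def build_query(index, size):
    """Searcher side: encrypted one-hot selector; every slot looks random."""
    return [encrypt(1 if j == index else 0) for j in range(size)]


def answer_query(query, records):
    """Data-owner side: no key, no decryption. Computes Enc(sum b_j * d_j)."""
    acc = 1
    for c, d in zip(query, records):
        acc = acc * pow(c, d, N2) % N2   # Enc(b)^d = Enc(b * d)
    return acc


def private_lookup(index, records):
    """Full round trip: build query, let the owner answer, decrypt locally."""
    return decrypt(answer_query(build_query(index, len(records)), records))


# Constructed sample data held by the external party.
RECORDS = [4101, 7733, 1290, 5586, 9042]

if __name__ == "__main__":
    print(private_lookup(3, RECORDS))
```

The data owner has to process every record for each query, which is the price of not learning which one was wanted.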

Why we must protect data in use

As data plays an increasingly critical role for global organisations, a focus on protection is paramount. The risks associated with data exposure and misuse are far-reaching and can include regulatory penalties, loss of competitive advantage, consumer distrust and reputational damage.

To avoid such repercussions, organisations must recognise the need to ensure the security of sensitive data at all times, and the technology-enabled solutions that can answer the challenge. PETs are primed and ready to deliver data-in-use protection that allows users to extract value without increasing risk.

Ellison Anne Williams

Dr Ellison Anne Williams is the Founder and CEO of Enveil. Building on experience leading avant-garde efforts in large-scale analytics, data security, and machine learning, Ellison Anne founded the pioneering startup in 2016 to transform how and where data can be securely and privately leveraged to unlock value. She has contributed to TechFinitive under its Opinions section.
