Security Think Tank: Data flow visibility is essential to security

The most valuable data for which an organisation is responsible routinely passes between organisations, across networks and geographies in innumerable business-to-business (B2B), business-to-customer (B2C) and machine-to-machine (M2M) settings.

It is therefore paramount for an organisation to undertake data mapping to be able to secure data that matters. If it does not have a clear picture of where, what, who and how relevant data is processed within and outside the organisation, it is practically impossible to develop a cyber security plan to protect its data. 

Data mapping involves searching inside and outside an organisation to determine what data is processed where and by whom. After the organisation understands where the data is, it will need to put in place measures to ensure that such data is protected adequately.

Typically, the security measures undertaken within an organisation will be of a technical nature, whereas outside the organisation it will be more a matter of ensuring that any business relationship that includes data processing with a third party has a strong legal framework in place.

Data mapping has been recognised as a mandatory activity for organisations by Article 30 of the EU General Data Protection Regulation (GDPR). Article 30 regulates the records of processing activities and requires each organisation that is a data controller or a data processor to maintain a record of its data processing activities.

They are required to record, among other things, categories of data subjects, personal data and recipients to whom personal data has been or will be disclosed internally and externally, as well as categories of recipients in third-party countries or international organisations.

The GDPR regulates how an organisation shall undertake data mapping of personal data belonging to EU citizens, and failure to do so may result in the organisation being liable for fines. However, beyond compliance with statutory requirements, an organisation should also be mapping other sensitive data, including intellectual property, knowhow and financial information.  

Although there are many products on the market that can perform data mapping, there are some other challenges to consider from a technical perspective. An organisation’s data is processed by very many multimedia communication products that enable, for example, one-to-one voice calls, group voice calls, video calls and webex, voicemail, instant messaging, email, document sharing and machine-machine communications.

To be able to implement a data mapping technology, an organisation must ensure it has put in place multimedia communication technologies that are designed to give the enterprise full control. Only then can the communication systems give access to a data mapping technology solution.

Secure Chorus is a not-for-profit membership organisation that has adopted MIKEY-SAKKE as its open cryptography standard of choice to develop with its members an ecosystem of multimedia communication systems that are interoperable, secure and regulatory compliant.

The MIKEY-SAKKE cryptography standard allows the enterprise to entirely control the security of its system by using a key management server. This provides the essential capability required for data mapping all enterprise communications, internal or external, including B2B, B2C and M2M.