Doing business while complying with privacy regulations is a delicate balancing act. Deploy overly complex privacy software and your IT infrastructure may slow to a crawl. Maintain a relaxed approach and you could leave your organization open to legal issues.

Alas, your organization must adhere to numerous privacy regulations. Some regulations are based on the state or country in which you do business. Other regulations target specific vertical markets (see next page, Regulations to Watch).

Keeping track of the regulations you need to worry about is difficult. Developing practical policies and procedures to comply with today's complicated regulatory environment is even more challenging.

Each regulation defines different criteria for who can or cannot access various types of corporate data. Without a progressive Enterprise Privacy Management (EPM) strategy in place, today’s businesses could be asking for trouble.

Protect the Data not the Network

Many organizations attempt to use their network infrastructure to control data access. But that approach has grown increasingly difficult as cross-company networks have become interconnected.

In the past, businesses could clearly define the boundaries in which corporate data resided: all data behind a firewall was inside this boundary and all data outside it was not. But in the age of mobile computing, wireless and global supply chains, this distinction is increasingly difficult to make. As a result, it is becoming progressively more difficult to control access to sensitive data through simply hiding it behind a firewall.

In the case of a payment card processing company, for example, the integration between the card issuer, member banks and merchants has progressed to the point that it is difficult to define exactly where the networks of the payment card company end and the networks of member banks or merchants begin.

Tightly integrated supply chains provide the same problem, as do existing networks of health care providers and insurers. This difficulty has introduced a new paradigm in which we protect data—instead of the network on which the data resides.

Encryption of the data is the easiest way to accomplish this.

“Traditional security technologies are designed to focus the bulk of defense on the network perimeter,” said Brian Snow, the former Technical Director of the NSA’s Information Assurance Directorate, now a consultant who advises businesses on information security strategies.

"The blurring of boundaries that has accompanied the tight integration of systems has made this approach less effective in many cases. Today, and in the near future, protecting the data that resides in the networks seems to be the most robust way to protect sensitive information. Strong cryptography to encrypt the information – along with robust access control to cryptographic keys – will protect information in a more resilient way across more architectures than what we find today.”

Classify by Application

The first step toward using encryption for Enterprise Privacy Management is to classify data into categories that reflect specific levels of protection. It is tempting to classify data according to its level of sensitivity, but this is almost always too complex and expensive to implement.

Using existing technologies, it’s usually more practical to classify data according to the application that generates it. Thus it usually makes sense to apply a common level of protection to all output of an automated statement generation system, for example, no matter what the content of the statements being created. This is far from the ideal case, of course, but it's usually possible to do without the cost and schedule problems that plague more complex solutions.

Future security technologies will support more fine-grained approaches to data classification, but such technologies are not widely available yet. Soon, it will be practical to define, implement and manage policies that automatically identify data that needs to be protected, and to manage the cryptographic keys that are used to control access to this data. Easy management of cryptographic keys is the critical part of this technology that is not yet available, but it will be soon.

Look for such technologies to become available in the next 12 to 18 months and plan your strategy to address Enterprise Privacy Management with this in mind.

Next page: A list of regulations to watch