I've heard of other security professionals using metadata tagging tools to track sensitive data within an organization,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
basically to ensure they always have protections in place for that data. Do you think a similar strategy could be deployed for compliance purposes, so PCI-relevant data could be tagged as such? Are there any tools you could suggest for such measures?
Absolutely. Metadata tagging is one example of data loss prevention (DLP) technology that may be used to identify and inventory sensitive information in an enterprise, and then monitor for intentional or inadvertent leaks of that information. When DLP systems detect an attempt to move data in violation of policy, the system may intervene and block the communication attempt before the leak occurs.
Metadata tagging requires users and/or security administrators to identify the specific files that contain sensitive information and tag them with a classification that may be read by the DLP system. This approach is effective when well-managed, but it is time-consuming and difficult to accurately identify all of the information that must be tagged.
In the case of PCI compliance, a more common way to leverage DLP is through pattern matching. Payment card account numbers follow a standard formatting process, and also include a check digit calculated using the Luhn algorithm. DLP systems may search data crossing a secure perimeter to detect the presence of numbers that match standard credit card patterns and pass the Luhn check. This is a reliable approach to monitoring the flow of credit card information with a fairly low false positive rate.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
To learn more about metadata security, check out this tip in our Data Protection Security School.
Dig Deeper on Enterprise Data Governance
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.