Privacy and data protection in the enterprise world

CSI Transactions on ICT (2022)

Abstract
Enterprise systems are becoming more complex, with an interconnected network of large heterogeneous devices. These systems generate, process and store large volumes of data, including Personally Identifiable Information (PII). Securing such a large infrastructure from adversaries is a humongous task for enterprise organizations. Adversaries can exploit the inherent vulnerabilities in enterprise systems and mount various attacks such as ransomware, malware, phishing, and so on, with goals such as stealing the data or taking control of the system, thus causing huge financial and reputational loss. Further, with stringent privacy regulations such as GDPR, organizations can end up making large penalty payouts to local governments and to the affected people because of data breaches. Thus, to safeguard enterprise systems from data breaches, organizations deploy Data Leakage Prevention (DLP) systems with encryption and authentication mechanisms. While these techniques provide privacy and protection for data at rest and data in transit, data leakage is still possible for data in use: since data needs to be available in plaintext form for several applications, the attacker can steal the data by exploiting a vulnerability in the access control system, in authentication, or elsewhere during the run-time execution of the application. Hence, in this paper, we discuss various challenges encountered by organizations in enabling privacy and data protection for data in use. Next, we discuss how privacy-enabled computation techniques such as Fully Homomorphic Encryption and Secure Multiparty Computation can be used to provide data-in-use protection, along with their pros and cons in real-life deployment scenarios.