Data segregation is the process of separating certain sets of data from other data sets so that different access policies can be applied to each. The ultimate goal is to ensure that only the individuals authorized to view a given data set can access it.

Organizations may need to segregate their data for many reasons: regulatory requirements; systems that are shared between different entities in relationships like joint ventures, mergers, acquisitions and divestitures; or systems that are shared by many people within an organization who do not all have the same authorization to view all of the data. We cover some of the main reasons why organizations need to implement data segregation in a separate post.

Types of Data Segregation

  • Physical Segregation – Separating and storing data on different physical systems or networks. While this may prevent someone from accessing the data if they don’t have physical access to the systems where it is stored, it also requires the expense of setting up different systems for the data sets that need to be segregated. Data storage regulations may require physical segregation, however, especially where data is not allowed to leave a country’s borders or there are restrictions on sending data to certain countries. By implementing physical separation, organizations can comply with export regulations of this nature.
  • Logical Segregation – Separating and storing data in separate logical partitions or storage areas, even if those partitions or storage areas are on the same physical device. This can be much more cost-effective than physical segregation and allows organizations much more flexibility in designing and implementing data access policies. Because all data is physically on the same system, changing data access policies or who can access specific data sets can be done by modifying the logical rules, instead of physically moving data or changing who has physical access to the systems.

Implementing a Data-Centric Approach to Data Segregation

When designing and implementing effective logical data segregation measures, it is important to focus on the specific data that needs to be protected, not the systems or networks where that data is stored or processed. This is what is meant by taking a data-centric approach to security. Controlling access at the data level, using attributes of the data, the environment, and the user requesting access (known as Attribute Based Access Control, or ABAC), is one of the core principles of Zero Trust Architecture (ZTA). It is a more effective approach because a smaller number of attribute-based data access policies can be defined that cover all of the necessary scenarios, instead of writing separate policies for each combination of attributes.
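The point about policy count can be seen in a small evaluator. This is an added example, not code from NextLabs or any product: the entity names, attribute names and values are constructed, and it assumes a deny-by-default model in which every policy must pass. It compares three attribute-based policies with the explicit allow-list that would be needed if each permitted combination of attribute values were written as its own rule.

```python
from dataclasses import dataclass
from itertools import product

# Constructed attribute values: one system shared by two joint-venture partners.
ENTITIES = ["AcmeCo", "PartnerCo"]
LEVELS = [1, 2, 3]                       # user clearance / data sensitivity
COUNTRIES = ["US", "DE", "CN"]           # environment: where a request originates
RESIDENCY = [frozenset({"US"}), frozenset({"US", "DE"})]

@dataclass(frozen=True)
class User:
    entity: str
    clearance: int

@dataclass(frozen=True)
class Record:
    owner_entity: str
    sensitivity: int
    allowed_countries: frozenset

# Three attribute-based policies; access is denied unless all of them pass.
POLICIES = [
    lambda u, r, country: u.entity == r.owner_entity,      # entity segregation
    lambda u, r, country: u.clearance >= r.sensitivity,    # authorization level
    lambda u, r, country: country in r.allowed_countries,  # export / residency
]

def is_allowed(user, record, country):
    return all(policy(user, record, country) for policy in POLICIES)

def enumerated_rules():
    """Explicit allow-list needed if every permitted combination of
    attribute values were written as its own rule."""
    combos = product(ENTITIES, LEVELS, ENTITIES, LEVELS, RESIDENCY, COUNTRIES)
    return {
        (ue, uc, oe, s, res, c)
        for ue, uc, oe, s, res, c in combos
        if is_allowed(User(ue, uc), Record(oe, s, res), c)
    }

if __name__ == "__main__":
    alice = User("AcmeCo", 2)
    design = Record("AcmeCo", 2, frozenset({"US"}))
    print(is_allowed(alice, design, "US"))   # same entity, cleared, in-country
    print(is_allowed(alice, design, "DE"))   # blocked by the residency policy
    print(len(POLICIES), "policies replace", len(enumerated_rules()), "rules")
```

Adding a new country or entity to the constructed value lists grows the enumerated allow-list, while the three policies stay unchanged.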

Visit our product technology pages to find out more about how NextLabs products enable organizations to implement data-centric data segregation.