Updated July 31, 2023

• Physical Segregation – Separating and storing data on different physical systems or networks. While this may prevent someone from accessing the data if they don’t have physical access to the systems where it is stored, it also requires the expense of setting up different systems for the data sets that need to be segregated.  Data storage regulations may require physical segregation, however, especially in the case where data is not allowed to leave a country’s borders or there are restrictions sending data to certain countries.  By implementing physical separation, organizations can comply with export regulations of this nature.
• Logical Segregation – Separating and storing data in separate logical partitions or storage areas, even if those partitions or storage are on the same physical device. This can be much more cost effective than physical segregation and allows organizations much more flexibility in designing and implementing data access policies.  Because all data is physically on the same system, changing data access policies or who can access specific data sets can be done by modifying the logical rules, instead of physically moving data, or changing who has physical access to the systems.

There are several main reasons why data segregation is so important:

• Security: If sensitive data is accessed by unauthorized individuals, it can cause great damage to a company. Leaked intellectual property or proprietary data could mean the loss of competitive advantage or expose an organization to sabotage.  A breach of business partner information, or customer details, could lead to a loss of those business relationships or legal liability.
• Regulatory Compliance: Organizations that handle sensitive data often have multiple regulations that apply to what they can and can’t do with the data. Oftentimes restricted data doesn’t even have to be accessed by an unauthorized individual to trigger a compliance violation, just the possibility of unauthorized access is enough.

Because of the potential impact unauthorized access can have on a business, it is very important that organizations implement robust data segregation measures to limit access to sensitive data.  On shared systems, since data cannot be segregated physically, it must be segregated virtually, using a combination of data access policies and encryption to make it impossible for unauthorized access to the data.

Implementing data segregation at a lower level, such as the data access level, can make that segregation more robust and less likely to be compromised by reducing the systems or applications that have access to the data.  Segregating on the data object level can also be less complex, and the less complexity there is in the system, the less chance there is of something going wrong.

When designing and implementing effective logical data segregation measures it is important to focus on the specific data that needs to be protected, not the systems or networks where that data is stored or processed.  This is what is meant by a taking a data-centric approach to security.  Controlling access at the data level, using attributes of the data, the environment, and the user requesting access (known as Attribute Based Access Control, or ABAC) is one of the core principles of Zero Trust Architecture (ZTA), and is a more effective approach because a smaller number of attribute-based data access policies can be defined that cover all of the necessary scenarios, instead of writing separate policies for each combination of attributes.

Visit our product technology pages to find out more about NextLabs products enable organizations to implement data-centric data segregation.