Data Protection: The Five Controls That Actually Work

Encryption isn’t a feature. It’s a baseline. If you’re treating data protection as a checkbox, you’re already behind.

Here are the five controls that separate professionals from pretenders.

1. Encryption (At Rest, In Transit, In Use)

At rest: Disk encryption, database encryption, bucket encryption. If the data sits somewhere, it should be unreadable without the key.

In transit: TLS 1.3 minimum. Not optional. Not “where possible.” Every connection, every time.
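The "TLS 1.3 minimum, every connection" rule is cheap to enforce and audit in code. The following is an added example (not from the original post) using only the Python standard library's ssl module: make_client_context builds a context that meets the baseline, legacy_context is a constructed "where possible" configuration of the kind the text rejects, and audit_context reports every gap so an existing context can be checked rather than trusted. The function names are the example's own.

```python
import ssl

def make_client_context() -> ssl.SSLContext:
    """Client context meeting the in-transit baseline: TLS 1.3 minimum,
    peer certificate required and bound to the host name."""
    ctx = ssl.create_default_context()  # CA bundle, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse anything older at handshake
    return ctx

def legacy_context() -> ssl.SSLContext:
    """Constructed 'where possible' context for the audit to catch: it still
    speaks TLS 1.2 and does not validate the peer at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the baseline violations for a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; baseline is TLSv1_3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED; peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off; certificate is not bound to the host name")
    return findings

if __name__ == "__main__":
    for name, ctx in (("baseline", make_client_context()), ("legacy", legacy_context())):
        print(name, audit_context(ctx) or "compliant")
```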

In use: Confidential computing is emerging. Start paying attention now.

Rule: Key management is harder than encryption. Who holds the keys? How are they rotated? Where’s the audit log?

2. Access Controls (Identity Is the New Perimeter)

Your network perimeter dissolved when you moved to the cloud. Now identity is your only boundary.

  • Authentication: Prove who you are
  • Authorization: Prove you should access this
  • Audit: Prove we can trace what you did

Zero trust isn’t a product. It’s an architecture principle: never trust, always verify, assume breach.

3. Backup and Recovery (Your Insurance Policy)

Backups that can’t be restored are vanity metrics. Test your recovery. Document it. Automate it.

  • 3-2-1 rule still applies: 3 copies, 2 media types, 1 offsite
  • Immutable backups for ransomware resilience
  • Recovery time objective (RTO) and recovery point objective (RPO) should be defined and measured

4. Multi-Factor Authentication (The $0 Control With Massive ROI)

Passwords alone are broken. MFA isn’t perfect, but it eliminates 99.9% of automated attacks.

Hardware keys > authenticator apps > SMS. In that order. Enable it everywhere. Enforce it for privileged access.

5. Data Classification (You Can’t Protect What You Can’t See)

Not all data is equal. Classify it:

  • Public: No controls needed
  • Internal: Basic access control
  • Confidential: Encryption + strict access + audit logging
  • Restricted: Additional isolation, monitoring, approval workflows

Without classification, you overspend on low-risk data and underspend on high-risk data.

The Summary

Data protection isn’t a list of tools. It’s a mindset:

  1. Encrypt by default
  2. Verify every access
  3. Back up and test recovery
  4. Require MFA
  5. Know what you have and classify it

Short rule: The data you don’t know about is the data that will burn you.