The Next Frontier In Data Security: How To Safeguard Sensitive Data

Aatish M is the founder & CEO of Strac, a leader in Data Discovery, DSPM, & DLP. Previously, he led payment security at Amazon for 11 years.

Data security has become an ever-evolving challenge, influenced by advancements in cloud technologies, the widespread adoption of software-as-a-service (SaaS) applications and the rapid growth of generative AI in the last two years. Traditional methods of securing data—such as perimeter defenses and endpoint antivirus—aren’t sufficient on their own, because threats now exist well beyond traditional network boundaries.

Meanwhile, ever-increasing compliance regulations and customer expectations force organizations to reexamine their entire approach to handling sensitive data. With that in mind, here are key considerations and best practices for today’s technology leaders who want to bolster security in a world in which generative AI, cloud applications and remote workforces have become the norm.

1. Recognize That Data Lives Everywhere

The first step to securing sensitive data in any company is accepting the reality that data no longer stays in a single location or a single data center or even a single cloud. Sensitive data resides within SaaS platforms like Sharepoint, Google Drive, employee laptops, collaborative workspaces like Slack, Jira, Teams, CRMs like Salesforce, HubSpot, customer support like Zendesk, Intercom, on-premise file shares, and it’s often shared between internal teams, vendors and customers. And definitely on cloud platforms like AWS, Azure, GCP. Plus, with the rise of generative AI, more people are inadvertently funneling potentially sensitive data into AI-driven tools without fully understanding the implications.

Takeaway: Conduct a holistic analysis of where data resides, how it’s transferred and who has access. This broad lens is vital to ensuring you haven’t left any blind spots and that your security efforts match the complexity of data’s real-world flow.

2. Discover And Classify Data

Once you recognize data is scattered far and wide, you need a systematic way to discover and classify it. This typically involves machine learning—powered solutions that can continuously scan a range of data sources—SaaS applications, cloud storage, email, endpoints, AI integration points and beyond. However, modern data discovery goes well beyond simple keyword searches. Modern discovery typically leverages machine learning and OCR to detect PII, PCI, PHI and other sensitive information, even in unstructured documents or images (PDF, JPEG, PNG, DOCX, scanned contracts) or in unstructured text (emails, chat messages, transcripts). It can also crawl structured databases to tag sensitive fields. ML-based scanning and context-aware classification reduce false positives, giving security teams a clear picture of data flows.

Takeaway: An ongoing, automated discovery-and-classification capability forms the foundation of any comprehensive data security strategy. It’s only when you know where all your sensitive data lives—whether in text documents, images, spreadsheets, code repositories or databases—that you can properly protect it.

3. Protect And Remediate

After identifying where sensitive data resides, the next step is to protect it and remediate existing risks. For each location, develop a strategy that includes:

• Redaction (Masking): Hide critical information while safeguarding privacy (e.g., masking SSN or credit card details).

• Labeling: Tag files, tables or cloud resources with sensitivity labels to guide handling.

• Blocking/Alerting: Prevent unauthorized access or transfers, and alert security teams to suspicious activity.

• Deletion: Remove data that no longer meets business or compliance requirements.

• Revoke Access: Remove access for users or services no longer needing it, especially after role changes.

• Bulk Remediation: Automate clean-up across applications or repositories, critical for large enterprises.

Takeaway: Discovery alone isn’t enough. Having a clear playbook for how to act on sensitive data findings—whether it’s masking, revoking permissions or deleting unnecessary records—helps you close the loop on data security and substantially reduce overall risk.

4. Embrace Agentless Solutions Where Possible

Increasingly, security solutions are shifting to “agentless” models—meaning they don’t require installing software agents on every endpoint (employee laptop), SaaS platform or AI system. Instead, they integrate seamlessly with existing SaaS, cloud, GenAI apps. This approach is especially helpful in protecting data that lives in SaaS platforms or cloud instances. Plus, it shortens deployment times and can make ongoing management far more efficient. Also, it works for SaaS/cloud apps on mobile and BYOD devices because it is agentless. Agent-based solutions on the contrary works only on employee laptops and are prone to performance and deployment issues.

Takeaway: Agentless solutions can alleviate overhead and maintenance, while still providing deep visibility and protection over data. Look for providers that can offer a robust, agentless architecture to make your security efforts less complex yet more comprehensive.

5. Don’t Overlook Generative AI Risks

Generative AI can boost efficiency but introduces risks of data leakage. Whether employees use ChatGPT, Google Gemini, MS Copilot or back-end APIs like OpenAI, AWS Bedrock, Azure or GCP, sensitive data can inadvertently enter third-party training datasets or logs.

Specific Risks:

• Employee-Facing Tools (e.g., ChatGPT, Google Gemini, MS Copilot): Employees may unintentionally share confidential data in prompts, and AI outputs might reproduce sensitive information.

• Back-End APIs (e.g., OpenAI, AWS Bedrock, Azure, GCP): Avoid sending sensitive data without reviewing contracts. Use redaction, masking or pseudonymization where necessary.

Takeaway: Generative AI offers great potential but poses privacy and security challenges. Organizations must enforce usage guidelines, implement access controls, apply real-time data redaction, ensure vendor oversight and provide employee training to leverage AI safely.

Final Thoughts

Data security in a world increasingly defined by SaaS, cloud workloads and generative AI demands more than one-size-fits-all solutions. It requires a systematic, layered approach that covers discovery and classification, endpoint and cloud defense, zero trust and a security-by-design philosophy. By understanding where your data lives, who can access it and how that data travels, you can build a robust defense that stands strong today—and well into the future.

Above all, remember that this isn’t a one-and-done exercise. Effective data security thrives on continuous improvement and ongoing vigilance. The payoff is well worth it: greater trust, reduced risk and a competitive edge in a marketplace that values privacy and compliance more than ever before.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?