“Data is a precious thing and will last longer than the systems themselves.” – Tim Berners-Lee
This famous quote by Tim Berners-Lee explains the longevity of data and its importance. While enterprises rely heavily on data to generate useful information and insight, they often overlook the need to secure that data at its core so that it is protected from potential misuse.
In layman's terms, Data Security is a streamlined approach to keeping your data away from unauthorized or fraudulent access. It is critical for organizations and individuals to eliminate the risk of data falling into the wrong hands, which may lead to negative consequences or cause financial and irreparable damage.
Why do we need to secure our data?
Novices in the industry might think of this as a concern to be addressed in the higher layers of an application, but data security should in fact begin at the source where the data originates. Data-driven security should not be a one-off event that arises out of a crisis or escalation; it should reside at the heart of every organization's daily routine.
“It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.” — Clay Shirky
With the advent of omni channel platforms, sensitive data has become accessible through different channels and is prone to multiple levels of vulnerabilities. This advancement further calls for a need to prioritize Data Security which if overlooked might incur heavy monetary losses.
Professionals spend plenty of time cleansing data and improving its quality. All this effort might be wasted if security practices are inefficient or absent. Losing sensitive information may spark an organizational crisis, leading to penalties or to the loss of the customer's faith, and handing the advantage to competitors.
Another factor that gets overlooked as an impact of security breach is the loss of productivity. Poor data protection strategy may leave people waiting for long periods of time for systems to be restored after a failure, hence diminishing productivity. Loss of important data lowers overall productivity, as employees and eventually end users must now follow a painful process and serve any sort of information manually.
As per the World Quality Report 2016-17, which is acknowledged as the only global report for application quality, the three most important factors according to survey respondents are security, customer experience and quality, with security having the highest priority.
Key Reasons behind Data Breaches
Data may be compromised for many reasons, but the following are the key ones that contribute the most.
“It ain’t what you don’t know that gets you into trouble.
It’s what you know for sure that just ain’t so.” — Mark Twain
Most data breaches happen due to misconceptions. Quite a few data owners believe that hackers are accountable for security breaches, while inappropriate access granted to insiders contributes to the majority of data hacks. A few assume that encryption will keep data secure, which it would, but only in conjunction with access control, data integrity and effective audit procedures.
Another practical reason, which most of us will have come across, is fragmented system processes. Despite our claims of data security awareness, the scope of data protection projects is all too often either regulation-specific or department-specific, leaving certain data at risk. Working on a specific module, you might feel that your module would pass muster with respect to protection. However, you may not pay heed to the overall security when it is integrated with other modules to build an enterprise-level application. This fragmentation often breeds disasters.
On further reflection, we realize that the complexity of data and a lack of knowledge of where the sensitivity lies are often a barrier to effective data security, with data distributed across mobile, cloud and big-data environments. With the Internet continually growing, the threat to data traveling over the network has increased exponentially. If we do not know how the data is stored and maintained across various platforms, we may be exposing sensitive data. There are multiple techniques available to implement security, such as encryption, strong access control, a tiered security model, firewalls, etc.
With security becoming a key concern, the new and growing area of acting as a Data Security Provider has gained popularity and helps many enterprises design effective security mechanisms. However, one of the key requirements for striking the perfect security model is profound knowledge of the system. If you are vigilant about the nature of the sensitive data that you have, where it is stored, how it is structured, and the risks and financial impacts associated with it, you are equipped with the understanding required to manage your data security. There are also tools that aid in understanding highly sensitive data.
How can we secure our Data?
There is a lot of news about hacking aired on television, in print media and on the web. It is crucial to be vigilant about a few basic data security practices to avoid data breaches at work. We may or may not be directly associated with the security team of our organization, but having a little of this knowledge will certainly help in securing day-to-day data at work, and hence in avoiding the bitterness of data leaks and thefts.
At the core of any Security Model lies the C-I-A triad: Confidentiality, Integrity, Availability. Compromising on any of these principles might lead to disastrous consequences.
Confidentiality hides information from unauthorized people. It is vital in any security model and hence the most commonly targeted aspect. Many man-in-the-middle attacks (MITMA) succeed if the data has not been masked appropriately. Cryptography and encryption are examples of techniques that ensure the confidentiality of data transferred from one system to another.
Integrity ensures the trustworthiness, completeness and correctness of the data at every stage of the data lifecycle, be it during ingestion, transformation or storage. Ensuring the accuracy and the originality of the information is another aspect required to keep the data secure. The key to maintaining data integrity is preventing unauthorized modification using mechanisms like least privilege, separation and rotation of job duties, etc., and detecting any unauthorized modification to data in case the preventive mechanisms fail.
Availability: Last but not least, this is one of the most important pillars of data security. Confidentiality and Integrity become meaningless if authorized users aren't able to view the data. It is, hence, important to ensure that the information concerned is readily accessible to the authorized viewer at all times.
The key to effective adherence to the C-I-A ideology of data security is Data Classification.
Treating all data equally creates inefficiency in terms of security and performance. Data Classification is a thorough process of organizing data into meaningful categories that helps in using it effectively and efficiently. Considering all the data to be the same and applying a low level of security can expose sensitive data, while applying a high level of security will restrict access to operational data. A planned data classification scheme helps in making the essential data easy to locate and retrieve. It even helps in better risk assessment, discovery and security compliance. Having a well-planned and simple data classification scheme that all concerned individuals can understand is crucial.
Classification of data can be based on various aspects like its usefulness, timeliness, value or cost, age, lifetime, security implications, disclosure risk, modification risk, association with roles etc.
Confidential data comprises highly sensitive corporate and customer data which, if disclosed, may lead to serious monetary penalties and legal risks. For example, company strategies, contracts etc.
Private data requires the same level of security as Confidential data. This data is relevant to individuals and customers. A loss of private data can again lead to serious legal issues and eventually shakes a customer's faith in the organization. For example, compromising an individual's Aadhaar or Social Security Number, bank account details etc.
Sensitive data requires a lower level of security than the above two, but if disclosed can negatively impact operations. For example, contracts with third-party suppliers, employee reviews.
Public data is the lowest level of classification and is not as sensitive as the above-mentioned ones. This data may be freely exposed to the public and does not have any downside associated with its disclosure. For example, a company's product price list, or an individual's likes and dislikes on social sites like Facebook, Twitter etc.
Security Controls and Protection Mechanisms
Once the data has been classified, then comes the need to implement the Security Controls to keep the C-I-A triad effective in the system. Security controls are basically the countermeasures to safeguard the data and minimize any potential security threats that may arise. The 5 foundational elements that need to be present in the system are:
Identification – Claiming an identity when attempting to access a secured area or system
Authentication – requires the user to prove that he/she is a legitimate identity to access that secured system
Authorization – controls the access of an identity to the resources that he/she is entitled to access
Auditing – recording a log of the events and activities happening in the system
Accounting – reviewing log files to check for compliance and violations in order to hold personnel accountable for their actions
Another aspect for having a C-I-A compliant system is to have protection mechanisms which offer layered protection to the data using multiple layers, abstraction, data hiding and encryption.
Layering: Also termed defence in depth, this is simply the use of multiple controls in a series. With a multi-layered solution in place, different controls guard the system against the various threats that come at different levels. With this layered approach, most threats are eliminated by the time we reach the core data. An analogy is the series of checks we pass through at an airport: the main entrance identity check, the security check, the boarding pass check etc.
Abstraction: Abstraction is used for efficiency. Similar elements are put together in groups, classes or roles which are assigned security controls, restrictions or permissions as a collection. Role Based Access Control (RBAC) is an example that uses this concept. Creating views on base data is also an example of abstraction.
Data Hiding: Data hiding entails keeping data undiscoverable by unauthorized personnel. There are certain data elements that are not exposed to certain roles/ranks.
Encryption: Encryption is a technique of masking the original data so that it can’t be interpreted right away. Certain encryption algorithms are applied to the data to convert it to cipher text that can only be read if decrypted with the correct decryption mechanism. Encryption is important in security control especially when data is flowing between systems.
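The five foundational elements and the RBAC abstraction described above can be seen working together in a short sketch. This is an added example, not code from the original article; the resource names, roles, users and tokens are constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum

# The four classification levels used in the article.
Level = Enum("Level", "PUBLIC SENSITIVE PRIVATE CONFIDENTIAL")

# Constructed sample data: resources, roles, users and tokens are hypothetical.
CATALOGUE = {
    "price_list": Level.PUBLIC,
    "supplier_contract": Level.SENSITIVE,
    "customer_bank_details": Level.PRIVATE,
    "company_strategy": Level.CONFIDENTIAL,
}
# Abstraction (RBAC): permissions attach to roles, never to individual users.
ROLE_CAN_READ = {
    "staff": {Level.PUBLIC, Level.SENSITIVE},
    "account_manager": {Level.PUBLIC, Level.SENSITIVE, Level.PRIVATE},
    "executive": {Level.PUBLIC, Level.SENSITIVE, Level.CONFIDENTIAL},
}

def token_digest(token):
    # Adequate only for high-entropy tokens; passwords need a slow, salted KDF.
    return hashlib.sha256(token.encode()).hexdigest()

USERS = {"asha": ("staff", token_digest("asha-demo-token")),
         "ravi": ("executive", token_digest("ravi-demo-token"))}
AUDIT_LOG = []  # auditing: every decision is recorded, granted or not

def read(user, token, resource):
    """Return True if access is granted; always append an audit record."""
    role, stored = USERS.get(user, (None, ""))                      # identification
    if role is None or not hmac.compare_digest(stored, token_digest(token)):
        decision = "deny:authentication"                            # authentication
    elif resource not in CATALOGUE:
        decision = "deny:unclassified"   # unknown sensitivity: fail closed
    elif CATALOGUE[resource] not in ROLE_CAN_READ.get(role, set()):
        decision = "deny:authorization"                             # authorization
    else:
        decision = "allow"
    AUDIT_LOG.append({"user": user, "resource": resource, "decision": decision})
    return decision == "allow"

def violations(log):
    """Accounting: count denied attempts per claimed identity."""
    counts = {}
    for entry in log:
        if entry["decision"] != "allow":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts
```

A resource that has not been classified is denied rather than treated as public, so gaps in the classification scheme show up in the audit log instead of becoming silent exposure.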
Because the various categories of data need to be placed in appropriate hands, there are critical roles that shoulder the responsibility of managing the various levels of data, from the time it originates, gets classified and is stamped with a security model to the point where it is rendered to the appropriate audience. It may be relevant to have an idea of what these roles are.
Each of us may, in some way or other, be practicing (or should be practicing) these roles and responsibilities so that our business and day-to-day assets are appropriately handled and managed:
Data Owner: A person who owns rightful authority for a specific piece of information and the responsibility for establishing the controls for its generation, collection, processing, access, transmission and destruction. While the ownership of the data lies with him, he will usually have a team to implement data security as specified in the security model or policy.
Data Custodian is usually the user who works hands-on with the task of implementing the prescribed protection defined by the security policy and the senior management. He owns the responsibility of all tasks that are required to be C-I-A compliant. His activities may include creating and testing backups, validating data integrity, deploying security solutions and managing data storage based.
User: A user is any individual who can access the system. The access granted is always limited to the kind of activity the user needs to perform with the data and corresponds to their role in the organization.
Auditor: An Auditor has the responsibility to audit the system regularly to make sure that the security policy is intact at all times and is not compromised. It is a periodic and iterative activity to monitor the system and catch any loopholes.
As end users, we need to be vigilant so that we do not expose or misuse the data we have access to, intentionally or unintentionally. Every individual should own the responsibility of keeping information safe and secure. The simple way of doing this is to keep our computer screens locked and all documents locked in a secured storage unit while we are away, no matter how long we are leaving our desk, be it 2 minutes, 5 minutes or even hours. We should also realize the importance of signing out of our accounts once done for the day or after use. It takes just half a minute to log in to our accounts again, rather than keeping ourselves logged in and making information vulnerable. If you are a user of highly sensitive information, it may make sense to practice this daily, as a data breach can't be controlled by products alone.
“We can evade reality but we cannot evade the consequences of evading reality.” – Ayn Rand
We should move beyond dealing with momentary crises and focus on securing data holistically. Ensuring the security of data is a continuous, round-the-clock process. While it might be difficult to free up time and budget to institute a comprehensive data security plan, a unified approach with individual contribution from all users will be far more effective at increasing security than the fragmented practices present in many organizations.
CISSP (Certified Information Systems Security Professional) Study Guide
Authors: James Michael Stewart, Mike Chapple, Darril Gibson