There are many risks to data: from the IT admins worst nightmare, ransomware, to a company’s worst nightmare, a malicious admin. Data security is a huge challenge and becomes increasingly more important to understand as data grows rapidly, sprawls to different platforms and becomes more valuable. This topic is a straightforward concept, protect the data, but the many ways to go about achieving this goal make this a complex and fascinating subject.
This article will help you with your first steps in understanding what data security is, how this relates to security and compliance, and the risks and challenges you might face on this ever-expanding topic.
What is data security?
As mentioned previously, data security is an easy concept to understand: protect data. This means protecting this data from malicious outside forces and ensuring proper segregation of data for the user’s company role. Someone in sales does not need access to the HR financial and disciplinary records. Also, consider that no protection is perfect or impervious to attacks. To stop the damaging interest of unauthorized people, organizations should look at using a layered approach. This is the only way to ensure optimal data security. Locking down a network is just as important as educating your users and encrypting data in all forms.
The different aspects of protecting data can be summed up and easily remembered from a single acronym, CIA. CIA means Confidentiality, Integrity and Availability of data. Each of these points is crucial in protecting data and ensuring productivity remains intact. Confidentiality of data ensures that only those who need access to the data have access to the data and intellectual property is not breached. The integrity guarantees that the data is in an unaltered state. Ensuring the availability of this to the authorized users when it is needed completes the CIA triad.
Why is data security important?
We live in a time where assets are not just physical components you can hold in your hands, but 1s and 0s electronically zipping from physical to virtual places in a blink of an eye. In many cases, these virtual bits of data can be worth far more than any building or company car. The value of employees can be measured in the generation of intellectual property, which can be critical to a company’s bottom line. It’s not just businesses that are starting to understand how valuable this data is, but also malicious attackers who wish to profit from this commodity.
In 1989 the IT world was stunned by the first recorded ransomware attack. It was delivered via a floppy disk that was sent to thousands of hospitals and health care institutions disguised as research for arguably one of the scariest diseases at the time, AIDS. This ransomware’s sophistication did not stop there; it was also what they called a timebomb attack. Meaning, it did not release the ransom right when the disk was inserted but timed to release after the machine had been rebooted 90 times. It was reported out of the 20,000 floppy disks sent out, about 90 companies admitted being infected. Years later, the attack types and delivery methods have grown exponentially, and beyond anything we could have imagined.
The term “resilient ransomware” has become the most significant topic of the 21st century for its indiscriminate and ruthless nature. Ransomware has come a long way in the last 30 years and has evolved into countless variations that have extremely creative ways of holding your data for ransom. These variations stem from what they call ransomware families who take advantage of various exploits. Each of the families uses one or multiple data manipulations, which then holds that data’s integrity and/or privacy at risk.
The most commonly thought of data manipulation is data encryption, but data deletion, data stealing and device locking are also used. Used in combination, these can cause devastating effects to company assets. A prime example would be an attack that steals your data and threatens not only to release, if you refuse to pay, but also deletes portions of the data for every hour you do not pay. The imagination of the attackers who invade our environments seems to know no bounds, leaving this a never-ending battle to protect our data.
What are the various data security technologies?
When understanding each data security technology, the essential concept to keep in mind is there’s no magic bullet. These technologies exist to fight off different types of attacks and understanding how each of these technologies works can help you place them correctly into your protection plan. The security methods covered in this section are a great starting point, but be aware you are not limited to these options, and the deeper you dive into this subject, the more layers you discover.
Arguably one of the most critical factors in data security is the education of your users. Users can be your greatest ally in early detection and isolation of innocents or the most significant attack risk. Many attacks involve hacking into networks and leveraging backdoor access, but most attacks exploit unknowing users to access the network. It is far easier to send a phishing email to a set of email addresses bought from the dark web for pennies and have one user click a link that compromises your company than send a series of attacks hoping to run into an unpatched system with a vulnerability. The email could be as simple as asking the user to click the link and change their password, and now their password is compromised. Phishing attacks are the number one method of successful breaches and go further with a spear-phishing attack, which targets your company, specifically tailoring the link and email with the company logo and language.
Training your employees on proper data security practices to not be a point of attack can be a daunting task, but there are many tools to make it easier. A great place to start would be
Encryption does not help prevent an attack from entering the company, but it does protect the confidentiality of the data. Having proper data encryption can make a huge difference if your data is intercepted and read. Encryption does not just apply to data at rest but also data in transit. Any WiFi connection accessed outside of the company network should be using a VPN tunnel. Wireless connections used within a company should be protected by a password and use the strongest in-transit encryption the device supports.
One of the most well-known examples of encryption was produced by a machine called the Enigma. This machine was invented in 1919 and looked a lot like the typewriter. The key difference was gears within the machine were shifted based on a code; this code altered the message as it was being typed. The only way to decrypt this code was to have the same machine and code to translate the message. This type of encryption is called cryptography and played a huge part in sending select messages in World War II. The movie Enigma was based on this machine and the many ways it altered the war. This movie also highlights how any code can be broken with time, displaying why layered defenses are crucial.
Encryption protects against a higher form of ransomware that steals your data and threatens to release your data to the public unless you pay. As we have found in the last year, data leaks can cost a company money and damage its reputation. A company losing data can compromise the consumer’s trust in a brand or product if the consumer’s privacy is also breached.
Like encryption, data masking protects the confidentiality of data, but it archives this differently. Data masking alters the data set so that vital information can be shared between groups allowing more people access to the data without compromising confidentiality. This is achieved by associating unique IDs in sections of privileged information so that data sets can be shared more widely. Many examples of this can be found in the medical field regarding personally identifiable information being removed from documents so that the medical reports can be published or distributed. This method allows for some flexibility in the CIA triad protection.
Data erasure means to dispose of data on devices when it is no longer needed. As technology grows, so does the need for businesses to keep up with the efficiencies offered by migrating to newer machines. As legacy hardware fades out of circulation, the data on storage remain. There are many methods to disposing of this data from these devices. These methods range from using an algorithm that scrambles the harddrive to breaking out the handy drill to shader the components. Both approaches tend to be just as effective as others when properly executed but where most businesses fall short is not having any procedure in place at all. A proper inventory and disposing of unwanted equipment containing company data can be the easiest part of your data security plan.
There is a lot of time spent around protecting data from malicious users, but other factors fall more in the category, “Acts of Nature.” These occurrences include fires, floods, lightning, and tornados that threaten the data and factors like bit rot and other hardware failures. Making data more resilient means protecting data against events that could cause company data to be lost and not recoverable.
There are many ways to make data more resilient and on different levels. The easiest way to protect data locally is to invest in a RAID configuration that offers a redundancy factor in case of bit rot or hard drive failure. There are many RAID configurations to choose from and different considerations to make based on performance and cost. Larger disasters that could potentially wipe out a build or entire servers rely on technologies that offer offsite redundancy like replication.
Understanding data security compliance
Many compliance regulations are built around the CIA triad concept and encourage companies to comply with these concepts. Many data security governances vary from country to country and, in some cases, can be very strict on data leaving the country or a user who wishes to remove their information from the company’s database. There are even regulations around what can and cannot be done when under an attack from ransomware. The United States Department of Treasury in October 2020 published an
Data security as it pertains to
There are many laws around data governance, but there are a few we regularly see as apart of the data security conversation.
HIPAA stands for Health Insurance Portability and Accountability Act. This regulation is the standard in the United States to protect a patient’s health records’ confidentiality. Unless patients consent to sharing their information with their personally identifiable information, the records cannot be read. If there is a security breach that leads to an unauthorized entity reading a medical record, then the company which houses that information is open to litigation and fines. There are some cases where data masking can cover personally identifiable information to share findings.
CCPA stands for California Consumer Privacy Act and was initiated to protect how residents of California’s personal data are handled worldwide. This regulation protects individuals’ rights to their information in all aspects. Any California resident can request a copy of their data from a company, have the company delete their data from their database, and ensure no personal information is sold to a third party. This regulation also prevents discrimination based on exercising these rights.
GDPR stands for General Data Protection Regulation. GDPR is very similar to the CCPA for California, but GDPR applies to all of the European Union. GDPR gives control over an individual’s information back to that individual.
Data security risks and challenges
There are numerous risks around data security, but arguable, the number one risk will always be people. Every network will need access points to allow employees to do their job and access information. Every company has a need to collaborate with external parties at some point to grow. The number one way to combat the most significant risk to a company is education. Next is to ensure proper privilege control; if a user does not need permissions or access to information, do not provide it. Last, ensure that your company’s defense is layered for any attack that you can encounter.
This blog was originally written by Karinne Bessette for Veeam Blogs.