What is Data Security? Threats, Controls, and Solutions

What is Data Security?

Data security is the practice of protecting organizational data from risk. It is common to organize data security according to three dimensions—Confidentiality, Integrity, and Availability—in line with the CIA Triad commonly used in information security.

Data confidentiality involves preventing unauthorized parties, whether internal or external, from accessing sensitive data. Organizations implement a variety of security measures to protect confidentiality, from perimeter network defenses to permission systems like role-based access control (RBAC), data encryption, and multi-factor authentication.

Data integrity involves the prevention of unwanted modification or deletion of data. This might be the result of an accident or disaster, or a malicious act by an attacker seeking to sabotage company operations. An important way to ensure data integrity is the use of digital signatures. Encryption can also help protect data integrity.

Data availability ensures that valuable data can always be accessed by those who need it, both inside and outside the organization. IT operations are primarily responsible for data availability, by making sure infrastructure is working and recovering quickly from failure.

Data Security vs Data Protection vs Data Privacy

Data security is often confused with similar terms such as data protection and data privacy. All of these are different ways to protect an organization’s data:

  • Data security means protecting your data from unauthorized access or use where it could be leaked, deleted or corrupted. An example of data security is the use of encryption to prevent hackers from using your data if it is compromised.
  • Data protection refers to making backups or copies of data to prevent accidental deletion or loss. An example of data protection is backing up your data, so if data is corrupted or deleted due to a disaster or a cyberattack, it is not lost.
  • Data privacy refers to concerns about how data is processed, including data sensitivity, regulatory requirements, consent, and notifications. An example of data privacy is the use of a separate, secure database for personally identifiable information (PII).

Data Security Threats

Here are a few of the most common threats facing organizational data.

Social Engineering Attacks

Social engineering attacks are the primary medium used by attackers to gain access to sensitive data. This includes manipulating or deceiving individuals to provide personal information or access privileged accounts.

Phishing is a common form of social engineering. This includes messages that appear to come from a trusted source, but are actually sent by an attacker. If an employee is convinced to provide personal information, click a malicious link, or open a malicious attachment, the attacker can compromise the user’s device or account and gain access to the corporate network.

Security Misconfiguration

If a computing system does not have security settings properly defined, or is kept with the default username and password, a security misconfiguration occurs. This typically means that a system’s configuration does not comply with security standards, such as CIS benchmarks, the OWASP Top 10, or specific compliance requirements. 

If an administrator or developer does not properly configure security for an application, website, server, or workstation, the system may be wide open to attackers. 

Misconfiguration is widely cited as one of the biggest security threats in a cloud environment, and the risk is also present in an on-premises environment. It can lead to large-scale data breaches and can have economic consequences such as temporary loss of business, damage to reputation, revenue loss, exposure to lawsuits, and regulatory fines.

Shadow IT

Unauthorized use of third-party software, applications, or Internet services in the workplace, known as shadow IT, is difficult for IT departments to track. Shadow IT is very common because employees habitually use applications they know from their personal lives, which are more efficient, lightweight, and easier to use than company-approved alternatives.

Shadow IT creates a blind spot in an organization’s data security strategy, making it difficult to identify what data is stored on unauthorized services. Even more dangerous is the weak security of these third-party services. This could lead to data breaches, and also represents a major compliance risk—an organization could face lawsuits or fines because sensitive data was stored by an employee on unauthorized services.

The main cause of shadow IT is that a company cannot provide its employees with the tools they need to get the job done. Organizations must have an open dialogue with their employees and do their best to understand and satisfy their technical needs. DLP tools can also be used to prevent employees from uploading sensitive information to third party services, and monitor data transfers to better understand the impact of shadow IT.

Ransomware

Ransomware is a top priority, if not the highest priority, in any organization’s cybersecurity program, and it directly affects data security. In a ransomware attack, the victim’s computer is infected by malware that encrypts valuable files, or entire devices, making it impossible for victims to use the equipment and data. To regain access to the device or data, ransomware demands that the victim pay a ransom. 

Ransomware is becoming a huge global business for cybercriminals, and techniques are evolving rapidly. Ransomware as a Service (RaaS) gives large groups of hackers easy access to advanced ransomware technology. In addition, new types of ransomware use a double extortion technique: before they encrypt files, they transmit them to the attacker, who threatens to make them publicly available if the ransom is not paid.

Ransomware can spread through malicious email attachments, infected software applications, infected external storage devices, infected websites, and vulnerabilities in commonly deployed applications.

Advanced Persistent Threat Attacks

An Advanced Persistent Threat (APT) is a targeted network attack that goes undetected for a long period of time after attackers penetrate the network. The purpose of APT attacks is not to compromise systems or networks, but rather to monitor network activity and steal data over a prolonged period of time. Cybercriminals often use APT attacks to target high-value targets, such as large corporations and government institutes, to steal valuable or strategic data.

Types of Data Security Controls

Here are some of the most common security controls organizations can put in place to secure their data.

Access Controls

Access controls are physical and digital mechanisms that limit access to critical systems and data. This includes making sure all computers, devices, networks, and applications are protected with mandatory login, and that physical spaces can only be entered by authorized personnel.

Authentication

Authentication is another layer added on top of access controls, which defines how a system verifies user identities before granting access. Today, secure authentication mechanisms rely on multi-factor authentication, which requires several methods of proof of user identity. This can be something the user knows, like a password, something they own, like a mobile phone, and something they are, such as a fingerprint scanned through biometric authentication.

Backups & Recovery

Backup and recovery have always been a critical part of data security, providing a strategy for restoring data in case of a disaster, system failure, or data corruption. Backups are becoming increasingly important as a defense mechanism against ransomware. Regular backups that are stored securely, disconnected from the corporate network, are an effective measure against ransomware.

Data Erasure

Most organizations store redundant, duplicate, or otherwise unnecessary data. Some of this data may be sensitive and present a security risk. Therefore, erasing data is an important data security control. 

Organizations should dispose of data on a regular basis, and use appropriate data erasure techniques to ensure that storage devices are truly erased. Deleting or formatting a storage device via the operating system might not actively wipe all the data from the device, and this data can be compromised by attackers who get hold of the device.

Data Masking

Data masking hides sensitive information by replacing it with anonymized or randomized data. This means that even if unauthorized parties access the data, it will not be useful to them. Data masking is built into all modern database systems, and makes it possible to share sensitive data in anonymized form, without compromising it. Data masking can even be applied to part of a data table, so that non-sensitive data is shown as is and sensitive data is masked.
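
The partial masking described above, as an added example (not code from this article or from any database product). The column names, the `POLICY` mapping, the `billing_admin` role and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample rows; column names and values are illustrative only.
ROWS = [
    {"order_id": 1001, "email": "dana@example.com", "card": "4111111111111111", "total": 42.50},
    {"order_id": 1002, "email": "dana@example.com", "card": "5500005555555559", "total": 13.00},
]

# Hypothetical policy: which columns are sensitive and how each one is masked.
POLICY = {"email": "pseudonymize", "card": "last4"}

# Hypothetical role that is allowed to see clear values.
UNMASKED_ROLES = {"billing_admin"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins and
    group-bys still work, but guesses cannot be confirmed without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def last4(value: str) -> str:
    """Keep only the last four characters and replace the rest with '*'."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "*" * len(value)


def mask_row(row: dict, role: str, key: bytes) -> dict:
    """Return a copy of row with sensitive columns masked for non-privileged roles."""
    if role in UNMASKED_ROLES:
        return dict(row)
    out = {}
    for col, val in row.items():
        rule = POLICY.get(col)
        if rule == "pseudonymize":
            out[col] = pseudonymize(str(val), key)
        elif rule == "last4":
            out[col] = last4(str(val))
        else:
            out[col] = val  # non-sensitive columns pass through unchanged
    return out


if __name__ == "__main__":
    key = b"demo-key"  # constructed; load from a secret store in real use
    for r in ROWS:
        print(mask_row(r, "analyst", key))
```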

Data Resiliency

A key part of data security is ensuring that systems are able to endure failure and rapidly recover. A key strategy for data resilience is replication. Cloud-based storage provides powerful capabilities to replicate data across multiple physical data centers distributed across different geographical locations. This provides strong resilience to failure, because even if an entire data center fails, a copy of the data still exists on another data center and is instantly available.

Encryption

Encryption is a critical part of any data security strategy, and is explicitly required by many regulations and industry standards. Encryption uses algorithms to transform files into an unreadable format. The transformation is impossible to reverse except with a key. Encrypting data both at rest and in transit effectively protects it from attackers. However, encryption requires careful management of keys and ensuring they do not fall into the wrong hands.

Data Security Solutions

Software vendors provide a variety of tools that can help improve data security. Here are a few important types of solutions—there are many more.

Data Discovery and Classification Tools

Data discovery is the basis of any data security strategy. An organization must understand what data it owns, and which of the data is sensitive and requires protection. Data discovery tools can scan structured and unstructured datastores, including file systems, relational databases, NoSQL databases, data warehouses, and cloud storage buckets. They can automatically map datasets, identify sensitive information, and identify vulnerabilities that can affect data security.
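
A small version of the scan a discovery tool performs, as an added example (not code from this article or from any vendor's product). It covers only two data types, email addresses and payment card numbers; the column names and sample rows are constructed.

```python
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed sample rows; "tracking" holds 16-digit values that are not cards.
ROWS = [
    {"id": 1, "contact": "dana@example.com", "pan": "4111 1111 1111 1111",
     "tracking": "1234567890123456", "note": "call back"},
    {"id": 2, "contact": "lee@example.org", "pan": "5500-0055-5555-5559",
     "tracking": "9876543210987654", "note": "sent receipt to lee@example.org"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def detect(value) -> set:
    """Return the sensitive-data labels found in a single cell value."""
    text = str(value)
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("email")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("payment_card")
    return labels


def scan(rows):
    """Per column, the fraction of non-empty values that match each label."""
    seen, hits = {}, {}
    for row in rows:
        for col, val in row.items():
            if val in (None, ""):
                continue
            seen[col] = seen.get(col, 0) + 1
            for label in detect(val):
                col_hits = hits.setdefault(col, {})
                col_hits[label] = col_hits.get(label, 0) + 1
    return {col: {lab: n / seen[col] for lab, n in labs.items()}
            for col, labs in hits.items()}
```

The free-text `note` column is reported with a partial match ratio, which is how sensitive values hiding in unstructured fields show up in a scan.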

Data and File Integrity Monitoring

Data and file integrity monitoring tools provide security teams visibility over file systems and databases. They report what sensitive data is being accessed and by whom, identify anomalous access, and send alerts. These tools can also automatically block access for certain types of suspicious access requests. Finally, they can provide an audit trail of file and database access that can be useful for compliance purposes.
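
The anomalous-access detection described above, reduced to two rules over an audit log, as an added example (not code from this article or from any monitoring product). The log format, table names, the `SENSITIVE` set and the threshold `factor` are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from statistics import median

SENSITIVE = {"customers_pii", "payroll"}  # hypothetical sensitive tables
LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) rows=(\d+)$")

# Constructed audit lines in an invented format: timestamp, user, table, rows read.
BASELINE = """\
2022-01-03T09:12:00Z user=alice table=customers_pii rows=40
2022-01-03T10:30:00Z user=alice table=customers_pii rows=55
2022-01-04T11:05:00Z user=alice table=customers_pii rows=35
2022-01-04T14:20:00Z user=bob table=orders rows=900
"""
TODAY = """\
2022-01-05T09:40:00Z user=alice table=customers_pii rows=50
2022-01-05T02:14:00Z user=alice table=customers_pii rows=48000
2022-01-05T13:00:00Z user=bob table=payroll rows=12
2022-01-05T13:05:00Z user=bob table=orders rows=5000
"""


def parse(text):
    """Yield (timestamp, user, table, rows) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, table, rows = m.groups()
            yield ts, user, table, int(rows)


def build_baseline(text):
    """Map (user, table) to the list of historical row counts."""
    hist = defaultdict(list)
    for _, user, table, rows in parse(text):
        hist[(user, table)].append(rows)
    return hist


def alerts(baseline_text, new_text, factor=10):
    """Flag sensitive-table reads that are first-time or far above the user's median."""
    hist = build_baseline(baseline_text)
    out = []
    for ts, user, table, rows in parse(new_text):
        if table not in SENSITIVE:
            continue  # stays in the audit trail, but is not alerted on
        past = hist.get((user, table))
        if not past:
            out.append((ts, user, table, "first access to sensitive table"))
        elif rows > factor * median(past):
            out.append((ts, user, table, f"volume {rows} exceeds {factor}x median"))
    return out
```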

Vulnerability Management Tools

There is a wide range of vulnerability management, scanning, and remediation tools that can help address vulnerabilities in IT systems. For example, these tools can identify software that needs to be updated or patched, security misconfigurations for data stores, weak passwords, and vulnerabilities specific to databases, such as code injection.

Automated Compliance Management and Reporting

Data security is closely related to compliance, and many data security issues also create a compliance risk. Automated compliance management tools have the relevant compliance standards built in, can scan an organization’s systems for specific compliance issues, and are able to automatically generate reports required by auditors. These tools can dramatically reduce the manual effort needed to evaluate and remediate compliance issues across the organization.

Data Security Best Practices

Here are a few best practices that can help you secure data more effectively.

Identify and Classify Sensitive Data

To protect data effectively, you need to know exactly what type of data you have. Collaborate with your security team to scan data stores and classify them by sensitivity. You can later organize your data into different categories based on its compliance and security risk, and value to the organization.

Classifications can be updated as data is created, modified, processed, or submitted. It is also important to have controls in place to prevent users from manipulating classification levels—only authorized users should be able to promote or demote data sensitivity.

Create a Unified Data Security Policy

Data can be structured or unstructured and can reside in a database, cloud storage, local storage, etc. Most organizations manage large volumes of data, and it is common for some data to be forgotten or misplaced. Protecting your company from data breaches requires securing all data, including large datasets and individual files and folders. You cannot know in advance where sensitive data will be found.

Create an inventory encompassing all your data. Identify unmanaged locations, such as personal employee devices or shadow IT services, and build a strategy to ensure company data cannot be stored there, or is stored safely. Once you have a comprehensive view of all data across the organization, you can implement a unified security policy to ensure data is appropriately protected, and put in place monitoring to alert you when sensitive data is tampered with.

Deploy Identity and Access Management (IAM)

Unauthorized access is a huge threat to cloud data security. Hackers are becoming more sophisticated at stealing credentials and compromising privileged accounts. A critical component in your defensive strategy is an identity and access management (IAM) solution.

Look for an IAM solution that lets you define and implement access policies based on the least privilege principle, using role-based permissions. Use multi-factor authentication (MFA) to significantly reduce the risk of unauthorized access to sensitive information, even if attackers compromise a user’s credentials.

Modern IAM solutions support hybrid environments, simplifying end-user authentication across on-premises data centers and cloud systems, and making it easier to implement consistent policies across all IT environments.

Carry Out Employee Security Training

It is not enough to have security policies in place. Companies must train their employees, explain the policies and their importance, and show them how to manage sensitive data and respond to suspicious activity.

Employees can follow data security best practices to prevent internal and external attacks. Teach employees to use strong passwords, avoid reusing them, and explain the importance of multi-factor authentication. Employees should be trained to recognize and avoid phishing attacks, and lock down applications and computing devices when they are not using them.

This basic training should be provided to new and existing employees on an ongoing basis. Do not assume that employees “already know” the rules—you must constantly refresh their knowledge and add new instructions and guidance based on the evolving threat landscape.

Data Security with Satori

Satori, the DataSecOps platform, gives companies the ability to enforce security policies from a single location, across all databases, data warehouses and data lakes. Such security policies can include data masking, data localization, row-level security and more.

Last updated on January 6, 2022
