How to secure your data – article highlights

How to secure your data by Yuri Livshitz

Fair use disclaimer: I do not own this content. This post contains excerpts (“highlights”) from a longer article used here solely for educational purposes. All credits go to its rightful owner. Please see Citation information.

<Data security can be based on the classic CIA triad: confidentiality, integrity, and availability. Here’s a summary of the steps needed to achieve those three critical objectives.>

You may also be interested in How to break into information security.

Confidentiality

<Confidentiality is the hardest data-protection goal to reach, because people (employees, vendors) need to have access to your organization’s data—otherwise that data is useless.>

<In order to properly secure data, an organization should develop clear and precise standards of data classification. Usually data access is governed via a data-access control scheme. A simple and sound way to develop one is using role-based access control (RBAC).>

<Organizations should limit access only to those employees who are approved by management on a need-to-know basis. In addition, procedures should be set up to ensure immediate permission removal in the case of termination or role change for an employee.>

<In order to simplify data governance, information should be segregated by levels of importance and risk, since it is very complicated to safeguard all the data in an organization using the same standards … sensitive data has to be protected by more security measures in order to safeguard it. In some cases, in order to achieve “defense in depth,” multiple security devices from different vendors are recommended.>

<A key technology for data confidentiality is data leakage prevention (DLP), a system that tracks specific sets of sensitive data. For example, DLP can issue alerts when sensitive files are copied to a USB, or credit-card numbers are shared. DLP is a great tool, but it requires precise, organization-specific data classification and alert creation in order to be effective.>
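The credit-card alert mentioned in the highlight above, sketched as an added example (not code from the article). It shows why a precise rule matters: a bare "16 digits" pattern would also fire on order references, so candidates are confirmed with the Luhn checksum, and alerts keep only the last four digits so the alert log does not become another copy of the data. The channel names and sample messages are constructed.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(channel, text):
    """Return one alert per Luhn-valid card number, masked to the last 4 digits."""
    alerts = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            alerts.append({"channel": channel,
                           "match": "*" * (len(digits) - 4) + digits[-4:]})
    return alerts

# Constructed sample messages (test card numbers, not real accounts).
SAMPLES = [
    ("email", "Please charge 4111 1111 1111 1111, exp 12/27."),
    ("chat",  "Order ref 1234567890123456 shipped today."),   # fails Luhn
    ("usb",   "backup.csv: 5555-5555-5555-4444;J. Doe"),
]

def run_samples():
    return [a for ch, txt in SAMPLES for a in scan(ch, txt)]

if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Luhn alone still passes roughly one random digit string in ten, so a production rule would add issuer-prefix checks and the organization's own data classification on top of it.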

Integrity

<Data integrity is extremely important for any organization. It’s especially critical in ones that deal with sensitive material such as health records or financial data. Damage to data integrity can have severe implications. In certain mission-critical systems, if data is modified by an attacker, it could lead to loss of life.>

<To protect data integrity, regular audits of information access and change are required. Data access has to be centrally logged, in case a bad actor manages to damage log data at the endpoint. Any employee who modifies sensitive data should do so using his or her personal user name. This allows non-repudiation, which means that an employee who modified data can’t deny his or her action. Any “super user” access to sensitive files has to be strictly prohibited to guarantee non-repudiation across the organization.>

<To truly safeguard information integrity, you’ll want to incorporate change management technology. Change management basically tracks changes to data, requires management approval of changes, or prevents changes forbidden by policy. Change management usually stores a snapshot of data and tracks changes that are performed on it. Those changes are compared with system policy, and carried out only when they are in compliance with the policy. There are numerous change management products that can apply granular policies to track and prevent unwanted changes on almost any device, from storage filers to firewalls. One of the best-known systems for change management is free SVN, which allows the detailed tracking of data inside a file, as well as granular permission control.>

<Audit and Monitor Data Access: Access to data and modification of data has to be logged and recorded in the central (Security Information and Event Management) system. A SIEM system is important for data security, since it consumes multiple logs and allows those handling security to connect the dots and create a big picture that gives insight into multiple events. For example, it can draw attention to a user who sends abnormal amounts of data outbound, or one who connects to an unusual amount of servers. To utilize a SIEM system properly, its dashboards and metrics need to be set up to measure organization-specific data access activity. A complementary control that can greatly enhance data security is an insider threat detection system. Those usually use machine-learning algorithms to analyze log data to find users’ behavior abnormalities and alert on those. This technology enhances threat mitigation when an attacker is in reconnaissance mode, allowing the detection and prevention of new and unknown threats.>
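The two SIEM examples in the highlight above (abnormal outbound volume, an unusual number of servers) can be written as a per-user baseline rule. This is an added example, not code from the article: the log format, user and server names, and the threshold factor of 3 are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed central log: day, user, destination server, bytes sent.
LOG = """\
2016-03-01 alice fs01 1200000
2016-03-02 alice fs01 1000000
2016-03-03 alice fs01 1300000
2016-03-04 alice fs01 1100000
2016-03-01 bob mail01 2000000
2016-03-02 bob mail01 1800000
2016-03-03 bob mail01 2200000
2016-03-04 bob ext01 40000000
2016-03-01 carol db01 500000
2016-03-02 carol db01 450000
2016-03-03 carol db01 550000
2016-03-04 carol db01 100000
2016-03-04 carol db02 100000
2016-03-04 carol fs01 100000
2016-03-04 carol hr01 100000
"""

def aggregate(log):
    """Per (user, day): total bytes sent and the set of servers contacted."""
    stats = defaultdict(lambda: {"bytes": 0, "servers": set()})
    for line in log.strip().splitlines():
        day, user, server, nbytes = line.split()
        stats[(user, day)]["bytes"] += int(nbytes)
        stats[(user, day)]["servers"].add(server)
    return stats

def detect(log, today, factor=3):
    """Alert when today's activity exceeds factor x the user's own median."""
    stats, alerts = aggregate(log), []
    for user in sorted({u for u, _ in stats}):
        past = [v for (u, d), v in stats.items() if u == user and d < today]
        now = stats.get((user, today))
        if not past or now is None:
            continue            # no baseline or no activity today
        if now["bytes"] > factor * median(p["bytes"] for p in past):
            alerts.append((user, "outbound_volume"))
        if len(now["servers"]) > factor * median(len(p["servers"]) for p in past):
            alerts.append((user, "server_fanout"))
    return alerts

if __name__ == "__main__":
    print(detect(LOG, "2016-03-04"))
```

Comparing each user against their own history, rather than a global limit, is what makes the metric organization-specific: a backup operator and a receptionist have very different normal volumes.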

Availability

<Yes, data that isn’t accessible to anyone may be perfectly secure, but it’s worthless to the enterprise if it can’t be seen and used. Even more problematic is data that gets destroyed, which can create severe problems for a company’s business and reputation. Another thing to think about is that in the case of data damage, the organization may want to be able to restore older data. The timeframe within which data has to be fully restorable and usable should be aligned with an organization’s business goals and (Service Level Agreement) policies. In some cases, highly critical data should be backed up in numerous places to ensure high data resiliency and the ability to carry out a successful restoration under a range of circumstances.>

<You should also be aware that your data could be damaged by malware that remains dormant for a long period of time. Therefore, organizations should schedule data backups in order to guarantee business continuity in the case of a malware-related disaster. Backups should be created on a yearly, monthly, and weekly basis, and stored in an offsite location. It is critical to encrypt backup data in order to prevent untrusted access to it.>

<Following the CIA methodology outlined above will guarantee a good standard of data security in your organization. Though in order to have great data security, it is important to maintain security awareness among employees. Good security awareness among IT personnel and other employees will allow your enterprise’s technical controls to work effectively. Not only should employees receive continuous security education, the organization’s information security policy has to be clear—and regularly updated. Employees’ knowledge of and adherence to information security policy are critical to robust data security.>

Citation information

Yuri Livshitz. (2016). How to secure your data (Ch. 6). In Beginner’s Guide To Information Security (pp. 32-35). Peerlyst. Retrieved from https://www.peerlyst.com/posts/peerlyst-announcing-its-first-community-ebook-the-beginner-s-guide-to-information-security-limor-elbaz

Related content

How to prepare for an infosec interview – article highlights (Ch. 3, Beginner’s Guide to Information Security, peerlyst, 2016)

Working with recruiters – article highlights (Ch. 4, Beginner’s Guide to Information Security, peerlyst, 2016)

How to get started in cryptography – article highlights (Ch. 5, Beginner’s Guide to Information Security, peerlyst, 2016)

Basic network security – article highlights (Ch. 7, Beginner’s Guide to Information Security, peerlyst, 2016)

How to respond to a security incident – article highlights (Ch. 9, Beginner’s Guide to Information Security, peerlyst, 2016)
