Data security is the process of protecting data from loss, theft, or unauthorized access during its lifecycle. Not only does data itself have to be protected, but also the systems used to create, collect, receive, transmit, or store data, and the physical locations in which it is at rest.
Not so many years ago, people weren’t that concerned about data security. The government kept records about who you were, who you married, what you did for a living, and what taxes you paid. Businesses also started building databases of personal data when installment plans became popular, and later built similar databases to send junk mail - which was annoying, but not necessarily concerning.
At the time, data was maintained on paper and stored in filing cabinets - sometimes locked, sometimes not. Because the nature of the data was relatively simple, if it was lost or damaged (corrupted) it wasn’t too difficult to replace. Furthermore, there was little incentive to steal data because there was no easy way to monetize it. Compared with today’s always-online environment, data security was much simpler.
How the Internet Changed Data Security
Data security started to become an issue when computers became more affordable and businesses digitalized data and stored it on removable media. However, the arrival of the Internet changed everything. Now data was instantly available to malicious insiders and a new breed of cybercriminals, as were online avenues to monetize data via identity theft, credit card fraud, and insurance fraud.
News of large-scale data breaches became monthly events - then weekly events - prompting the government to act and include data privacy and security regulations in acts such as the Healthcare Insurance Portability and Accountability Act (1996), Sarbanes-Oxley (2002), and Dodd-Frank (2008). For many businesses data security was no longer an option; it was a legal requirement.
Data Security isn’t Just about Data
Because of the many routes through which data can travel and locations in which it can be stored, data security isn’t just about the data. In many industries, data in transit has to be encrypted, while physical safeguards have to be applied to the hardware used to create, collect, receive, transmit, or store data, and the premises in which that hardware is maintained.
When assessing whether access controls are appropriate, businesses have to take into account physical security as well as technology security in order to prevent the loss or theft of physical devices, and prevent unauthorized access to devices, servers, and backups. The measures put in place should be equally effective against all malicious actors - whether internal or external.
Technologies to Enhance Data Security
Technology has evolved considerably from firewalls and anti-virus software to the point at which developers are working on Vanishing Programmable Resources (VAPR) that self-destruct along with the data they are storing when accessed without authorization. However, until such time as VAPR becomes commercially available, businesses can use these technologies to enhance data security:
Data Encryption
Data encryption is a requirement in most regulated industries, but any business not encrypting data at rest and in transit is practically inviting malicious actors to help themselves to data. There are many solutions on the market that convert data into ciphertext so that it is difficult to decipher if accessed or disclosed without authorization.
Asset Access Controls
Controlling the assets employees have access to is essential in order to practice effective data security management. This not only applies to physical assets, but also to areas of the network in which sensitive data is stored or through which it travels. Encrypted data, although difficult to decipher, isn’t impossible to crack if the prize is valued highly enough.
Data Masking
Data masking (or tokenization) involves substituting a randomly generated value, or token, for sensitive data such as credit card and social security numbers. Unlike encryption, there’s no mathematical relationship between the randomly generated value and the original data, so to recover the original, a malicious actor must have access to the mapping database.
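The tokenization approach just described, as an added example that is not part of the original post: a token vault that swaps card numbers and social security numbers in a record for random tokens and holds the only mapping back. The record format, regexes, and the `tok_` prefix are assumptions made for the illustration.

```python
import re
import secrets

# Constructed example: a tokenization vault. The token is drawn from a CSPRNG, so it
# has no mathematical relationship to the value it replaces; only the vault's mapping
# table (which would live in a separately secured store) can reverse it.
class TokenVault:
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}   # reuse one token per distinct value

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)   # 16 hex chars, random
            if token not in self._token_to_value:   # guard against collisions
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token the vault never issued.
        return self._token_to_value[token]

# Assumed patterns for the two data types named in the text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}")

def mask_record(text: str, vault: TokenVault) -> str:
    """Replace SSNs and card numbers in free text with vault tokens."""
    text = SSN_RE.sub(lambda m: vault.tokenize(m.group(0)), text)
    return CARD_RE.sub(lambda m: vault.tokenize(m.group(0)), text)

def restore_record(text: str, vault: TokenVault) -> str:
    """Reverse mask_record; only possible with access to the same vault."""
    return TOKEN_RE.sub(lambda m: vault.detokenize(m.group(0)), text)

if __name__ == "__main__":
    vault = TokenVault()
    record = "card 4111111111111111 ssn 123-45-6789"   # constructed sample
    masked = mask_record(record, vault)
    print(masked)
    print(restore_record(masked, vault) == record)
```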
Two-Factor Authentication (2FA)
Most of us use 2FA for our personal bank accounts, but few businesses apply it to corporate accounts. Yes, it’s time-consuming and it can be counterproductive; but, if a hacker obtains a username and password combination, he or she can use it to extract other username and password combinations through phishing or keylogging malware. 2FA prevents a hacker from being able to use the combination.
Data Security in the Cloud
The cloud adds another dimension to data security because cloud service providers and businesses share responsibility for cloud security. Although cloud service providers secure their physical environments (data centers and servers), businesses remain responsible for the security of the assets they provision (virtual machines, storage volumes, databases, etc.).
The distinction between a cloud service provider’s responsibilities and businesses’ responsibilities is usually outlined in the provider’s terms and conditions. Businesses must determine where the provider’s responsibilities begin and end - and communicate the distinction to their employees to ensure each individual team member is conscious of their security obligations.
Data Security Management
Regardless of whether a business operates in the cloud, on-premises, or a mixture of both, there are a lot of moving parts to manage when it comes to data security. The key to effective data security management is having total visibility of all IT infrastructure so it’s possible to identify all threats and vulnerabilities, and address them with full understanding of how assets interact with each other.
To gain total visibility over all a business’s assets, it’s recommended to implement a cloud management platform such as CloudHealth that consolidates disparate data sets so that security concerns, cost gaps, and other inefficiencies can be identified. Once any identified issues have been addressed, businesses can use policy-driven automation to keep on top of data security management.
Using Policy Driven Automation to Secure Data
Policy-driven automation reduces the workload of data security management by monitoring the network around the clock and alerting administrators to any policy violations; or, when there’s a risk of a serious security breach, performing an action that (for example) blocks an asset from being launched or revokes user access. Typical security-related policies could include:
- If any IAM user has 2FA disabled, send email notification.
- If an S3 storage bucket is publicly accessible, restrict access.
- If any non-conforming asset is launched, terminate asset.
- If an IAM user logs in from an unrecognized IP address, revoke access.
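The four policies above expressed as a minimal rule engine, added here as an illustration and not CloudHealth's product code: each rule is a condition over an inventory or login record plus the action to take, and the engine returns the findings rather than acting on them. Record field names, the approved image list and the recognized IP list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example: policy-driven evaluation of cloud inventory and login events.
@dataclass
class Policy:
    name: str
    condition: Callable[[dict], bool]   # record -> True when the policy is violated
    action: str                          # notify / restrict / terminate / revoke

APPROVED_IMAGES = {"ami-approved-1"}   # assumed allow-list of conforming images
KNOWN_IPS = {"203.0.113.10"}           # assumed list of recognized login sources

POLICIES = [
    Policy("iam-user-2fa-disabled",
           lambda r: r["type"] == "iam_user" and not r["mfa_enabled"], "notify"),
    Policy("s3-bucket-public",
           lambda r: r["type"] == "s3_bucket" and r["public"], "restrict"),
    Policy("non-conforming-asset",
           lambda r: r["type"] == "instance" and r["image"] not in APPROVED_IMAGES,
           "terminate"),
    Policy("login-unrecognized-ip",
           lambda r: r["type"] == "login" and r["source_ip"] not in KNOWN_IPS, "revoke"),
]

def evaluate(records):
    """Return (policy name, action, record id) for every violation in `records`."""
    findings = []
    for r in records:
        for p in POLICIES:
            if p.condition(r):
                findings.append((p.name, p.action, r["id"]))
    return findings

# Constructed sample inventory and login records.
SAMPLE = [
    {"type": "iam_user", "id": "alice", "mfa_enabled": True},
    {"type": "iam_user", "id": "bob", "mfa_enabled": False},
    {"type": "s3_bucket", "id": "reports-archive", "public": True},
    {"type": "instance", "id": "i-0001", "image": "ami-approved-1"},
    {"type": "instance", "id": "i-0002", "image": "ami-unknown"},
    {"type": "login", "id": "alice", "source_ip": "203.0.113.10"},
    {"type": "login", "id": "bob", "source_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for name, action, rid in evaluate(SAMPLE):
        print(f"{name}: {action} -> {rid}")
```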
More about CloudHealth’s Cloud Management Platform
CloudHealth is a cost, performance, and security-enhancing platform recognized by Forrester Research as a leader among cloud cost monitoring and optimization platforms in 2018. CloudHealth Technologies is also accredited as an Advanced Technology Partner by Amazon Web Services and as a Silver Microsoft Partner for businesses operating in the Azure Cloud.
Leading businesses rely on our management platform to manage costs, performance, and security, and to support the success of their cloud environments with enhanced visibility, control, and automation.