Most organizations have a vast amount of sensitive data in their possession. This includes customer data, intellectual property, and other information that could hurt the business or its customers if publicly exposed.
Data security is the practice of protecting this data from unauthorized access and compromise. Organizations can use a variety of different tools and techniques to meet their data security needs.
Why is Data Security Important?
Data security is a top-of-mind priority for many organizations.
This is driven by a number of different factors, including:
- Growing Data Breaches: Data breaches have become a daily occurrence, publicly exposing sensitive customer and business data. Data security helps to protect this data from breach and unauthorized use.
- Expanding Regulatory Landscape: In recent years, the number and scope of data protection regulations has grown dramatically. As a result, strong data security practices are increasingly necessary to avoid regulatory penalties.
- Increasing Insider Threats: Insiders are a leading cause of data breaches, theft, and leaks, whether intentionally or not. Data security helps to protect against actions by legitimate users that put corporate data at risk.
All of these pressures mean that creating, implementing, and enforcing a strong data security strategy is essential for any organization.
What are the Types of Data Security?
Data security can be implemented using a variety of different methods, each with their own advantages and disadvantages.
Some of the most common methods for data protection include:
- Minimization: Data minimization is an important first step for any data security policy. By limiting data collection and storage to only what is necessary, an organization limits its data security risk and the volume of data that it needs to protect.
- Encryption: Data encryption ensures that only those with access to the secret key have the ability to decrypt and read the data, making it useless to an attacker. This is a strong protection for data that is in storage or being transmitted; however, encryption cannot currently be used effectively for data in active use.
- Masking: Data masking replaces some portion of sensitive data – like the first 12 digits of a credit card number or the first 5 digits of a Social Security Number – with a masking character (often an asterisk). This limits the utility of the sensitive data if it is accidentally exposed to an unauthorized party.
- Tokenization: Data tokenization replaces a piece of sensitive data with a unique identifier (or “token”) and uses that token in place of the data. The lookup table that maps these tokens to the real data is stored in a protected location, minimizing its probability of exposure. Without access to this table, it is much more difficult (and potentially impossible) to determine the real value associated with a particular token.
- Erasure: Erasure is the most effective method of securing sensitive data. If an organization securely deletes data from its systems when it is no longer necessary, there is no need to protect the data.
All of these methods of data protection are largely passive.
While they can be quite effective, the potential exists that an attacker can bypass or overcome them. For example, an attacker may gain access to the decryption keys for encrypted data or the lookup table mapping tokenized data to real values.
Organizations also need to implement active protections for the sensitive data entrusted to them.
Some examples of active data security solutions include:
- Access Controls: Limiting access to sensitive data is an essential part of protecting it against abuse or exposure. Access controls should be designed based on the principle of least privilege, which states that a user or application should only have the access and permissions needed to do their job and no more. This limits the impact of a compromised user account or application on enterprise data security.
- Data Monitoring: Access controls protect against unauthorized access to data, but insider risks are a significant data security risk. An organization should have solutions in place that monitor access to and usage of an organization’s data and alert security personnel of activities that would place data at risk.
An effective data security strategy implements both passive and active data security controls.
For example, encryption of data at rest and in transit ensures that the data is safe most of the time. The organization can then focus its active protections on when data is “at risk”, when it is decrypted and in active use.
Data Security Compliance and Regulations
When developing a data security policy, it is important to take relevant data protection regulations into account.
In the past few years, the regulatory landscape has grown with new regulations (GDPR, CCPA) joining existing laws (HIPAA, SOX, PCI DSS).
The goal of all of these regulations is the same: to ensure that the particular types of data under their jurisdiction are protected. However, the methods and requirements mandated can vary from one regulation to another.
For example, data encryption is commonly recommended as a data security solution, and, under many regulations, a breach of encrypted data is not considered reportable to regulators.
However, some regulations have less common requirements, like the GDPR’s mandate that organizations implement data minimization. Before developing a data security strategy, it is important to determine which regulations apply and their specific requirements to ensure that an organization is compliant by design.
Balancing Data Security with Employee Productivity
When developing a data security strategy, many organizations focus their efforts on “threats”. They try to identify the users and activities that are likely to cause data breaches or other data leaks and clamp down on these threats.
The problem with this approach to data security is that it doesn’t work and hurts the organization’s ability to do business. Data loss prevention (DLP) systems – which work off of this principle – were deployed in 69% of organizations that suffered a data breach involving an insider.
To make things worse, these policies that don’t protect against threats do prevent employees from doing their jobs, according to 66% of organizations.
Data security should be a priority for every organization, but a threat-focused mindset isn’t the best way to implement it. Instead, organizations should focus on visibility and risk when designing a data protection plan.
If an organization can see where their data is and how it’s being used, they can identify the activities that place this data at risk. This allows them to quickly respond to the incident and block a potential data breach without stopping employees from doing their jobs.
It’s Not Impossible: Securing Data While Supporting Employee Productivity
Insider threat and insider risk are often discussed interchangeably. In this podcast, Code42 Security Solution Engineer Tommy Todd breaks down the key differences between the two and discusses some of the biggest data risks to look out for.Listen to the Podcast