The concept of data security has been around for a few decades now, but when we hear of cases such as the Ashley Madison or PlayStation breaches, they understandably put fear into most businesses, particularly those holding significant amounts of client data.
Data security is no longer an optional extra for businesses. As of May last year, the GDPR regulations came into effect in Europe and signified an increase in liabilities and responsibilities for companies collecting personal information. Whilst not having a direct effect on Australian businesses that do not trade in Europe, the GDPR is largely reflective of The Australian Privacy Act of 1988 which sets out guidelines that businesses in Australia must adhere to in order to protect private information.
With that in mind, there are four common layers that businesses need to take into account when planning their data security strategy:
1. Authentication
Authentication refers to guarding access to a system, the data therein and the services associated with it. It aims to reduce the risk of unauthorised usage or access by creating identities, profiles and credentials that provide various levels of access and control. Robust data security requires easy-to-implement practices backed by sophisticated measures to ensure that only the right people gain access to any and all available data.
Authentication can be delivered via numerous means, such as perimeter authentication (preventing access from outside a defined perimeter), multi-factor authentication (requiring several identity checks prior to access), and token or authenticator restrictions, whereby a temporary code or security pass is sent to a device to confirm the user's identity.
Cluster authentication is a more complex method whereby internal checks are run repeatedly to secure a system against unwanted services that have gained access through impersonation or subtle injection.
2. Authorisation
Authorisation refers to what access or control a particular user will have over a resource or system. The most obvious and simplified example of this can be seen in CRM or database access, where some users are allocated administrative rights, others contribution rights, and others read-only rights. Whilst enterprise-grade IT is more sophisticated than this example, the concept of user-level access remains the same.
3. Data Protection
The purpose of data protection is to prevent unauthorised users from viewing, duplicating, and contributing to documentation or a data set. These controls add an additional layer of protection to a business against internal threats from users and also external attacks from malicious sources.
The configuration of data protection varies based on the task and type of data.
4. Auditing
The auditing layer seeks to capture a complete historical record of the access and activity within the system and is central to the health of the three layers described above.
Auditing is the layer that explains what happened, who did it, when it occurred and how, should a breach occur.
As an example, if a user were to incorrectly delete or replace a data set, the auditing layer will provide the details of who was responsible, when, and what they did (increasing the likelihood of retrieving the lost data).
Auditing is also an essential requirement for compliance for those businesses that need to meet certain regulations associated with their industries or line of services they are offering.
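To show how the authorisation tiers (read-only, contribution, administrative) and the audit trail described above fit together, here is an added example that is not part of the original post. The `AuditedStore` class, its role-to-level policy, the user names and the record keys are all hypothetical; every attempt, allowed or denied, is logged with who, what, when and the previous value, so a mistaken delete can be traced and reversed.

```python
import datetime

# Access tiers from the post: read-only, contribution and administrative rights.
ROLE_LEVEL = {"read-only": 1, "contributor": 2, "admin": 3}
# Minimum tier each action requires (a constructed policy for this example).
REQUIRED_LEVEL = {"read": 1, "update": 2, "delete": 3}


class AuditedStore:
    """Hypothetical data set with role checks and a complete audit trail."""

    def __init__(self, roles):
        self.roles = dict(roles)   # user name -> role name
        self.records = {}          # key -> current value
        self.audit = []            # every attempt, allowed or denied

    def _log(self, user, action, key, allowed, before=None):
        # Each entry answers who, what, when and whether it was permitted;
        # 'before' keeps the prior value so a bad change can be restored.
        self.audit.append({
            "who": user, "what": action, "key": key, "allowed": allowed,
            "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "before": before,
        })

    def _allowed(self, user, action):
        # Unknown users get level 0 and are therefore denied everything.
        return ROLE_LEVEL.get(self.roles.get(user), 0) >= REQUIRED_LEVEL[action]

    def read(self, user, key):
        ok = self._allowed(user, "read")
        self._log(user, "read", key, ok)
        return self.records.get(key) if ok else None

    def update(self, user, key, value):
        ok = self._allowed(user, "update")
        self._log(user, "update", key, ok, before=self.records.get(key))
        if ok:
            self.records[key] = value
        return ok

    def delete(self, user, key):
        ok = self._allowed(user, "delete")
        before = self.records.pop(key, None) if ok else self.records.get(key)
        self._log(user, "delete", key, ok, before=before)
        return ok

    def who_changed(self, key):
        """Allowed modifications to `key`, most recent first, for an investigation."""
        return [e for e in reversed(self.audit)
                if e["key"] == key and e["allowed"] and e["what"] != "read"]
```

The `who_changed` history is what an investigator would consult after an unexpected deletion: its first entry names the user, the timestamp and the value that was removed.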
5. What Now?
Businesses of all sizes are prone to malicious activity from outsiders and sadly, insiders too. This need not be the case.
Data security has been and will remain a hot topic in enterprise IT because it continues to cause businesses a substantial amount of damage when it is not handled appropriately.
Whether the business has an internal or external IT provider, data security needs to be an ongoing process that resists the temptation of becoming complacent or lazy. The consequences for getting it wrong are severe and just not worth the risk.
Another basic aspect of data security that is quite often implemented poorly is ongoing and frequent team awareness training. Keeping the team briefed and aware of their responsibilities as users and how to report or identify potential security issues plays a major role in a strong data security process.