Actions

Data Security

Definition of Data Security

Data Security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.[1]

Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption. Data security is an essential aspect of IT for organizations of every size and type. Data security is also known as information security (IS) or computer security.[2]



Data Security Vs. Data Privacy[3]

Data security and data privacy are, by no means, the same terms. Data privacy is about proper usage, collection, retention, deletion, and storage of data. Data security is policies, methods, and means to secure personal data.

So, if you are using Google Gmail account, your password would be a method of data security, while the way Google uses your data to administer your account, would be data privacy.


Data Security Vs. Data Privacy
source: Data Privacy Manager


Think for example of a window on a building; without it being in place an intruder can sneak in and violate both the privacy and security of the occupants. Once the window is mounted it will perform a pretty decent job in keeping unwanted parties from getting into the building. It will, however, not prevent them from peeking in, interfering thus with the occupants’ privacy. At least not without a curtain. In this (oversimplified) example the window is a security control, while the curtain is privacy control.

The former can exist without the latter, but not vice versa. Data security is a prerequisite to data privacy. And information security is the main prerequisite to data privacy.


Why Data Security?[4]

Organizations around the globe are investing heavily in information technology (IT) cyber defense capabilities to protect their critical assets. Whether an enterprise needs to protect a brand, intellectual capital, and customer information or provide controls for critical infrastructure, the means for incident detection and response to protecting organizational interests have three common elements: people, processes, and technology.


Ensuring Data Security[5]

While data security isn’t a panacea, you can take several steps to ensure data security. Here are a few that we recommend.

  • Quarantine Sensitive Files: A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly get control of your data with data security software that continually classifies sensitive data and moves data to a secure location.
  • Track User Behavior against Data Groups: The general term plaguing rights management within an organization is “overpermissioning’. That temporary project or rights granted on the network rapidly becomes a convoluted web of interdependencies that result in users collectively having access to far more data on the network than they need for their role. Limit a user’s damage with data security software that profiles user behavior and automatically puts in place permissions to match that behavior.
  • Respect Data Privacy: Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control.


Types of Data Security Controls[6]

Understanding the importance of data security will help you formulate a plan to protect that data. There are many data security technologies and processes that can support your company’s productivity while safeguarding data. Types of data security controls include:

  • Authentication: Authentication, along with authorization, is one of the recommended ways to boost data security and protect against data breaches. Authentication technology verifies if a user’s credentials match those stored in your database. Today’s standard authentication processes include using a combination of ways to identify an authorized user, such as passwords, PINS, security tokens, a swipe card, or biometrics. Authentication is made easier through single sign-on technology, which, with one security token, allows an authenticated user access to multiple systems, platforms, and applications. Authorization technology determines what an authenticated user are allowed to do or see on your website or server.
  • Access Control: Authentication and authorization happen through the process called access control. Access control systems can include: **Discretionary access control (the least restrictive), which allows access to resources based on the identity of users or groups,
    • Role-based access control, which assigns access based on organizational role and allows users access only to specific information, and
    • Mandatory access control, which allows a system administrator to strictly control access to all information.
  • Backups & Recovery: Prioritizing data security also requires a plan for how to access your company’s and client’s data in the event of system failure, disaster, data corruption, or breach. Doing regular data backups is an important activity to help with that access. A data backup entails making a copy of your data and storing it on a separate system or medium such as a tape, disk, or in the cloud. You can then recover lost data by using your backup.
  • Encryption: Data encryption software effectively enhances data security by using an algorithm (called a cipher) and an encryption key to turn normal text into encrypted ciphertext. To an unauthorized person, the cipher data will be unreadable. That data can then be decrypted only by a user with an authorized key. Encryption is used to protect the data that you store (called data at rest) and data exchanged between databases, mobile devices, and the cloud (called data in transit). Your encryption keys must be securely managed, including protecting your critical management systems, managing a secure, off-site encryption backup, and restricting access.
  • Data Masking: Data masking software hides data by obscuring letters and numbers with proxy characters. The data is still there, behind the masking. The software changes the data back to its original form only when an authorized user receives that data.
  • Tokenization: Tokenization substitutes sensitive data with random characters that are not algorithmically reversible. The relationship between the data and its token values is stored in a protected database lookup table, rather than being generated by and decrypted by a mathematical algorithm (as in the case of encryption). The token representing the real data is used across different systems as a replacement, while the actual data is stored on a separate, secure platform.
  • Deletions & Erasure: When electronic data is no longer needed and must be permanently cleared from the system, erasure can overwrite that data so that it is irretrievable. Erasure is different from deletion, which is a process that simply hides data in such a way that makes it easy to retrieve.


Data Security Compliance and Standards[7]

When an organization collects any kind of personal data, it instantly becomes known as a data processor. This label comes with a lot of responsibility. For this reason, there are a number of compliance regulations that govern organizations dealing in personal data regardless of the type or volume. The regulations that affect your organization will depend on a selection of factors, such as the industry you are operating in and the type of data you store. For example, if you store data relating to citizens in the European Union (EU) you will need to comply with the latest GDPR regulations. Failure to comply with any regulations that affect your organization could result in hefty fines. Other regulatory compliance and standards examples include:

  • NERC - Critical Infrastructure Protection
  • China's Personal Information Security Specification
  • PCI Security Standards

Regulatory compliance requirements often vary by data type. A few common examples include:

  • Personally Identifiable Information (PII)
  • Protected Healthcare Information (PHI, HIPAA)
  • Credit card information


Benefits of Data Security and The Potential Risks of Poor Data Security[8]

Benefits of Data Security
Loss or unauthorized disclosure of valuable data can be quite costly to an organization. It's the reason data security is quite useful. For instance;

  • Safeguards all valuable information: Sensitive information is never supposed to leak. Whether we are talking of bank customers’ details or a hospital’s patients’ information; these are crucial information that are not meant for every prying eye. Data security keeps all this information exactly where it's meant to be.
  • Important for your reputation: Any organization that can keep secrets also helps to build confidence among all stakeholders including customers, who know that their data is both safe and secure.
  • Marketing and competitive edge: Keeping sensitive information from illegal access and disclosure keeps you ahead of your competitors. Preventing any access to your future development or expansion plans is key in maintaining your competitive advantage.
  • Saves on development and support costs: The earlier you plug security features into your application, the less costs you may incur from any future support and development costs in terms of code modifications.

Potential Risks of Poor Data Security
The more technologically advanced businesses become, the more susceptible their systems become to attacks. Poor data security can subject your company to the following dangers:

  • Costly fines and litigations: Data breaches are usually serious offenses which can lead to legal actions from the customer against an organization. Failure to comply with any applicable state or federal data protection regulations can result in fines exceeding hundreds of thousands of dollars, depending on the severity of the breach, the number of individuals affected, and the company’s attempts (or lack thereof) to notify consumers and mitigate risks.
  • Reputation damage: Privacy and security of data are important, especially to your customers. If you don’t meet your end of this bargain – keeping your customers’ data secure in exchange for their business – your reputation as an organization can go up in flames. Customers tend to lose faith and confidence in a company that cannot keep their private information well-protected. Loss of business and a damaged reputation can often be even more costly over time than the hefty regulatory fines you also might be facing.
  • Loss of business: Cyber attackers have the potential to not only access and exploit sensitive information; they can also delete the same information. They can even introduce a highly destructive virus which infects the whole system, such as ransomware, requiring the payment of a ransom fee in order to regain access to your networks and sensitive data.
  • Poor data security could lead to an event which negatively impacts your business. Even the ability to conduct normal business may be changed. Again, it is a trickle-down effect, in which you may not be able to render the required services, leading to legal action and probable loss of revenue.


Data Security Challenges[9]

  • Explosive data growth: Data is growing at an exponential rate. Keeping up with new data sources across multiple environments creates new complexity at an unprecedented scale.
  • New privacy regulations: The General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD) and more.
  • Operational complexity: Movement to cloud, big data technologies and disparate tools from multiple vendors intensifies complexity.
  • Cybersecurity skills shortage: Organizations are already dealing with a lack of skilled security professionals, and this gap is only expected to widen over the next several years.


Data Security Best Practices[10]

There are many parts to a comprehensive data-security solution. Below is an overview of what should come together to create a good foundation for data security. What a best practice looks like for your business will depend on many factors, such as size, industry, location, and existing tools and policies.

  • Securing information
    • Manage your identity by restricting access to sensitive documents. Sometimes called data classification, managing who can see what based on their user ID is a great way to keep sensitive information restricted to only those who need to see it. This limits the amount of damage that can be done if someone's username or login details are stolen. Companies should be set up to handle different permissions based on the user, and this is a key point in a good data-security policy.
    • Encryption is one of the best tools that we have to keep data safe, but it isn't a monolith. You can't just decide to encrypt all of your data and call it a day — that's not exactly how it works. Often, software tools that you use for your business will have some sort of encryption offered, and that's a great place to start. Your information-backup service, for example, should be able to encrypt that data for you. You should also make sure you encrypt transmissions to add another layer of security onto any information you send. Think of encryption as taking your plain data and turning it into a secret code that only you can make heads or tails of — not the bad guys.
    • Be prepared for the mobile workforce. As mobile devices take over the workplace, your security threats grow. You need a mobile security plan to keep everyone in line. This should include an enforced protocol for employees, like staying off public Wi-Fi on work devices and having a company-mandated antivirus on mobile devices.
    • Protect user data at the source. When customers and employees log in for the first time (or repeated times), you can verify and secure their information with secure authentication practices like social login. This not only simplifies the process and reduces the risk of churn, but it also helps organize all of this sensitive data in a single location instead of in multiple databases and spreadsheets that can easily be lost.
  • Preparing for Threats
    • Test how good your system is. The best defense is a good offense, and the best offense in secure data recovery is working to ensure you don't lose your data in the first place. Either create an internal team to stress-test your system, or find someone outside your company to do it, but don't leave your security to chance.
    • Educate your employees. Common data-security attacks like spear-phishing emails and USB traps target employees who are unaware of the risks and have let their guard down. Circulating everyday tips on Security or implementing an executive training program can go a long way toward mitigating these risks.
    • Have an incident-management plan. When you find out that your company's security has been compromised, the last thing you want to do is panic. Having a comprehensive protocol can limit the damage done. Yes, IT needs to be aware of what to do, but you should also create guidelines for management, letting employees know, and next steps for recovery.
    • Make a secure data recovery plan in case of corruption or the unhappy scenario where something you need has been deleted or compromised. For many teams, this means having a backup copy of data that is regularly updated. The backup itself will have to be protected and should also be separate from the rest of your data.
  • Deleting information
    • Know how and when to let go. When it's time to get rid of information, you need to know how to dispose of it properly. When you have to throw out sensitive information on paper, you shred it. You cut up your credit cards and write "VOID" on checks before disposing of them. Digital data is no different. Make sure that when you're wiping information, it's really gone and not lingering somewhere that will come back to bite you.
    • Don't forget physical copies. If any of your backups are on paper, are stored on a thumb drive, are X-rays or microfilm or negatives — or anything else that's physical and totally separate from your digital systems — don't forget about them. When you're deleting digital information, make sure that part of the process is double-checking to see whether that information has a physical counterpart and, if so, destroying it in kind.
  • Compliance risks (check)
    • There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks. Especially if you are dealing with sensitive information, looking toward these laws and guidelines will help give you a better sense of what is appropriate for your company. For example, it's likely that companies in the medical field are required to follow HIPAA requirements.
    • You can also reduce compliance risks by following open standards. Take identity management, which has guidelines that are available for everyone to follow, with the explicit purpose of being as safe and responsible as possible.
    • Of course, everyone is talking about the GDPR and related laws like the California Consumer Privacy Act(CCPA). These points for data privacy and sharing will help broaden and deepen your existing protocol.
    • To ensure that you are exposed to the least risk possible, be thorough in your investigation of the laws that apply to your company and the best practices that have developed in your field or for your concerns. This will depend heavily on industry and location, but it needs to be done correctly to ensure that your data security is as good as possible.


See Also

Data Access
Data Analysis
Data Analytics
Data Architecture
Data Asset Framework (DAF)
Data Buffer
Data Center
Data Center Infrastructure
Data Center Infrastructure Management (DCIM)
Data Cleansing
Data Collection
Data Compatibility
Data Consolidation
Data Deduplication
Data Delivery Platform (DDP)
Data Description (Definition) Language (DDL)
Data Dictionary
Data Discovery
Data Driven Organization
Data Element
Data Enrichment
Data Entry
Data Federation
Data Flow Diagram
Data Governance
Data Health Check
Data Hierarchy
Data Independence
Data Integration
Data Integration Framework (DIF)
Data Integrity
Data Island
Data Item
Data Lake
Data Life Cycle
Data Lineage
Data Loss Prevention (DLP)
Data Management
Data Migration
Data Minimization
Data Mining
Data Model
Data Modeling
Data Monitoring
Data Munging
Data Portability
Data Preparation
Data Presentation Architecture
Data Processing
Data Profiling
Data Proliferation
Data Propagation
Data Protection Act
Data Prototyping
Data Quality
Data Quality Assessment (DQA)
Data Quality Dimension
Data Quality Standard
Data Reconciliation
Data Reference Model (DRM)
Data Science
Data Security
Data Stewardship
Data Structure
Data Structure Diagram
Data Suppression
Data Transformation
Data Validation
Data Value Chain
Data Vault Modeling
Data Virtualization
Data Visualization
Data Warehouse
Data Wrangling
Data and Information Reference Model (DRM)
Data as a Service (DaaS)
Database (DB)
Database Design
Database Design Methodology
Database Management System (DBMS)
Database Marketing
Database Schema
Database System
Security Architecture
Security Policy
Security Reference Model (SRM)
Information Security Governance
Information Security
Adaptive Security Architecture (ASA)
Business Model for Information Security (BMIS)
Cognitive Security
Common Data Security Architecture (CDSA)
Federal Information Security Management Act (FISMA)
Payment Card Industry Data Security Standard (PCI DSS)
Data Security
Computer Security
Enterprise Information Security Architecture (EISA)
Fault Configuration Accounting Performance Security (FCAPS)
Graduated Security
Information Systems Security (INFOSEC)
Information Security Management System (ISMS)
Information Technology Security Assessment
Mobile Security
Network Security
Cyber Security


References

  1. Definition - What Does Data Security Mean? Wikipedia
  2. What is Data Security? Techopedia
  3. Data Security Vs. Data Privacy Data Privacy Manager
  4. Why Data Security? Microfocus
  5. How Do You Ensure Data Security? Varonis
  6. Types of Data Security Controls Looker
  7. Data Security Compliance and Standards ForcePoint
  8. What are the Benefits of Data Security and t he Potential Risks of Poor Data Security Digital Guardian
  9. What are the top data security challenges? IBM
  10. What Are Best Practices for Data Security? Auth0