Article

What is data security?

Security
Time to read: 13 minutes

Data security is comprised of the practices used to protect digital information throughout its lifecycle from any unauthorized access (e.g., cybercriminals, malicious insiders, human errors) that could result in theft, exposure, corruption, or deletion. An array of business, organizational, and IT processes and technology are foundational to data security, including access to all hardware and software as well as physical structures that house them.

A common model and framework that is the basis for data security is the CIA (Confidentiality, Integrity, and Availability) Triad. The role of each component in data security is:

  1. Confidentiality
    Data security measures are in place to ensure that information is accessed only by authorized users with the proper credentials.
  2. Integrity
    Data security systems are implemented to ensure that information remains reliable, accurate, and protected from unwarranted changes.
  3. Availability
    Data security checks are in place to ensure that data is readily accessible and available for the ongoing needs of authorized users.

In addition to the risks related to malware and advanced persistent threats (APTs), data security aims to mitigate human-based threats, such as:

  1. Falling for social engineering ploys
    Social engineering is one of the most effective cybersecurity threat vectors as it exploits one of an organization’s weakest data security links—people. These attacks cause data security breaches by manipulating authorized users to share sensitive information, such as credentials or personally identifiable information (PII).
  2. Human error
    Data breaches are usually associated with cybercriminals or malicious insiders, but simple human error is often a cause of sensitive data or information being exposed. This can result from accidental sharing of, granting access to, losing, or mishandling sensitive information.
  3. Malicious insiders
    These internal threats can include employees, contractors, vendors, or partners who intentionally threaten data security. Malicious insiders use their knowledge of an organization to override data security measures to steal, leak, damage, or destroy sensitive information.

Beyond protecting information from cybercriminals, data security provides other benefits:

  1. Helps organizations maintain a good reputation with customers, partners, and employees by providing assurances that the organization is taking measures to keep sensitive information safe.
  2. Delivers a competitive edge, differentiating the enterprise from others who have suffered data breaches.
  3. Ensures that information is available for authorized systems and users.

Why data security is important

The importance of data security has grown significantly with the rise in remote work, cloud services, and Internet of Things (IoT) devices. These trends have expanded attack surfaces exponentially, providing more opportunities for unauthorized access than ever before.

This trend continues to drive demand for data security as organizations struggle to protect sensitive information. Three of the key reasons most often cited for the importance of data security are related to compliance requirements, brand equity and value, and proprietary information.

1. Data security requirements for compliance

  1. Public and private organizations are subject to a wide range of standards and regulations, including strict data security requirements.
  2. Industry-specific regulations include:
  3. Anti-Money Laundering (AML)
  4. Customer Due Diligence (CDD)
  5. Family Educational Rights and Privacy Act (FERPA)
  6. Federal Information Security Management Act of 2002 (FISMA)
  7. Gramm-Leach-Bliley Act (GLBA)
  8. Health Insurance Portability and Accountability Act (HIPAA)
  9. Know Your Client (KYC)
  10. Payment Card Industry Data Security Standard (PCI DSS)
  11. Sarbanes-Oxley Act (SOX)
  12. Regulations that span all organizations in a geographic area include:
  13. California Consumer Privacy Act (CCPA)
  14. Children’s Internet Protection Act (CIPA)
  15. Children’s Online Privacy Protection Act (COPPA)
  16. European Union General Data Protection Regulation (GDPR)
  17. Personal Information Protection and Electronic Documents (PIPEDA)

A data breach can also trigger significant financial losses, including fines if the data security protocols dictated by compliance requirements were not followed, along with legal fees related to addressing settlement claims related to losses and damage repair if sensitive data has to be recovered.

2. Data security to prevent damage to brand equity and value

Data security is also instrumental in addressing the reputational risk accompanying a data breach, which can result in losing customers’ trust and the subsequent ceding of market share to competitors.

The cost of a damaged brand cannot be exaggerated – a high-profile data breach can destroy years, and even decades, of brand equity and value that cannot be bought back at any price; in fact, this is cited as the top impact of a data breach, which reinforces the criticality of data security.

3. Data security to protect proprietary information

At its core, data security is meant to protect an organization’s digital assets and systems, including intellectual property, networks and servers, and critical infrastructure. In addition to financial theft, cybercriminals routinely target organizations to steal trade secrets and valuable customer information.

Other attacks focus on disruptions by targeting IT infrastructure that upends operations and critical infrastructure that can dismantle vital services, such as power or water. Data security provides the protections needed to defend against these attacks.

Types of data security

The five most common types of data security used to protect information, devices, networks, systems, and users are data encryption, data erasure, data masking, data resiliency, and tokenization. Depending on the use case, these are used separately and in combination.

1. Data encryption
Data encryption uses an algorithm to change human-readable text into a string of characters. This encrypted data can only be decoded back to plaintext by an authorized user with a unique decryption key. Encryption is an effective data security tool widely used to protect data at rest and in transit.

2. Data erasure
Data erasure is a more secure way to permanently remove data from a system than data wiping. Data erasure is key to data security, ensuring that any information left on a device is completely overwritten and verified unrecoverable.

3. Data masking
Data masking allows organizations to present users with human-readable text, but hide sensitive information using substitute text, “masking” or hide key information by substituting human-readable text for proxy characters. The content is reverted to its original form when authorized users access it.

4. Data resiliency
Data resiliency is key to data security as it ensures data availability. Employing data resiliency systems and processes, such as data backups, minimizes disruption in the case of accidental destruction or loss of data in the case of a cyber-attack (e.g., ransomware) or a cyber-disaster.

5. Tokenization
Like data encryption, tokenization replaces plaintext with a string of characters. Tokenization substitutes the plaintext for an unreadable version of the same data called a token.

This string of characters represents the original data, which is stored in a secure token vault. This data security solution protects sensitive information, such as personally identifiable information (PII) or protected health information (PHI).

Data security tools and solutions

Commonly used data security tools and solutions include:

  1. Access management and controls
  2. Authentication, such as biometrics, single sign-on (SSO), and multi-factor authentication (MFA)
  3. Data and file activity monitoring
  4. Data discovery and classification
  5. Data loss prevention (DLP)
  6. Email security
  7. Identity and access management (IAM)
  8. Network and endpoint protection, monitoring, and controls
  9. Real-time systems and data monitoring
  10. Vulnerability assessment and risk analysis

Data security strategies

A comprehensive data security strategy combines tools and solutions with processes focused on people. Following are several of the important data security strategies that should be employed with tools and solutions.

  1. Apply patches and keep software updated
  2. Create policies to ensure preparedness for a cyberattack
  3. Do not forget mobile data security
  4. Educate employees about the importance of data security
  5. Employ data management strategies, including:
  6. Ensure the physical security of servers and user devices, such as:
  7. Know where data resides
  8. Partition sensitive files
  9. Restrict high-risk activities
  10. Test processes and systems
  11. Track user access
  12. Use behavior-based permissions
  13. Data auditing
  14. Data minimization
  15. Data risk assessment
  16. Purge stale data and applications
  17. Hiring security personnel
  18. Implementing access control using key cards or biometrics
  19. Keeping filing cabinets locked
  20. Locking office doors
  21. Shredding paper records
  22. Using surveillance cameras

Data security best practices also recommend implementing administrative and operational security.

  1. Administrative security addresses risks that originate outside of an organization with measures such as:
  2. Operational security involves protecting information from internally originating vulnerabilities with tactics such as:
  3. Conducting third-party risk assessments
  4. Developing privacy, incident response, and information security policies
  5. Having cybersecurity insurance
  6. Implementing audit controls
  7. Providing security awareness training
  8. Adding security messages to log-on screens
  9. Developing and implementing employee onboarding and exit procedures
  10. Fostering a culture of security
  11. Monitoring users’ devices
  12. Training internal and external users

Trends in data security

Expanding attack surfaces from Iot devices

Internet of Things (IoT) devices present one of the gravest data security risks due to the scale and velocity of deployment—billions worldwide. These devices can be found almost everywhere, and because so many are connected to networks, they have increased attack surfaces exponentially.

Beyond the number of IoT devices deployed, their vulnerability makes them a particular threat to data security; most IoT devices were not built with security as a priority and are often deployed without security.

Because IoT devices have limited processing and storage capacity, installing data security software on them is challenging. In addition, due to the number and dispersity of them, it is difficult to keep security systems updated and install updates and security patches.

Growing threat of ransomware

While ransomware has been part of the cyber threat landscape since 1989, it has become the malware of choice for many cyber criminals. It is relatively easy to deploy with its payload delivery the same as other commonly used malware.

Ransomware is also widely accessible on the dark web. Even individuals or small cybercriminal groups can effectively utilize it, taking advantage of ransomware-as-a-service.

Data security solutions are used to combat ransomware. However, data security systems are challenged to stop ransomware as it commonly uses social engineering to bypass these solutions.

Increasing use of artificial intelligence in data security

Artificial intelligence (AI) is increasingly used with machine learning (ML) to improve the efficacy of data security solutions. AI and ML are used to automate security processes and threat detection with continuous improvement as collected data is used to enhance the identification of suspicious activity. The importance of AI for data security is that it can process large amounts of data and apply rapid decision-making based on analysis to inform incident response thousands of times faster than humans and basic software.

Another branch of AI, natural language processing (NLP), is used to combat phishing attempts as AI and ML-enabled tools can better identify malicious messages than humans. AI also enhances the accuracy and performance of biometric screening for authorization, such as facial, fingerprint, and voice recognition. It is also being used to develop additional biometric screening methods to advance data security, such as behavior recognition.

Enterprise data security

Enterprise data security requires a multi-layered approach to ensure that data and applications are always secure and available. It also includes business continuity preparedness to minimize service disruptions in the case of a cyberattack or disaster.

The scope of enterprise data security continues to expand with the growing number of people working from home, the wide use of mobile devices, and the explosion of IoT devices. Each of these use cases heavily depends on information that is often sensitive. This raises the bar for enterprise data security as complexity, the volume of users (i.e., machine and human), and attack surfaces expand.

Cloud data security

Data security extends beyond the confines of internal IT to cover the growing footprint of cloud-based infrastructure and services. Usually, data security for cloud-based infrastructure and services is provided in concert with cloud service providers and enterprise IT teams.

Cloud computing presents many of the same threats as on-premises deployments. Data security solutions have been optimized to manage cloud environments, but additional precautions must be implemented. Among the additional data security considerations for cloud-based infrastructure and services are related to protecting cloud migration and avoiding misconfigured cloud settings that create vulnerabilities.

Data security and bring your own device (BYOD)

Bring your own device (BYOD), or the use of personal computers, tablets, and mobile devices in enterprise computing environments, is here to stay and expanding despite the well-founded outcry from IT security teams about the risks this practice presents. Data security measures continue to grow to try to protect these devices.

Data security protocols employed to shore up protections against the threats BYOD brings requires employees who use personal devices to install security software to access corporate networks. The intent of this data security practice is to try to centralize control over and visibility into data access and movement to and from personal devices. Other data security tactics that help provide security around BYOD enforce the use of encryption, strong passwords, multi-factor authentication, regular installation of patches and software updates, and backups.

Monitoring is another important data security measure used to mitigate the risk of BYOD. This approach also addresses the use of unsanctioned BYOD by identifying all devices.

Staying on top of advances in data security

A presence since the advent of information, data security has played a vital role in ensuring its integrity and availability—from early manual ciphers to crypts for storing secrets. Like most technology, data security continues to evolve. To take full advantage of the power and efficacy of data security, take time to keep abreast of developing trends and the related solutions that become available.

Take control of your cloud platform.

Learn more about SailPoint Identity Security.