Data Security is a process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different datasets, their sensitivity, regulatory compliance requirements and then applying appropriate protections to secure those resources.
Similar to other approaches like perimeter security, file security or user behavioral security, data security is not the be all, end all for a security practice. It’s one method of evaluating and reducing the risk that comes with storing any kind of data.
Get the Free Pen Testing Active Directory Environments EBook
What are the Main Elements of Data Security?
The core elements of data security are confidentiality, integrity, and availability. Also known as the CIA triad, this is a security model and guide for organizations to keep their sensitive data protected from unauthorized access and data exfiltration.
- Confidentiality ensures that data is accessed only by authorized individuals;
- Integrity ensures that information is reliable as well as accurate; and
- Availability ensures that data is both available and accessible to satisfy business needs.
What are Data Security Considerations?
There are a few data security considerations you should have on your radar:
- Where is your sensitive data located? You won’t know how to protect your data if you don’t know where your sensitive data is stored.
- Who has access to your data? When users have unchecked access or infrequent permission reviews, it leaves organizations at risk of data abuse, theft or misuse. Knowing who has access to your company’s data at all times is one of the most vital data security considerations to have.
- Have you implemented continuous monitoring and real-time alerting on your data? Continuous monitoring and real-time alerting are important not just to meet compliance regulations, but can detect unusual file activity, suspicious accounts, and computer behavior before it’s too late.
What are Data Security Technologies?
The following are data security technologies used to prevent breaches, reduce risk and sustain protections.
The question isn’t if a security breach occurs, but when a security breach will occur. When forensics gets involved in investigating the root cause of a breach, having a data auditing solution in place to capture and report on access control changes to data, who had access to sensitive data, when it was accessed, file path, etc. are vital to the investigation process.
Alternatively, with proper data auditing solutions, IT administrators can gain the visibility necessary to prevent unauthorized changes and potential breaches.
Data Real-Time Alerts
Typically it takes companies several months (or 206 days) to discover a breach. Companies often find out about breaches through their customers or third parties instead of their own IT departments.
By monitoring data activity and suspicious behavior in real-time, you can discover more quickly security breaches that lead to accidental destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Data Risk Assessment
Data risk assessments help companies identify their most overexposed sensitive data and offer reliable and repeatable steps to prioritize and fix serious security risks. The process starts with identifying sensitive data accessed via global groups, stale data, and/or inconsistent permissions. Risk assessments summarize important findings, expose data vulnerabilities, provide a detailed explanation of each vulnerability, and include prioritized remediation recommendations.
The last decade of IT management has seen a shift in the perception of data. Previously, having more data was almost always better than less. You could never be sure ahead of time what you might want to do with it.
Today, data is a liability. The threat of a reputation-destroying data breach, loss in the millions or stiff regulatory fines all reinforce the thought that collecting anything beyond the minimum amount of sensitive data is extremely dangerous.
To that end: follow data minimization best practices and review all data collection needs and procedures from a business standpoint.
Purge Stale Data
Data that is not on your network is data that can’t be compromised. Put in systems that can track file access and automatically archive unused files. In the modern age of yearly acquisitions, reorganizations and “synergistic relocations,” it’s quite likely that networks of any significant size have multiple forgotten servers that are kept around for no good reason.
How Do You Ensure Data Security?
While data security isn’t a panacea, you can take several steps to ensure data security. Here are a few that we recommend.
Quarantine Sensitive Files
A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly get control of your data with data security software that continually classifies sensitive data and moves data to a secure location.
Track User Behavior against Data Groups
The general term plaguing rights management within an organization is “overpermissioning’. That temporary project or rights granted on the network rapidly becomes a convoluted web of interdependencies that result in users collectively having access to far more data on the network than they need for their role. Limit a user’s damage with data security software that profiles user behavior and automatically puts in place permissions to match that behavior.
Respect Data Privacy
Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control.
Data Security Regulations
Regulations such as HIPAA (healthcare), SOX (public companies) and GDPR (anyone who knows that the EU exists) are best considered from a data security perspective. From a data security perspective, regulations such as HIPAA, SOX, and GDPR require that organizations:
- Track what kinds of sensitive data they possess
- Be able to produce that data on demand
- Prove to auditors that they are taking appropriate steps to safeguard the data
These regulations are all in different domains but require a strong data security mindset. Let’s take a closer look to see how data security applies under these compliance requirements:
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act was legislation passed to regulate health insurance. Section 1173d—calls for the Department of Health and Human Services “to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, and the value of audit trails in computerized record system.”
From a data security point of view, here are a few areas you can focus on to meet HIPAA compliance:
- Continually Monitor File and Perimeter Activity – Continually monitor activity and access to sensitive data – not only to achieve HIPAA compliance, but as a general best practice.
- Access Control – Re-compute and revoke permissions to file share data by automatically permissioning access to individuals who only have a need-to-know business right.
- Maintain a Written Record – Ensure you keep detailed activity records for all user objects including administrators within active directory and all data objects within file systems. Generate changes automatically and send to relevant parties who need to receive the reports.
The Sarbanes-Oxley Act of 2002, commonly called “SOX” or “Sarbox,” is a United States federal law requiring publicly traded companies to submit an annual assessment of the effectiveness of their internal financial auditing controls.
From a data security point of view, here are your focus points to meet SOX compliance:
- Auditing and Continuous Monitoring – SOX’s Section 404 is the starting point for connecting auditing controls with data protection: it asks public companies to include in their annual reports an assessment of their internal controls for reliable financial reporting, and an auditor’s attestation.
- Access Control –Controlling access, especially administrative access, to critical computer systems is one of the most vital aspects of SOX compliance. You’ll need to know which administrators changed security settings and access permissions to file servers and their contents. The same level of detail is prudent for users of data, displaying access history and any changes made to access controls of files and folders.
- Reporting – To provide evidence of compliance, you’ll need detailed reports including:
- data use, and every user’s every file-touch
- user activity on sensitive data
- changes including permissions changes which affect the access privileges to a given file or folder
- revoked permissions for data sets, including the names of users
General Data Protection Regulation (GDPR)
The EU’s General Data Protection Regulation covers the protection of EU citizen personal data, such as social security numbers, date of birth, emails, IP addresses, phone numbers, and account numbers. From a data security point of view, here’s what you should focus on to meet GDPR compliance:
- Data Classification – Know where sensitive personal data is stored. It’s critical to both protecting the data and also fulfilling requests to correct and erase personal data, a requirement known as the right to be forgotten.
- Continuous Monitoring –The breach notification requirement enlists data controllers to report the discovery of a breach within 72 hours. You’ll need to spot unusual access patterns against files containing personal data. Expect hefty fines if you fail to do so.
- Metadata – With the GDPR requirement to set a limit on data retention, you’ll need to know the purpose of your data collection. Personal data residing on company systems should be regularly reviewed to see whether it needs to be archived and moved to cheaper storage or saved for the future.
- Data Governance – Organizations need a plan for data governance. With data security by design as the law, organizations need to understand who is accessing personal data in the corporate file system, who should be authorized to access it and limit file permission based on employees’ actual roles and business need.
How Varonis Helps with Data Security
For companies that have a hold on data and have security obligations due to GDPR or other regulatory requirements, understanding our mission at Varonis will help you manage and meet data protection and privacy regulations requirements.
The mission at Varonis is simple: your data is our primary focus, and our data security platform protects your file and email systems from cyberattacks and insider threats. We’re fighting a different battle – so your data is protected first. Not last.
We continuously collect and analyze activity on your enterprise data, both on-premises and in the cloud. We then leverage five metadata streams to ensure that your organization’s data has confidentiality, integrity, and availability:
- Users and Groups – Varonis collects user and group information and maps their relationships for a complete picture of user account organization.
- Permissions – We add the file system structure and permissions from the platforms that we monitor, and combine everything into a single framework for analysis, automation, and access visualization.
- Access Activity – Varonis continually audits all access activity, and records & analyzes every touch by every user. Varonis automatically identifies administrators, service accounts and executives and creates a baseline of all activity. Now you can detect suspicious behavior: whether it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware like CryptoLocker.
- Perimeter Telemetry – Varonis Edge analyzes data from perimeter devices such as VPN, proxy servers, and DNS – and combines this information with data access activity to detect and stop malware apt intrusions and data exfiltration.
- Content Classification – Varonis scans for sensitive and critical data, and can absorb classification from other tools like DLP or e-Discovery. Now we know where sensitive data lives and where it’s overexposed.
These five metadata streams are critical to achieving data security nirvana. When you combine them, you can get reports on sensitive data open to global group access, stale data, data ownership, permissions changes and more. Then, prioritize your custom reports and act to remediate your risk. Meanwhile, you’ll know that your data is continuously monitored and that you’ll receive real-time alerts when suspicious behavior is taking place.
Get a free data risk assessment to see whether your data security strategy is where it needs to be.