Layered security approach to safeguard Digital Data

In this era of the digital world, everything from electronics to groceries is moving online, which makes it more important for an organization that its digital experience is always available to its intended users. But as the digital world becomes more prominent, it is also becoming a major target for attackers.

According to a recent report, DDoS and malware attacks are growing rapidly, and the volume of damage caused by these attacks is growing along with them.

Whether the lack of availability is because of an attack or theft of data, digital experiences need to be protected as they are the focal point for consumer engagement, interaction, and commerce.

Safeguard Digital data

Protecting digital data isn't a matter of one magic solution. It often involves multiple techniques and layers of security. Here is a list of methods and technological solutions that an organization can embrace to secure its digital data:

  • HTTPS
  • User Authentication
  • DRM
  • Encryption
  • Obfuscation and Tokenization
  • Regional Access
  • DDoS Protection
  • Web Application Firewall (WAF)

Let's take a brief look at each of these technologies below:

HTTPS:

The first and most fundamental level of protection you can offer is the assurance to the user that they are accessing your digital content. One way to accomplish this is to deliver the data over HTTPS.

HTTPS or HTTP-Secured refers to the encryption of communication between a client and the server, through a trusted certificate that verifies ownership of the destination. When a successful HTTPS connection is established, any data that passes over that connection is encrypted, thus protecting it from anyone who might intercept the transmission.

User Authentication:

The simplest way to protect your data is by prompting users to provide valid credentials for accessing specific areas or types of content. Depending on the complexity of the application, the required credentials can include a number of static and dynamic content elements, such as:

  1. Username
  2. Password
  3. Personal Identification Information
  4. Answers to security questions
  5. CAPTCHA

Server-side scripting authenticates the user by processing these data elements and provides access to valid users only.

Digital Rights Management (DRM):

When part of your digital data is video, you may be required to protect that content by preventing unauthorized people from viewing it. For example, if you are licensing the material from a third party, they may want to ensure that their videos can’t be stolen and redistributed on the Web. That’s where DRM packages come into action.

A DRM package refers to how the content is encrypted for playback. Packages often require a specific player in order to decrypt the content. Some of today’s more popular DRM formats include:

  1. Microsoft PlayReady
  2. Widevine
  3. Adobe Access
  4. Marlin
  5. Ultraviolet

Encryption:

Websites have become more dependent upon back-end databases to enable high-end functionality. Some of the stored data can be “personally-identifiable information” (PII) such as names, addresses, emails, and credit card numbers, which needs to be protected. This can be achieved by encryption. There are lots of programmatic ways to encrypt the data using server-side scripting.

Common algorithms used for encryption are:

  1. Triple DES
  2. RSA
  3. Blowfish
  4. Twofish
  5. AES
  6. MD5

Obfuscation and Tokenization:

It's equally important to protect our content from being displayed on another website (content scraping and deep linking) without our permission. This can be achieved by masking the content location using a server-side script, a technique called obfuscation.

For example, consider these two URLs:

https://website.com/dir1/dir2/mycontent/testplay.mp4

https://website.com/dir1/dir2/mycontent/testplay.php

In the first URL, the content location is easily identifiable as an .mp4 file. But in the second, the content location is obfuscated by referring the request to a server-side script (testplay.php), which processes it and returns the result directly to the browser without a visible URL.

A more advanced form of obfuscation is called tokenization, which refers to “the process of substituting a sensitive data element with a non-sensitive equivalent (called a token) that has no exploitable meaning or value.”

The token is a reference that maps back to the sensitive data through a tokenization system (mapping from original data to token is irreversible in the absence of the tokenization system.)
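The token-to-data mapping described above, as an added example that is not part of the original article: a minimal in-memory token vault in Python. The `TokenVault` class, the `tok_` prefix, the `caller_authorized` flag and the sample record are all hypothetical names and constructed values chosen for illustration.

```python
import secrets


class TokenVault:
    """In-memory stand-in for a tokenization system (hypothetical; a real
    vault is a separate, access-controlled and audited service)."""

    def __init__(self):
        self._by_token = {}   # token -> sensitive value
        self._by_value = {}   # sensitive value -> token (stable mapping)

    def tokenize(self, value: str) -> str:
        # The same input always yields the same token, so tokens can
        # still be used as lookup or join keys downstream.
        if value in self._by_value:
            return self._by_value[value]
        # The token is random, not derived from the value, so it cannot
        # be reversed by computation, only by a lookup in the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        if not caller_authorized:
            raise PermissionError("caller may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of record with the named fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


# Constructed sample record; the card number is a common test value.
SAMPLE = {"name": "A. Customer", "card": "4111111111111111", "plan": "gold"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE, {"name", "card"})
    print(stored)  # what the application database would hold
    print(vault.detokenize(stored["card"], caller_authorized=True))
```

Only the tokenized record needs to reach the application database; a copy of that database without access to the vault reveals no card numbers.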

Regional Access:

In some cases, when licensing content from a third party, you may be required to restrict access to specific geographic regions. In the digital content delivery world, this security mechanism is known as geofencing and refers to the use of geographical data (i.e., world region, country, zip code, etc.) to either allow or deny access to specific content.

The way geofencing works is relatively simple. When a user request is made to the CDN (Content Distribution Network), the IP address of the user’s location is taken from the request header. A business-rules engine then compares that IP against a database of geolocations, and the request is either approved or denied.
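The geofencing check described above, as an added Python example that is not from the original article. It assumes the CDN edge passes the client address in the `X-Forwarded-For` header; the geolocation table, allowed-country set and trusted proxy range are constructed values built from documentation-only address ranges.

```python
import ipaddress

# Constructed geolocation table (documentation-only address ranges).
GEO_DB = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "IN"),
    (ipaddress.ip_network("2001:db8:1::/48"), "DE"),
]
ALLOWED_COUNTRIES = {"US", "IN"}                            # licensing rule
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical edge range


def client_ip(peer_addr, headers):
    """Pick the address to geolocate.

    X-Forwarded-For is set by whoever sends the request, so it is honoured
    only when the TCP peer is one of our own proxies.
    """
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        try:
            # Right-most entry is the address our proxy itself observed;
            # entries to its left were supplied by the client.
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer
    return peer


def country_of(ip):
    # Longest-prefix match over the geolocation table.
    matches = [(net.prefixlen, cc) for net, cc in GEO_DB if ip in net]
    return max(matches)[1] if matches else None


def geofence(peer_addr, headers):
    """Business rule: allow only known, licensed countries."""
    ip = client_ip(peer_addr, headers)
    cc = country_of(ip)
    decision = "allow" if cc in ALLOWED_COUNTRIES else "deny"
    return decision, str(ip), cc


if __name__ == "__main__":
    print(geofence("203.0.113.7", {"X-Forwarded-For": "192.0.2.10"}))
    print(geofence("2001:db8:1::5", {"X-Forwarded-For": "192.0.2.10"}))
```

The second call shows a client outside the allowed regions supplying its own header: because the peer is not a trusted proxy, the header is ignored and the request is denied. Addresses with no geolocation entry are denied as well.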

DDoS Protection:

Ensuring your digital content and experiences are available is just as important as encrypting sensitive data or protecting against theft. And with the rising number of attacks, it’s critical that you enable a layer of security in front of your origin that mitigates the potential of Distributed Denial of Service (DDoS) attacks. For example:

  • You can host on-premise equipment in front of your origin.
  • You can employ cloud-based services.

Cloud-based DDoS security has more advantages than on-premise equipment.

Web Application Firewall (WAF):

The sophistication of cyber-attacks sometimes warrants a layering of security technologies in front of a website. For example, where DDoS protection can help prevent a flood of malicious traffic, a WAF can help filter traffic against a set of rules to prevent more targeted activity like cross-site scripting (XSS) and SQL injections.

A web application firewall (WAF) is an appliance, server plugin or filter that applies a set of rules to an HTTP conversation. By customizing your WAF's rules, many attacks can be identified and blocked. The effort to perform this customization can be significant, and the rules need to be maintained as the application is modified.

Conclusion

Securing the digital data is critical for ensuring the best possible user experience. From verifying your identity (with HTTPS) to encrypting sensitive data, to restricting access and protecting multimedia content, you must approach security in a layered manner by employing multiple means and techniques to protect the digital content. 

Authored By - Rajesh Rao
TCS Cyber Security Practice
