Data security is vital to protect personal and sensitive data. Increased data movement and storage across multiple channels and devices have helped organizations grow their business; however, they also add significant risk and expose data to attack. In addition, numerous regulatory and compliance bodies mandate standards for securing personal and sensitive data, and organizations must comply with those standards to avoid penalties and charges.
Threats to Data Security
- Internet-facing web applications - If public-facing applications are not developed using secure coding methods and lack the other network security controls needed for defense-in-depth, they are vulnerable to data leakage.
- Software vulnerabilities - Software that is not updated with the latest patches and security fixes remains exposed to known weaknesses.
- Zero-day attacks - Organizations must always have compensating controls that provide defense-in-depth and apply least-privilege access to limit the exposure and impact of zero-day attacks. Defense-in-depth in particular provides enough layers of security to safeguard against a zero-day attack.
- Phishing and targeted attacks - Phishing emails and messages trick users into leaking data; proper email and gateway-level security must filter and scan spam to reduce this attack vector.
- Cloud computing - With the current trend of storing data in the cloud and accessing it anywhere, anytime, at reduced cost, there is a high risk of data leakage unless stringent security controls are applied at every level.
- Mobile devices - With the increased use of mobile and BYOD devices, data is accessible from many different endpoints. On mobile devices in particular, controls must be applied through MDM or MDA approaches.
- Absence of a security architecture framework - An organization must have a proper security architecture framework to define, build, deploy and maintain its security posture through security standards and policies aligned with regulatory, compliance and industry best-practice requirements.
- Unsecured backup and recovery - Backup and recovery devices are mostly overlooked by organizations; they need to be hardened with proper security controls such as access control, encryption and network segregation.
Organizations have to classify their data in order to apply the relevant security controls in transit and at rest, whether on-premise or external (cloud). For example, Highly Confidential data must be encrypted end-to-end in transit, at both the transport tunnel and the payload level, to ensure confidentiality and integrity, whereas public data does not require encryption. A few important data classification labels are listed below:
- Highly Confidential / Restricted
Data Discovery on systems
- Databases - Business and IT applications use their own RDBMS databases to store data for processing. As part of the data discovery process, personal, sensitive and highly confidential data must be identified, and the required encryption or hashing techniques, such as column-level encryption or full database encryption, applied.
- Client systems (laptops/workstations/mobile) - Client systems such as Windows 7 and Windows 10 are widely used to access business and IT applications, and there is a high chance of business-sensitive and personal information being stored locally, especially by top-management users. To secure client data at rest, a disk encryption solution must be used; even if a device is lost, the encrypted data remains safe because it cannot be read without the decryption key.
- File servers - Within the organization, file servers are used by systems and users to store information. Based on the data classification, the appropriate encryption or hashing techniques must be applied. Where desktop encryption software is used, it encrypts specific folders rather than the whole disk.
- Backup systems - All critical and sensitive information is stored on backup media for disaster recovery and business continuity purposes. Most organizations overlook the security of backup systems, which are one of the main places attackers look to retrieve data at rest. Appropriate tape and disk encryption, along with tightened access control, must secure this data.
- API communications - Data in transit between two systems, especially highly confidential information, must be encrypted at a minimum at either the tunnel or the payload level.
- Email systems - Email gateway security must include DLP and encryption solutions so that sensitive and critical data is filtered and encrypted appropriately to secure the communication.
- Gateway scanning systems - The network perimeter security zones must have appropriate controls such as firewalls, load balancers and a WAF to filter malicious traffic and prevent major attacks such as DDoS and DoS.
Security Mechanism for Data at rest and transit
Encryption is the most demanded requirement for securing data at rest and in transit. In transit, data can be encrypted using TLS, and an additional layer of payload-level encryption using a symmetric cryptographic algorithm provides stronger security.
For data at rest in an RDBMS, column-level encryption or full database encryption can be chosen based on the requirement. All client systems can implement full disk encryption.
- Secured communication
Data transmission, especially from an internal network to an external cloud-based network, must pass through multiple layers of AAA (authentication, authorization and accounting) and security-scanning checks to ensure that data is sent and received only between authorized systems.
- Access control – RBAC
Each system and application must have access controls defined and enforced through methods such as RBAC (role-based access control), DAC (discretionary access control), ABAC (attribute-based access control) or CAC (context-based access control).
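As an added illustration of combining RBAC with attribute- and context-based checks (example code, not from the original article), the Go policy below grants an action only if some role covers it at the resource's classification, and then tightens the decision using device, MFA and network attributes; the role names, the two middle classification levels and the specific context rules are assumptions made for this example.

```go
package main

// Classification levels in rising order of sensitivity. The article names Public and
// Highly Confidential; the two middle levels are assumptions for this example.
type Classification int
const (
	Public Classification = iota
	Internal
	Confidential
	HighlyConfidential
)
// Role is the RBAC part: the actions a role may perform, and the highest
// classification it is cleared for.
type Role struct {
	Actions   map[string]bool
	Clearance Classification
}
// Subject carries the attributes the ABAC/context-based checks evaluate.
type Subject struct {
	Roles         []string
	ManagedDevice bool // enrolled in MDM, as opposed to an unmanaged BYOD device
	MFA           bool
	OnCorpNetwork bool
}
// Resource is the data being accessed together with its classification label.
type Resource struct {
	Name  string
	Level Classification
}

// Decide applies RBAC first (some role must grant the action with enough clearance),
// then context rules that tighten as the classification rises. Any failed rule denies.
func Decide(roles map[string]Role, s Subject, r Resource, action string) (bool, string) {
	granted := false
	for _, name := range s.Roles {
		if role, ok := roles[name]; ok && role.Actions[action] && role.Clearance >= r.Level {
			granted = true
			break
		}
	}
	if !granted {
		return false, "rbac: no role grants " + action + " at this classification"
	}
	if r.Level >= Confidential && !s.ManagedDevice {
		return false, "context: confidential data requires an MDM-managed device"
	}
	if r.Level == HighlyConfidential && (!s.MFA || !s.OnCorpNetwork) {
		return false, "context: highly confidential data requires MFA from the corporate network"
	}
	return true, "allowed"
}
```

The returned reason string is meant for the audit log, so a denied request records which layer (role or context) refused it.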
- Key management
The certificates and keys used for encryption, decryption and signing must be governed by strong key management standards covering key generation, rotation, expiry and distribution. Standards must also define which cryptographic algorithms and key lengths are strong enough to be used.
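To make the payload-level symmetric encryption described under "Security Mechanism" and the key rotation and expiry requirements above concrete, the following Go example (added here, not code from the original article) seals a payload with AES-256-GCM under a versioned key and refuses envelopes that reference an unknown or retired key version; the key ids, lifetimes and the Envelope layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// Key is one version of the payload key; after rotation it stays decrypt-only until RetireAt.
type Key struct {
	ID       string
	AEAD     cipher.AEAD // AES-256-GCM: confidentiality and integrity in one primitive
	RetireAt time.Time
}
// Envelope is the payload wire format: key id, nonce, and GCM ciphertext with its tag.
type Envelope struct {
	KeyID             string
	Nonce, Ciphertext []byte
}
// NewKey generates a fresh 32-byte random key that retires after lifetime.
func NewKey(id string, lifetime time.Duration) (Key, error) {
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		return Key{}, err
	}
	block, err := aes.NewCipher(material)
	if err != nil {
		return Key{}, err
	}
	aead, err := cipher.NewGCM(block)
	return Key{id, aead, time.Now().Add(lifetime)}, err
}
// Seal encrypts payload under this key with a fresh nonce; the key id is bound as
// associated data, so an envelope whose id has been swapped fails authentication.
func (k Key) Seal(payload []byte) (Envelope, error) {
	nonce := make([]byte, k.AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{k.ID, nonce, k.AEAD.Seal(nil, nonce, payload, []byte(k.ID))}, nil
}
// Open looks the key id up in the keyring, refuses unknown or retired versions, and checks the tag.
func Open(keyring map[string]Key, e Envelope) ([]byte, error) {
	k, ok := keyring[e.KeyID]
	if !ok || time.Now().After(k.RetireAt) {
		return nil, errors.New("key unknown or retired: " + e.KeyID)
	}
	return k.AEAD.Open(nil, e.Nonce, e.Ciphertext, []byte(e.KeyID))
}
```

The caller always calls Seal on the newest key; older versions stay in the keyring for decryption only until they retire, which is how rotation avoids a big-bang re-encryption of stored records.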
- Security testing
During application development, secure coding practices must be adhered to. Security testing such as SAST, DAST, penetration testing and compliance checks must be performed regularly, at a defined frequency and following a defined process. Any identified vulnerability must be rated Critical, High, Medium or Low so that an appropriate fix plan can be made.
Auditing the access controls and reviewing the logs provide an additional layer of security. Continuous pattern- or signature-based monitoring of data would prevent many intrusions.
- Data Erasure (disposal)
When data is erased from databases, disks and media, an appropriate secure-erasure mechanism must ensure the information cannot be retrieved. Hardware media must be completely scrapped if no longer required; software-based overwriting can also be considered based on the requirement.
Data Security: Regulatory and compliance requirements
Securing sensitive and personal data is key for any organization, and it is also driven by regulatory and compliance requirements. Organizations must comply with these requirements to avoid heavy penalties and charges. Listed below are a few regulations with stringent data security controls.
- GDPR (General Data Protection Regulation)
- SOX (Sarbanes-Oxley Act)
- HIPAA (Health Insurance Portability & Accountability Act)
- DPA (Data Protection Act)
Authored By - Gopal Pandurengan
TCS Cyber Security Practice