Data Security – lessons from Equifax and HBO

Data Security
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net

You can ask Equifax, Ashley Madison, or HBO how data security worked out for them.

With the latest high-profile attacks at large companies that hold customer data, anyone that stores sensitive information within their computer systems should take a look at their data security policies.  While this article won’t help you develop a detailed data security plan, I hope that it will start to explain several of the things that you should know and address.

For starters, let’s talk nomenclature.  Digital data has three states.  These states are agreed upon, however what each encompasses is often debated.  These three states are data-in-use, data-in-motion, and data-at-rest. Addressing these three states will encompass all of your data and potential data exposure.

Data-in-use

Data-in-use is data that resides in a processing device (like your computer) and is actively held in memory.  Most of the security risks that happen with data-in-use happen when people have physical access to the computers that are using this data, systems are in a poor state of update or malware protection, or network accounts and security are lax.

Solutions to these issues are fairly straight forward.  Keep computing resources physically secure.  Make sure anti-virus and anti-malware software up to date.  When operating systems and application updates and patches come out, install them.  Good systems administration is also key.  User accounts are secure.  Disable or delete old or unused accounts.  Educate users to recognize potential data leaks due to poor security practices.  Use means to limit access to data to only trusted resources using protocols like CHAP or ACLs.  Keep tight control over other means of access like vender portals and outside APIs that you may use.

Data-in-motion

Data that is moving from storage to processing is considered data-in-motion.  This usually means the WAN or network, where your data traverses in its journey between at-rest and in-use.  This also includes transport in the cloud, where data may be moving over very public networks on its way between -use and -rest.

The most common way to defend against data-in-motion snooping is to encrypt data.  Always encrypt data-in-motion.  Always.  Many vendors provide virtual private network (VPN) solutions, or WAN acceleration appliances that include encryption as part of the package.  This is traditionally for WAN usage and encrypts the entire communications channel.  There are also solutions for local LAN traffic.  Check out IPSec if you haven’t already.  It may also be worth your while to consider encrypting your data itself, not just the traffic tunnels.  This will become expensive, either in real dollars or in computation, so it may not be a fit for your organization.

Limiting physical access to your network is also a must.  Keep your networking gear behind locked doors, and secure any wireless access.  Again, this is all basic Network Security 101.

Data-at-rest

Data that is stored on a device, but it is not actively being used, is considered data-at-rest.  This usually means disk, appliance, tape or other removable device.  Yes, thumb drives and CDs are included in data security plans.  Data security plans often overlook backups and backup media, too.

Securing data at rest is again all about physical security and encryption.  Physically secure your storage appliances and tapes and you have solved 90% of the issues with data-at-rest security.  If no one can get to your data, then no one can steal your data.  For data encryption there are also solutions.  There are software applications that will encrypt data, and several operating system vendors have included this functionality in their OSes.  This does tend to slow systems down.

Appliances are also a solution to encrypting data.  There are speciality manufacturers that will sit in between storage media and computing resources that will encrypt data “on the fly”.  These tend to be a bit expensive and are for speciality applications.

Seagate makes a Self-Encrypting Disk (SED).  Special chipsets encrypt everything written or read from this disk.  This disk tends to be a bit slower than traditional disk (figure a 10% penalty on reads and writes), but is a nice solution for those clients that may be trying to meet data security standards.  The disk does not store encryption keys.  Therefore, taking disks does not compromise data.  But for heaven’s sake DO NOT FORGET OR LOSE YOUR KEYS.

Summarizing Data Security

In this article, we have discussed data security.  A data security plan must consider each state of data separately.  Security measures may span more than one state, but remember they are implemented differently dependent on state.  This article is an introduction to basic data security.  It is not all encompassing.  We have only scratched the surface.  Read up, work with your in-house security people, or engage competent data security consultants to get the best security that you can.  Your data may not include government officials looking to “hook-up”, or the spoilers for next season’s Game of Thrones but you never know.

 

 

 

 

 

 

Share this: