Wednesday, January 21, 2009

Data Protection Basics

Written by Tsvetanka Stoyanova

Data protection is a vast topic because data and the adequate measures to safeguard it against the many threats are fundamental for any IT department. Failing to provide adequate data protection is not only unprofessional; it could be a criminal act and could lead to serious damage for the affected parties and severe penalties for the parties at fault.

Many Acts and laws apply, for instance the Data Protection Act of March 2000 or the Sarbanes-Oxley Act. The Sarbanes-Oxley Act not only makes it highly desirable for a data center or an IT department to take data protection seriously; it also applies sanctions for non-compliance.

There are many reports of leaked data, not to mention the number of cases that are not reported publicly. Data leakage is very often the result of inadequate protection, and this certainly poses the question: should IT pros be responsible for ensuring adequate protection of the data they are in charge of?

Nobody says data protection is easy. You can never be 100% certain that your data is protected and even if you make every reasonable effort to protect data, there is no guarantee that trouble will not haunt you. But when fundamental data protection rules are violated, the question is not if but when a failure will happen.

Types of Threats for Data
Before you start thinking of ways to protect data, it is essential to know what you are protecting it against. There aren't many types of threats, and the degree to which they can destroy or damage data varies.

One basic classification of threats is into internal and external threats. Depending on the type of damage, there are two groups of risks:
• Physical damage. Data can easily be destroyed, deliberately or not, and this can happen in the blink of an eye. Natural disasters such as fire, flood, earthquakes, etc. can damage the media on which data is kept, thus destroying it. Accidental or deliberate data deletion is another physical threat you should guard against.
• Unauthorized access. Physical threats are dangerous, but unauthorized data access is no better. Unauthorized access could destroy your data physically, but this is not the worst that can happen. When data is accessed by unauthorized individuals, the damage they can do varies: disclosure or leakage of sensitive information and modification are just a few examples. The worst is that illegitimate modification could be done by somebody who has legitimate access.

Basically all mishaps to data fall into one of the above categories and there are various measures one can take in order to prevent such events from happening. The following section mentions only some of the most important steps in that direction.

How to Protect Data against Threats
Data is tangible, yet you can't guard it with the same measures as you guard your other physical assets, though certainly some of the rules apply. For instance, while you can insure your cars and other property against theft or fire, you can't insure data against these events, but you can do your best to prevent theft or fire and to minimize the damage if these events occur. Here are some very basic recommendations on how to protect the data you are responsible for:

• Physical protection. The response to the physical damage threat is physical protection. As in the OSI model, where networking starts at the physical level, data protection starts with its physical protection. This includes steps such as securing your premises against fire, flood and unauthorized access by external individuals, checking the media you back up to, etc.

• Rules for access to data. Rigorous procedures for external access minimize one common threat, but there is more to regulating access. You must secure data along the whole path: from collection, to transit, to reaching its final destination. But even when data is inside the walls of your data center, this still does not mean that it is protected from unauthorized access. Poor corporate security is no guard against unauthorized access. Insider theft is even more common. So, if you don't have rules regarding the access to data and the means to enforce them (e.g. authentication, encryption, granting legitimate access, etc.), you can never consider the job done.

Access rights include all the operations one can perform with data – from gaining read-only access, to modifications, to deletion. Here the most secure rule is to use the least privilege principle – i.e. give a user the minimum rights he or she needs to have in order to be able to do his or her work. Additionally, limit to the minimum the number of people who have access to critical data because if an insider attack happens, it will be easier to narrow down the possible sources of the leakage.

• Intrusion detection, firewalls, malware, etc. I think it is needless to say that common security practices, such as intrusion detection, firewalls, malware scans, installing the latest patches, etc., must be performed on a 24x7 basis, because it is just too obvious, but let's briefly mention them for completeness of the list.
• Backups, disaster recovery. Backups and disaster recovery are also standard practices for data protection, both on a physical level and for protection against modification/deletion. Backups and disaster recovery techniques give you a spare copy of the data, which you can restore from in case the data is physically destroyed or has been modified. Obviously, backups and disaster recovery won't help you against leakage and other forms of insider trading, but they still have their indispensable place in the data center.
• Keep an eye on the legislation. As I mentioned in the beginning, there is quite a lot of legislation related to data protection. Sometimes the legislation itself will include mandatory provisions about the measures you need to apply in order to fulfill your legal duties, so keeping an eye on changes in the existing legislation and on any new Acts is compulsory.
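
As an added illustration of the access-rights item above (this is not code from the original article), the following Python example compares the rights each user holds with what the job needs and counts who can reach critical data. All user names, dataset names and the limit of two people are constructed assumptions.

```python
from collections import defaultdict

# Operations named in the article: read-only access, modification, deletion.
OPS = {"read", "modify", "delete"}

# Constructed sample data (hypothetical users, datasets and job needs).
GRANTED = {
    ("alice", "payroll"): {"read", "modify", "delete"},
    ("bob", "payroll"): {"read"},
    ("carol", "payroll"): {"read", "modify"},
    ("carol", "wiki"): {"read", "modify"},
    ("dave", "payroll"): {"read"},
}
NEEDED = {
    ("alice", "payroll"): {"read", "modify"},
    ("bob", "payroll"): {"read"},
    ("carol", "wiki"): {"read", "modify"},
}
CRITICAL = {"payroll"}
MAX_PRINCIPALS = 2  # assumed policy limit per critical dataset


def excess_rights(granted, needed):
    """Return {(user, dataset): rights granted beyond what the job needs}."""
    findings = {}
    for key, rights in granted.items():
        unknown = rights - OPS
        if unknown:
            raise ValueError(f"unknown operation(s) for {key}: {sorted(unknown)}")
        extra = rights - needed.get(key, set())
        if extra:
            findings[key] = extra
    return findings


def crowded_datasets(granted, critical, limit):
    """Return {dataset: sorted users} for critical datasets over the limit."""
    holders = defaultdict(set)
    for (user, dataset), rights in granted.items():
        if dataset in critical and rights:
            holders[dataset].add(user)
    return {d: sorted(u) for d, u in holders.items() if len(u) > limit}


if __name__ == "__main__":
    for (user, dataset), extra in sorted(excess_rights(GRANTED, NEEDED).items()):
        print(f"revoke {sorted(extra)} from {user} on {dataset}")
    for dataset, users in crowded_datasets(GRANTED, CRITICAL, MAX_PRINCIPALS).items():
        print(f"{dataset}: {len(users)} users with access (limit {MAX_PRINCIPALS}): {users}")
```

A grant with no matching entry in `NEEDED` is reported in full, so stale access left over from a previous role shows up alongside over-broad rights.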

The above steps are just a drop in the sea of measures required to do your best to protect data. It might look very simple to protect data, but the consequences of not doing it properly are certainly not simple, and the most precise statement about data protection is that it is an ongoing battle with natural and man-made disasters.
