Data Security

Data security is defined as the technical process of protecting any

computer system’s information from unauthorized access or
destruction. This encompasses any type of device, server or network of
computer devices (like your home wifi).

Let us look at the key components of data security to understand further:

 A three-fold resource set – It’s a common mistake to assume

that the definition of data security applies only to data security
tools and technologies. In reality, the security strategies,
processes to enact them, and resource allocation are equally
important to protect enterprise data assets.
 Identifying valuable data – To formulate a data security policy
framework, first you need to prioritize your data in terms of
security investments. For instance, investing the same level of
resources to 50-year-old data as you would to a newly inked IP
document is inefficient when there are expense constraints,
especially after the Covid lockdowns. This especially becomes a
major challenge when replicated at scale. That’s why
identifying, classifying and prioritizing your data security needs
is crucial.
 Data may never be 100% secure – Valuable data could lie
exposed to new forms of malware and viruses for which your
current security mechanisms may not be enough. This is
because both sides are constantly innovating- one tries to hack
and your data security protocols and systems try to detect and
 neutralize it. But this doesn’t take away from the level of
security it provides and the highly reduced probability of
security breach.
 Data security is key for work data– While personal devices
also need and often have data security inbuilt while
purchasing, an enterprise/ organizational system is much
more prone to attacks given that the value of information/cost
of damage is much higher.
To cover all of these touchpoints effectively, companies need a robust
data security plan.

Data Security Plan and Policy: 6 Key

Steps With Examples
It is easy to take a set-up-and-forget approach to data security. You
partner with a vendor, install a data security solution, and keep doing
business as usual. But without the critical steps mentioned below,
companies are likely to face glaring gaps along the way. That’s why it is
advisable to:

1. Rethink network-based cybersecurity

frameworks
Network-based security divides up the enterprise ecosystem into an
application, device, and perimeter levels. But this is only one step of the
solution. As companies embrace widespread remote working in 2020,
employees will log in to data applications from endpoints that are outside
of this traditional strategy.

“To protect customers, employees, and reputations while ensuring

compliance with evolving regulations, companies should shift their
security strategies from an outdated reliance primarily on ‘perimeter
protection’ to a companywide approach based on ‘secure data
access,’” says Nick Halsey, CEO of Okera, a data governance and access
software company. For example, protecting the perimeter isn’t enough
when so many employees are working outside the enterprise firewall.
Device-based security doesn’t factor in human folly and digital bad habits.

In contrast, secure data access at every level helps in adherence to

security protocol, no matter the device of access or employee role.

2. Shape your data security policy

around the cloud

Cloud migration was already on most organizations’ digital

transformation roadmaps, and remote work has only accelerated the
pace due to Covid lockdowns. Cloud adoption means you are using
shared resources, with far more security vectors than you would have in
an on-premise-only set-up. Your data security policies for the cloud
should also be scalable. As you leverage cloud resources dynamically, the
framework adapts in tandem without leaving any vulnerability.

Technology advancements make it possible to achieve this with minimal

effort investment. For example, a hybrid cloud data warehouse company,
Yellowbrick Data, has just partnered with data security provider Sotero,
for a solution along these lines. You can integrate your existing database
infrastructure, even in a hybrid environment, with a strong security layer
that requires little operational and maintenance intervention.

3. Make data security a parameter for

SaaS investments

Every new SaaS license you purchase brings with it its own set of security
risks and vulnerabilities. In the last few months, there have been
repeated headlines on security flaws in Zoom and how it exposed
confidential communication data. When shopping for a SaaS product,
submitting RFPs, and writing the SLAs, make data security a central
parameter.

For example, Slack has recently enhanced its data security controls to give
admins better visibility and simplify data-related compliance. Its new
enterprise key management feature encrypts a custom workflow from
end to end, while Slack audit logs maintain detailed records – which, as
we mentioned, is a key component of data security.
Going through the product documentation and holding data security
workshops with your vendor will help to make safer purchase decisions.

4. Opt for a zero-trust strategy for user

authentication

A large or even a mid-sized enterprise will see hundreds of stakeholders

logging into its data applications every day. From local contractors in the
public sector to digital payment enablers for banks, from insurance
brokers in healthcare to logistics managers in manufacturing — there is
no end to the number of roles present in a typical enterprise ecosystem.

A zero-trust data security policy assumes every stakeholder to be a

potential risk, regardless of their credentials. It monitors your digital
assets and assesses every user who attempts to connect to these assets,
maintaining records for a possible worst scenario. Cybersecurity analysts
and experts increasingly recommend this policy, suggesting that every
user, device, service, and dataset are bucketed into separate categories
inside the trust framework to limit access. For example, the National
Institute of Standards and Technology (US) has released new guidance to
implement zero-trust architectures.

5. Maintain transparency and

accountability for data breaches
The steps we mentioned so far will give you an accurate view of where
your data is located, the measures in place, and how, who, and why it is
being accessed. This accountability map is useful if at any time you face a
data breach.

Depending on the nature of the data, companies are obligated to report a

breach to the right authorities and make reparations. The failure to do so
could invite millions of dollars in penalties, not to mention irreversible
damage to brand reputation. That’s why the response step is a critical
part of any data security policy, outlining an action plan for when the
“prevention is better than cure” adage is no longer applicable.

Take lessons from recent attacks where the company failed to assume
accountability on time. For example, Uber’s former Chief Security
Officer now faces a summons with U.S. Marshals for not reporting a 2016
hack, trying to pay off the threat actors instead. In such cases, it is
advisable to consult an experienced domain expert – which brings us to
the next step.

6. Partner with a data privacy and

security law specialist

A legal specialist can help you better navigate the evolving laws around
data security, privacy, and utilization, tailoring your strategy to the needs
of a specific region or industry. Involving a specialist at the early stages of
policy implementation can help configure your framework more
effectively, select the most security-friendly technology enablers, and
respond appropriately in a worst-case scenario.

There are several organizations to help you with this. For example, the
global law firm, Winston & Strawn LLP, has a new practice for global
privacy and data security. “The almost-universal remote work
environment caused by the COVID-19 pandemic has added to the
challenge of providing access to information while ensuring systems are
not vulnerable and abiding by the privacy and data security
laws,” says Sheryl Falk, co-leader of the practice.

Key Challenges and Solutions for

Data Security in 2021
2020 is a landmark year for cybersecurity, as any gaps in enterprise digital
frameworks will likely start to show. As employees switch to remote work
and use digital-only mechanisms for communication and productivity,
companies are scrambling to scale their data security infrastructure.
Over 50% of the organizations have made new investments in VPN and
cloud security, while only 37% are using multi-factor authentication.

Several challenges need to be resolved before we can adequately address

all gaps:

 Employees are still open to scams like phishing

A sense of uncertainty is now propelling employees to click on links or
open emails they would have otherwise avoided. Since February, there
has been a 667% uptick in phishing attacks, and recently Microsoft seized
control of several domains used for COVID-19-themed phishing.

The best solution to this challenge is security-awareness training.

Educating employees about online risk and fostering a culture of
skepticism will nip the problem at its source. Bolster your training
campaign with specialized products like Sophos Phish Threat – it
simulates a realistic and challenging attack based on threat intelligence.
Employees can work through 30+ training modules for a hands-on
understanding of what to do when faced with suspicious content.
 Everyone is a privileged user, especially in small businesses
As small and mid-sized businesses digitize in 2020, IAM and user-privilege
definition often takes a backseat. Business leaders are eager to equip
employees with all the resources they enjoyed in a physical office and
empower them to stay productive, often going against pre-pandemic data
security policies.

There is a two-fold answer to this challenge: technology and culture.

Small businesses must embrace a culture of security awareness, where
honoring data privacy is a top priority. Technology can work to augment
this – consider IAM tools like OneLogin that are available for as low as $2
per user per month, providing industry-leading security measures at just
$100 for a 50-member small business.

 Shadow IT leads to a sprawling data environment

2020 has introduced an unseen level of decentralization, where individual
business units try to become self-sufficient and continue operations with
little to no physical interactions with the HQ. This leads to shadow IT – as
the IT team can’t be physically present to resolve issues, BUs are forced
to pick up the mantle. But shadow IT may not (and usually does not)
follow the same stringent data security policies as the HQ, despite
consuming 30-40% of costs.

The solution to this challenge lies in better consolidation and integrated

visibility, preferably via a unified dashboard. Software like the Trustway
DataProtect App encrypts data across disparate applications and brings
them together in a centralized platform, minimizing risk from shadow IT.
CoreSaaS is another handy tool that helps you discover all your active
SaaS applications, monitor activity, and govern SaaS data.
 Applications aren’t built on safe data principles
This is a major challenge for large enterprises, ISVs, and digital-first
companies that regularly develop in-house applications. Application
design must follow data security best practices, and testing data needs to
be adequately anonymized – these needs have given rise to the DataOps
field, where strong data governance is tightly woven into the application
development CI/CD landscape.

In an agile world, where iterations and updates are released every next
month or week, security flaws in your applications have a very large
reach. Choose a DataOps solution like Delphix to maintain development
speeds without compromising on data security. Delphix can create a
secure virtual environment, manage sensitive data, maintain data version
control, and revert data to any historical point as needed during
development.
 There is no clear data security policy for retiring datasets
Most data security laws come with storage limitations, restricting
companies from holding onto data beyond a justifiable cause. In other
words, you can’t store data for future analysis unless you have already
identified the purpose and impact of the said analysis. To comply,
enterprises must institute a clear data retention period, after which it
enters the retirement stage.

Fortunately, there are several solutions available to address this

challenge, like Blancco. Blancco’s data erasure software adheres to 25+
standards and provides you with a tamper-proof report for compliance. It
maintains an accurate chain of custody for complete transparency and
analyzes your mobile endpoints to find errors.

The proliferation of digital tools will only add to the challenges in data
security. That’s why it is essential for enterprises to take a proactive
stance and follow data security best practices, keeping pace with evolving
threat variants.

8 Best Practices for Data Security in

2021
So far, in 2020, a total of 16 billion data records have been exposed,
which is a 273% uptick from the same period of the previous year. This
trend highlights the importance of data security best practices, from the
grass-root level to business leaders, if we are to keep sophisticated
cyberattack tactics at bay. These best practices include:

Best Practices for Data Security in

2021

1. Carefully formulate access privileges

in IAM
Identity access management or IAM forms the crux of data security
policies at several organizations, giving users access to data based on
their role/persona. Typically, experts recommend a least-privilege
approach, where employees have access to only what’s relevant to their
work and must seek approval for everything else. IAM also requires that
you keep detailed records of user authentication, access logs, and
device/origin of access. This comes in handy for future compliance and
data security audits.

2. Adhere to data privacy and security

regulations wherever applicable

Governments around the world are fast adapting to an evolved

cybersecurity climate, where consumers are sharing data at scale,
opening up new vulnerabilities. Apart from the well-known GDPR law for
EU citizens and CCPA, which is specific to California-based companies,
almost every region (and sector) calls for dedicated compliance. For
example, all health data records must follow HIPAA norms, which are
specific to the healthcare sector. This could require intervention from a
legal professional, which is why partnering with a privacy and security law
specialist should be a part of your data security plan.

3. Set clear data security priorities

before policy implementation
How do you know which data to protect, which ones need universal
access, which datasets should have multi-layered authentication, and
which data should be retired entirely? A detailed and regular risk
assessment exercise assigns data sets a risk score depending on its value
to the enterprise, its value to the originator (employee or customer), and
the possibility of exposure through daily digital activities. Prioritization
also makes your data security plan more efficient, as you are focused on
the most vulnerable/severe-criticality areas. It will also help you allocate
your security resources more effectively.

4. Don’t ignore your internal customers

– the employees

Data security rules apply equally to both external and internal users. For
example, laws like GDPR and CCPA mandate similar privacy, consent, and
autonomy rights for every user, regardless of whether they are an
external customer or they fall within the purview of contractual employee
agreements.

Enterprises must balance the need to monitor data activities, restrict

access, and scan for unusual activity, with a conscious acknowledgment
and upholding of individual employee rights. Be mindful of data collection
via cookies, the reasons for collecting employee data, and where you
store your most valuable information like employee social security
numbers. Weak measures could open a company to a variety of risks,
including legal liability.
5. Maintain regular back-ups

Losing access to data is as much of a problem as having data exposed in

the public domain. Cyber-attack strategies like malware target valuable
data like customer information, which delivers analytics, or intellectual
property to extract a ransom from the data owner (like the WannaCry
ransomware attack of 2017).

Data loss could also be an unforeseeable consequence of a natural

disaster when a physical server is damaged. Without access to the data,
critical business functions could come to a halt. That’s why a useful DLP
best practice is maintaining data backups that are as close to real-time as
possible. Look for advanced backup techniques that let you record data
changes/updates, without revising the entire dataset, to optimize
resource utilization.

6. Enforce proper password

management guidelines

Did you know that even in 2020, where so many companies are facing
high-value data breaches, 1 out of every 142 passwords continues to be
123456? This statistic illustrates the human tendency to get lazy about
password management for the sake of convenience. Add to this,
common password management bad habits like writing it down on a
piece of paper that’s readily accessible and using the same password for
multiple applications. Proper password management guidelines are
essential to not just protecting data, but also your enterprise assets as a
whole.

7. Adopt privacy by default

Privacy by default entails that your system configurations – across the

entire digital landscape – will record as little data as possible. For
instance, your website might ask for the user’s permission before
displaying a video ad, because it does not want to intrude on the user’s
privacy and browsing experience. A simple way to adopt this principle is
by enabling only the absolutely necessary cookies on your website
and requesting the user to consent to additional cookies for a more
personalized experience.

8. Restrict network access to non-work-

related sites

Accessing suspicious websites on a work device is among the most

common causes of vulnerabilities. Malicious software can creep in the
form of harmless downloads and aid in data theft. That’s why it is a good
idea to block commonly known malicious pages on the enterprise
network and company-owned devices. However, ensure that
your network access restrictions don’t get in the way of employee
productivity and workflows. There should be an easy verification and
approval process in place if an employee requires access to an unknown
website.
It can be difficult to follow stringent data security policies given the
current IT cost crunch. However, intelligent investment in data security
across all of 2021 is essential to enterprise success during the pandemic
and the recovery period. By remembering the above basic best practices
and formulating an effective policy framework, you can ward off security
threats and continue BAU even in today’s complex times.