BreachExchange mailing list archives

5 facets of data security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Sep 2015 19:29:36 -0600

http://www.infoworld.com/article/2980728/big-data/5-facets-of-data-security.html

When confronted with the potential of data breaches, owners of this data
and system administrators often consider first the most obvious angle of
security: preventing individuals with malicious intentions from gaining
access to data. But there are several facets that need to be accounted for
to ensure that confidential data is not found in places where it shouldn't be.

Securing data from malicious attacks

Protecting data from hackers and other ill-intended individuals is often
the first order of priority -- as it should be. The domain of IT security
experts, it includes -- but is not limited to -- the deployment of
perimeter protection technologies, the proper management of user accounts
and permissions (including the deprovisioning of accounts when employees
leave or change roles), and a range of intrusion detection systems that
detect attacks and shut down access when needed.

Securing data from unauthorized access

Unauthorized access is broader than malicious attacks. It can be caused by
poorly defined permissions that allow a user to access or query data they
should not be allowed to access -- for example a business intelligence
user gaining access to HR or payroll information while analyzing sales
performance. This type of unauthorized access creates less risk than
malicious attacks, and can be partially alleviated through clearly
communicated governance policies and reliance on the professionalism of
users (i.e., having access to confidential data does not mean you will
necessarily attempt to view it, and even less disseminate it).

Securing data from unusual extraction

Users may have access to certain data sets in the normal course of their
business, but when they attempt to extract a vast amount of records, is it
because they need to process a historical report -- or because they plan
to quit tomorrow and leave with the client database? Or maybe because they
have been the victim of some social engineering scheme, or have had their
credentials compromised? Identifying the boundaries of normal/expected
behavior, and placing limits on what a user is permitted to do with data
they use on a daily basis, is an important measure to prevent this type of
situation.
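The following is an added example, not part of the article or of any product it mentions. It shows one way to implement the "boundaries of normal behavior" idea above: build a per-user, per-dataset baseline of how many rows each user normally pulls, then flag any extraction that is far above that baseline (or above an absolute cap when there is no history yet). The audit log format (timestamp, user, dataset, rows returned), the sample log lines, and the thresholds (10x the median, 100,000-row hard cap) are all assumptions constructed for the example.

```python
"""Flag unusual bulk extractions against a per-user baseline.

Added example. The audit log format and the thresholds are assumptions;
a real deployment would read the database's own query audit log.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit log: timestamp, user, dataset, rows returned.
# alice pulls a few hundred CRM rows a day, then suddenly 20,000.
# bob runs a ledger report of ~5,000 rows every morning (normal).
# carol has no history and pulls 150,000 rows in one go.
AUDIT_LOG = """\
2015-09-01T09:12:03 alice crm.customers 120
2015-09-01T10:40:11 alice crm.customers 340
2015-09-02T09:05:44 alice crm.customers 210
2015-09-02T14:22:09 alice crm.customers 95
2015-09-03T11:01:37 alice crm.customers 180
2015-09-03T16:45:02 alice crm.customers 20000
2015-09-01T09:00:00 bob finance.ledger 5000
2015-09-02T09:00:00 bob finance.ledger 5200
2015-09-03T09:00:00 bob finance.ledger 4900
2015-09-04T09:00:00 bob finance.ledger 5100
2015-09-04T08:00:00 carol crm.customers 150000
"""


def parse_audit_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, rows = line.split()
        events.append({"ts": ts, "user": user, "dataset": dataset,
                       "rows": int(rows)})
    return events


def baseline_medians(events):
    """Median rows returned per (user, dataset), for analyst review."""
    history = defaultdict(list)
    for e in events:
        history[(e["user"], e["dataset"])].append(e["rows"])
    return {key: median(rows) for key, rows in history.items()}


def detect_unusual_extraction(events, factor=10, hard_cap=100000,
                              min_history=3):
    """Return alerts for extractions well above the user's own baseline.

    Events are processed in timestamp order and compared only against
    earlier events, so a spike does not inflate its own baseline.
    With fewer than min_history prior events, only the hard cap applies.
    """
    history = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        key = (e["user"], e["dataset"])
        prior = history[key]
        reason = None
        if len(prior) >= min_history and e["rows"] > factor * median(prior):
            reason = (f"{e['rows']} rows vs baseline median "
                      f"{median(prior):.0f} on {e['dataset']}")
        elif e["rows"] > hard_cap:
            reason = f"{e['rows']} rows exceeds hard cap {hard_cap}"
        if reason:
            alerts.append({**e, "reason": reason})
        history[key].append(e["rows"])
    return alerts


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for a in detect_unusual_extraction(evs):
        print(f"ALERT {a['ts']} {a['user']}: {a['reason']}")
```

Run stand-alone it reports two alerts: alice's 20,000-row pull (her prior median is 180 rows) and carol's 150,000-row pull (no history, over the hard cap); bob's daily 5,000-row report stays quiet. The same thresholds can be enforced before the query runs (a per-user row cap on the reporting tool or database role) rather than only alerted on afterwards.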

Securing data from unintended use

Used in a certain context, the same data can be immensely damaging when
used in another. A good data governance policy should make clear which
data can be used in which context. It's not always easy, as many modern
usages of data are by definition unplanned. In these contexts, the data
steward must abide by the spirit of the policy, if the letter isn't
applicable.

Securing data from unexpected dissemination

Source data is often as secure as it can be. But what about reports,
extracts and other target datasets? How many stories have we read in the
news about "a laptop has been stolen with x million confidential records on
it?" Once the data leaves its home database, it will end up in emails, USB
sticks, Dropbox accounts, hard drives, and other highly insecure places. In
many cases, this will be because IT does not offer a convenient and secure
way to transfer large files -- and so users figure out their own ways.
Securing data extends all the way to the full IT infrastructure, and needs
to take into account the habits and convenience of users -- but also
establish clear guidelines that extend beyond simple data manipulation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!