What is data security?

Nirmal Ranganathan, Jared Jacobson

hands holding smart phone with security image displayed

Data security refers to your policies and standards for protecting your data — across your network, infrastructure and applications and at multiple layers. Data security methods span on-premises and cloud environments and include encryption, masking, tokenization, erasure, authentication, access control, backups and recovery and data resilience. Data security also involves compliance-related demands driven by government regulations or industry standards like PCI or HIPAA.

 

The importance of data security

According to a recent Verizon report, one in eight breaches are financially motivated, and all breaches create financial turbulence for the victims. A data breach can cause just as much disruption as being found in non-compliance. Without a solid data security strategy, you could be at risk for public relations fallow, non-compliance penalties and productivity losses. Some common consequences of a data breach include:

 

Public relations fallout

Online consumer expectations are on the rise. So when potential customers or investors hear that your organization has been breached, it makes you appear careless and unreliable — even if you did everything that you were supposed to do. This perception could result in losing market share and may even impact your stock price. The effort and cost to clean up the initial breach, manage the media, communicate with customers and re-build your brand detracts resources from your core mission.

 

Non-compliance penalties

Not following regulatory and legal requirements around retention, permissions and storage can lead to big fines for non-compliance. Primarily, those fines are penalties from the regulatory board. In addition to that, there may also be associated fees — such as direct payments to breach victims, supplying remediation services (credit monitoring or identity protection) or lawsuits for damages.

 

Productivity losses

After a data breach, IT teams must drop whatever they’re doing to respond and resolve the threat. If data loss occurs, there’s time spent on restoring backups. A security breach will likely impact the ability of some employees to access and use data needed to complete their jobs. In a recent CISO study conducted by Cisco, 48% of companies with over 10,000 employees experienced at least four hours of downtime related to a data breach, and a third experienced up to 16 hours of downtime. 

 

Types of data security technology

Protecting data in the cloud or on-premises will involve using one or more of the following technologies:

  • Data encryption
  • Data masking
  • Tokenization
  • Data erasure
  • Authentication
  • Access control
  • Backups and recovery
  • Data resilience

 

Data encryption

Data encryption prevents unauthorized users from accessing data. This technique requires some type of authorization or key to decrypt and view or edit data. Encryption primarily applies at the network and infrastructure level; however, physical assets, flash drives or hard disks can also employ this data security method. Encryption can be applied within applications as well. For example:

Original data: John Smith

Encrypted: 393938383838

Decrypted: John Smith

Locked status: Locked; can unlock

Access: End users can access the entire set of data

 

Data masking

When data is masked, all or parts of the data are replaced. This is often seen when credit card or social security numbers are displayed. The data is there, but it’s not accessible. This technique is used for situations where the data is saved into the system, but due to compliance issues, like PCI or HIPAA, users can't view the actual data. Masking is non-reversable. Once masked, the data loses its value and is not available for use in any other functions. For example:
 

Original data: John Smith

Masked: 393938383838

Unmasked: n/a

Locked status: Locked; can’t unlock

Access: End users cannot access the data and the data can’t be used for analysis

 

Tokenization

Though it’s important to leverage the value of all data, certain data elements — like Personally Identifiable Information (PII), medical details and financial information — need to be handled with particular care. Tokenization allows organizations to hide sensitive information but retain its meaning. Unlike encryption, where the data can be unlocked, or masking, where the data loses its value, tokenization cannot be unlocked but its characteristics are still valuable. You may not know each customer’s name and address, but you can pull data to determine, for example, when customers in a particular region spend more on a particular item.
 

Original data: John Smith

Tokenized: 838383838

Unerased: n/a

Locked status: Locked; can’t unlock

Access: End users can access the data insights but not the actual data set

 

Data erasure

Due to the rise in privacy protection regulations, like GDPR and CCPA, businesses need to not only protect the data they ingest, but allow for a process to delete that data as well. Messy data hygiene and careless data governance adherence may make it impossible for some organizations to fully comply with data erasure requests because they don’t have a good handle on all of the places data points could be housed. When done correctly, data erasure works like this:
 

Original data: John Smith

Erased: [no data]

Unerased: n/a

Access: Data is non-existent. End users never knew the data existed.

 

Authentication

Authentication is the process by which users identify who they are and can access information. For some systems, it’s a password; for other systems, it might be a biometric indicator like fingerprints or face scans. Authentication unlocks locked data for use by authorized parties. This is applied at the network, application or file level.

 

Access control

By establishing user groups and role-based access methods, organizations can control which users see what data. This ensures that employees who need to see sensitive data are properly authorized to do so. Access control is written into most data compliance standards to prevent, for example, a receptionist in a doctor’s office from seeing a patient’s full medical record as opposed to just the insurance information needed to register and schedule patients.

 

Backups and recovery

Backups and recovery refer to the way you store data and plan to restore it in case of an incident. Much like consumer-level services that cover you if you accidently delete a file or lose your phone, backup at the enterprise level means spreading data out into multiple secure locations to provide redundancy. If one location fails, the other location kicks in with an exact snapshot of the data. Organizations use Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics to determine what data is recovered and how long it takes to be recovered.

 

Data resilience

Data resilience refers to how quickly you’re able to recover and restore operations in case of a data breach. In the past, this was achieved by deploying multiple servers in multiple locations. After experiencing the recent global crisis, many organizations are faced with data centers that they are unable to access and are considering cloud-based alternatives that can be managed remotely, failover automatically and don’t require huge upfront capex investments.

 

 

Data security best practices

Data security best practices fall into three main categories:

  • Data risk management
  • Data governance
  • Data compliance

 

Data risk management

Data risk management is the where. It provides the roadmap for data security priorities. This is where an organization determines which regulations it needs to follow, what its security posture should be, and the KPIs required to demonstrate adherence. For example, although you might not house credit card information, you might still choose to follow PCI because it sets a higher standard for data security.

Another element of risk management is data classification. If legal documentation is requested and data isn’t tagged, or it’s improperly tagged, organizations could face penalties or hours of tedious labor looking for the data — a virtual needle in a haystack.
 

Data governance

Data governance is the what. Based on risk management obligations, data governance encompasses the policies and practices that serve as a foundation for data management. It also determines accountability and defines how data is stored, transferred, accessed, retained and destroyed. In addition to the rules and techniques, it should also provide guidance and expectations for users to maintain clean, secure data.
 

Data compliance 

Data compliance is the how. All of the actual work that it takes to comply with governance standards are executed here. This is where, for example, the role-based access is set based on the PCI standard you’ve chosen to adopt. Compliance represents the execution level of selecting the tools, technologies and processes to support encryption, firewalls, antivirus, monitoring and response.

Unlike risk management and governance, data compliance is ever evolving. Though the goal of maintaining PCI or HIPAA may remain consistent from a risk and governance perspective, the auditing bodies are constantly adapting and revising what it means to be compliant.

 

 

The benefits of data security

Maintaining a defined data security strategy protects the entire organization. Small businesses that experience a breach often go out of business within a year and wind up spending an average of $200k. And for those who barrel through the fallout of a data breach, there will be a huge financial hole around the added resources and labor needed to recover from a technology perspective and from a business perspective.

With a solid data security policy, organizations foster trust, save resources and avoid disrupting business by having to manage a breach or an outage.

 

 

Data security solutions from Rackspace Technology

With over two decades of experience securing and managing data for some of the largest companies in the world, Rackspace Technology delivers proven, end-to-end data security solutions. Our methodology spans people, processes and technology to provide the solutions you need to implement enterprise-grade security, maintain compliance and earn customer trust. Solutions include managed security services, compliance assistance, privacy and data protection, security tools, and security policy — as well as our Quickstart solution that gets you up and running fast.

 

Editor’s note: October is National Cybersecurity Awareness Month (NCSAM)! Be sure to check out our entire series of security-focused resources for NCSAM 2020, including:

 

Define and maintain your data security strategy, with help from our experts.