Cybersecurity is a constantly moving target with new and tried-and-true threats and adversaries to contend with daily. From ransomware attacks and malicious insiders to accidental misuse and nation-state actors, threats come in many forms.
Valuable enterprise data must be protected at the source to prevent compromise. But, with data being created and residing across users, networks, clouds and devices, it takes a lot of effort to protect it. Fortunately, technologies, frameworks and procedures are available to help ensure its security.
Follow these 10 data security best practices to help keep your company's valuable information safe.
1. Catalog all enterprise data
To protect data, it is critical to know what data exists. Data flows throughout and is retained within a distributed network of data centers, network-attached storage, desktops, mobile and remote users, cloud servers and applications. Security teams must understand how this data is created, used, stored and destroyed.
The first step is to create and maintain a comprehensive data inventory. All data -- from mundane data to sensitive data -- must be cataloged. Not conducting and maintaining this due diligence function ensures some data will be unprotected and vulnerable.
This article is part of
The vast array of data created, stored and used by organizations makes gaining visibility into data operations a daunting task. Consider using a data discovery tool to automate the process. These automated tools use various methods -- crawlers, profilers and classifiers -- to find and identify structured and unstructured data.
2. Understand data usage
Data is not a static entity; it moves as it is used by applications. Data can be in motion, at rest or in use. To properly safeguard data, it is important to understand the different states data occupies and how data transitions between modes. Knowing how and when data is traveling, being processed and stored enables for a better understanding of the protection required. Not properly identifying the data state results in less-than-optimal security.
3. Categorize data
Not all data has the same value. Personally identifiable information (PII) and financial records, for example, are considerably more valuable than a technical white paper.
After inventorying data and understanding its use, put a value on the data, categorize it and tag it. Classification labels enable organizations to protect data in accordance with the applied value. The classification terminology used is determined based on your organization's needs, but data generally falls into four classes:
- public (freely available);
- internal (to remain within an enterprise);
- sensitive (protection mandated by compliance); and
- confidential (noncompliance data detrimental if released).
Consistent and proper data categorization also helps determine when and where data should be stored, how it is protected and who has access to it. It also improves compliance reporting.
Many data discovery tools can classify and label data to correspond to a data classification policy. These tools can also enforce classification policies to control user access and avoid storing it in insecure locations.
4. Use data masking
A strong weapon against data loss is making any information stolen unusable to the attacker. Confidentiality tools provide this function.
Data masking enables users to perform tasks on functionally formatted data based on authentic data, all without requiring or exposing the actual data. Data masking techniques include encryption, character shuffling and character or word substitution. One of the most popular techniques is tokenization, which substitutes real values with dummy data that is fully functional. Authentic data, such as PII or credit card numbers, is located in a hardened central location with access limited to only required users.
5. Use data encryption
Encryption uses a cryptographic algorithm and secret keys to ensure only intended entities can read the data. Encryption is used for data stored on a drive, within an application or in transit. It is widely available within OSes, applications and cloud platforms, as well as from independent software programs.
If encrypted data is stolen by attackers, it cannot be read, and therefore, the attackers gain no value from the data. Encryption is considered so effective that many regulations make it a safe harbor that limits liability following a data breach. Encryption should not be considered a data security silver bullet, but it is one of the best ways to safeguard valuable information.
6. Implement strong access controls
Data, especially data valued or subject to regulations, must only be available to those who require access to do their jobs. Establish strong access control mechanisms to identify which entities should be able to access which data, and manage and regularly review the privileges of those entities.
Authorization and access controls range from passwords and audit logs to multifactor authentication, privileged access management and mandatory access controls. Whichever mechanism is used, ensure it validates entities and grants access based on the principle of least privilege. Strong access controls require full monitoring and auditing to quickly identify abnormalities or abuse.
7. Create data collection and retention policies
Policies are an unpopular subject, but there are reasons they exist. Data collection and retention policies establish the norms associated with data management and protection. These policies establish rules on the following:
- what data is collected;
- when and how it is retained;
- what data must be encrypted; and
- who has access to the information.
Data that does not adhere to data usage and retention policies should be purged. In addition to supporting internal operations, policies support compliance efforts with regulations such as GDPR and CCPA.
8. Conduct security awareness trainings
Data protection, like cybersecurity, is a team effort. Educate employees and users who have access to data about the importance of data security. Talk about their role in data security, as well as about what data users should collect and store and what data should not be shared.
Informed and empowered employees are more likely to support security efforts than undermine them by attempting to bypass controls. The people closest to data management efforts can also provide valuable support by identifying anomalies that could signify a potential issue.
9. Back up data
Availability and integrity are as important to security as confidentiality. Data backup provides these functions. A backup is a copy of the data that resides at a different location. Backups make data retrieval possible should the working copy become unavailable, deleted or corrupted.
Conduct backups on a scheduled basis. They can be a complete data replication or an incremental backup that only saves changes to the data. Be sure to keep any backups protected as they can also be a target of attack.
10. Use DLP
Data loss prevention (DLP) platforms are a key element of any data security strategy. DLP consists of technologies, products and techniques that automate the tracking of sensitive data. DLP safeguards use rules to review electronic communications and data transfers. They prevent data from leaving corporate networks or being routed to internal resources that fall outside of policy. DLP can also be used to prevent corporate data from being transferred to unverified entities or via illicit transfer methods.
Pulling it all together
Data security doesn't just happen. It requires these best practices be used not as standalone activities, but as part of a defense-in-depth strategy. The combination of most, if not all, of these components should be adopted to create an efficient and effective data security program.