Tom Thomasson is Senior Staff Engineer of Security at MarkLogic.
A recent survey by Radware found that nearly half (45 percent) of respondents had experienced a data breach in the last year, and 68 percent are not confident they can keep corporate information safe. Despite costly and constant breaches, and upcoming data privacy movements such as General Data Protection Regulation (GDPR), companies continue to leave data vulnerable due to outdated and ineffective security policies and processes.
This current state of data insecurity has arisen from the need for organizations to maximize the value of their data by broadly sharing information inside and outside the organization. The problem is that most organizations are largely focused on network security, protecting and hardening the perimeter. But often the data in the “squishy” middle is left vulnerable to threats. If attackers can get in, they’re in. And, most databases — where the critical corporate data resides — have all-or-none access, which is not sufficient to shield against growing cybersecurity threats.
Here are three steps companies should take to avoid becoming the next newsworthy data disaster.
Step 1: Implement Advanced Encryption Where the Data is Used
Some of the biggest data breaches have been a direct result of an insider getting a hold of the keys to the kingdom. The number of data security incidents involving internal actors is increasing — with Verizon predicting that internal sources are involved in one quarter of all breaches. In the healthcare industry alone, IBM reports, insiders are responsible for 68 percent of breaches.
Encryption is not a new feature in databases, but today’s encryption must be implemented in a more strategic and systematic way to protect data from cyber criminals and insider threats. You want to rely on an encryption system that not only keeps outsiders out, but also ensures that a system administrator or other insider cannot read the data at a low level in the operating system. Additionally, an advanced encryption system is critical: specifically, one that supports frequent key rotation and is fail-safe, or in other words one in which a partial compromise of a system component or a data subset does not lead to a complete compromise of the system and an organization-wide data breach.
Most importantly, encryption needs to be incorporated where the data is used. Data must stay encrypted all the way into the database, where it is decrypted only for authorized use, without ever being readable by the system administrator or network engineer. With automatic and fast granular key rotation and role-based access controls, advanced encryption helps to provide a separation of duties between the security administrator and any system, network or database administrator — drastically decreasing exposure.
Step 2: Use Redaction to Avoid Sharing Sensitive Data
Companies need to balance the protection of data with the ability to share it. Redaction is the process of suppressing sensitive data, such as personally identifiable information (PII). This is a critical piece to effective data security because you want to be able to remove or mask information when importing, exporting or copying data into and out of your database.
This provides organizations with the flexibility to share the right views of their data with the right audiences, while protecting sensitive information such as names and Social Security numbers from queries and updates.
Step 3: Implement Element Level Security at the Individual Document Level
Many databases are vulnerable to attacks because they rely on the all-or-none data access mentioned above rather than fine-grained security controls. It’s obviously not an option to lock all of your data down. Not only do internal staff need access, but companies also have to enable data sharing for partners, contractors, consultants, auditors and other key constituents.
Organizations need to have the proper security controls to ensure that the right data is accessible and shareable with those inside and outside of the organization. Redaction is a must-have element, but companies also need to be able to implement role-based access control at the individual document level. For example, an administrator may be allowed to see a person’s Social Security number while that private information is withheld from an internal call center operator.
But, organizations shouldn’t stop there. Element level security can take data security a step further, allowing administrators to apply additional, granular controls to individual parts of the document. This protects sensitive information wherever it happens to appear within the structure of documents, regardless of schema.
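As an added example (not MarkLogic’s code or the article’s own), here is one way the redaction of Step 2 and the element-level controls of Step 3 can be expressed together: a hypothetical per-element policy keyed by role, applied recursively so a Social Security number is masked wherever it appears in a document, whatever the schema. The record, roles and policy are constructed for illustration.

```python
# Constructed sample record. The nested contact and the list of notes show
# that the sensitive "ssn" element appears in several places in the structure.
RECORD = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "plan": "gold",
    "emergency_contact": {"name": "Bob Example", "ssn": "987-65-4321"},
    "notes": [{"author": "Carol", "ssn": "555-66-7777"}],
}

# Hypothetical element-level policy: which roles may read an element with this
# name, and how it is redacted for everyone else. A mask of None means the
# element is suppressed entirely rather than partially masked.
POLICY = {
    "ssn": {"allow": {"administrator"}, "mask": lambda v: "***-**-" + v[-4:]},
    "name": {"allow": {"administrator", "call_center"}, "mask": None},
}


def apply_element_security(node, role):
    """Return a copy of any JSON-like document with protected elements
    redacted for `role`, regardless of where they sit in the schema."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            rule = POLICY.get(key)
            if rule is not None and role not in rule["allow"]:
                # Mask only scalar strings; anything else under a protected
                # name is dropped so no structured copy of the value leaks.
                if rule["mask"] is not None and isinstance(value, str):
                    out[key] = rule["mask"](value)
                continue
            out[key] = apply_element_security(value, role)
        return out
    if isinstance(node, list):
        return [apply_element_security(item, role) for item in node]
    return node


def export_view(role):
    """View of RECORD for a role, e.g. what gets copied out to a partner."""
    return apply_element_security(RECORD, role)
```

The same function serves both uses on the page: filtering a query result for a call center operator and stripping PII before a copy of the data is exported to a partner.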
The bottom line: By enhancing security at the level of the database, many common data security vulnerabilities can be eliminated. Are you utilizing the three outlined tactics to keep your data safe from today’s threats, including insider actors? By choosing a database that has advanced encryption, redaction and element level security built-in, organizations get the agility they need to move at the speed of business powered by a system that protects their most critical asset — valuable corporate data.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.