Data security is the protection of digital data and accounts in accordance with laws and industry standards in order to mitigate risks and repel attackers. It encompasses business data, employee information, and customer and user data. If that sounds multifaceted, it is: putting data security into practice isn’t one size fits all.
With companies across the globe adjusting to a new working reality and hackers looking for—and finding—new loopholes in distributed systems, data security has become more important than ever. Everyone is looking for it, and a lot of solutions are promising it. But when data can mean everything from a customer’s birthdate to your organization’s payroll, how do you approach making your business and its employees secure?
What are the elements of data security?
Done properly, data security requires a careful evaluation of the functions your datasets serve, an understanding of the level of sensitivity of the information, and a working knowledge of regulatory requirements. It is also helpful to consider the CIA (confidentiality, integrity, and availability) triad as a guide for keeping your organization’s data protected:
- Confidentiality reinforces data privacy. Some data is best handled on a need-to-know basis and should only be available to approved parties.
- Integrity ensures that the accuracy of data is maintained without unauthorized deletions or revisions. Maliciously or unintentionally altered data can be just as damaging to an organization as stolen or compromised data.
- Availability mandates that authentication processes, access channels, and systems need to be kept in good working order. That way, the data is where people need it, when they need it.
The importance of data security
For any business in any vertical, data is a source of predictive power, actionable insights, and operational efficiency. Data security ensures that valuable information is kept safe, and that your organization can continue to build its reputation as a trustworthy business.
The benefits of following data security best practices
- Protection from exposure. Data security ensures sensitive information stays where it’s supposed to be, and isn’t affected by leaks or breaches.
- Maintained stakeholder confidence. Your customers, employees, and partners can rest easy knowing their information is protected and secure.
- Manageable costs. The price of getting outdated security systems up to speed can be prohibitive. The sooner you take a holistic approach to data security, the sooner your developers can go back to focusing on their primary mandates.
- Plotting a course for the future. By preventing data leaks and keeping your plans safely hidden from your competitors, your organization stands a better chance of being first out of the gate on new initiatives.
The risks of ignoring data protection and security
When it comes to data, many benefits are also potential risks.
- Leaving the door open to attackers. Stored financial or payment data allows companies to maintain an easy transactional relationship with their customers. But this is exactly the type of information that a hacker wants to acquire and exploit in order to reach a payout.
- Exposure to legal action. Depending on the severity of the breach, a failure in data security can result in hefty fines and costly litigation for your organization.
- Loss of business-critical data. It’s one thing for attackers to steal and exploit existing information; it’s another thing altogether for them to delete that information so your company can no longer use it. Hostage viruses like ransomware mean your organization could face both the inability to access data and a decline in business as a result of that loss.
- Reputational injury. Customers are understandably unwilling to do business with companies that can’t keep their information protected. Becoming known as an unsafe organization can mean your company loses more than just customer confidence.
Through proper data security, corporate reputations can be bolstered; without it, they can be permanently damaged. Data breaches erode consumer trust as well as profit margins, resulting in average costs of $242 per stolen record.
Data security considerations
Organizations should regularly revisit and clarify their approach to data security to ensure they’re still protecting their customers and teams. Your processes should be adaptive, and take the following factors into account:
- The size of your company and where you’re located
- Whether you have a localized or dispersed perimeter (hint: it’s becoming more and more dispersed)
- The kinds of devices you need to secure, whether desktop or mobile
- Where your sensitive data is stored and who has access to it
- Your team’s current level of data security knowledge and the time they have available for monitoring and maintenance
- What data you’re currently collecting from customers
- Whether you’ve already implemented continuous data monitoring and real-time alerting
Data in motion, data at rest
When reviewing and securing data, it’s important to have different considerations for data that’s in motion and data that’s at rest.
- Data at rest is data that is not traveling between networks or devices. Because it is not in transit, it is not at risk of interception; instead, a hacker's goal would be to gain access to the drive or cloud storage where it is kept. Data at rest needs to be kept secure on an infrastructure level and also on an employee level. In either case, administrators will want to ask themselves: what external and internal controls do I have in place?
- Data in motion is data that is being transferred between networks or between the cloud and local devices. This is data that can potentially be intercepted or altered as it moves from one place to the other, so hackers will attempt to compromise those connections. As consumers and employees increase the number of devices they use to access sensitive information, the number of connections that need to be protected increases as well.
Applications with multi-factor authentication (MFA) can ensure that people are who they say they are when they access information, but then there's the in-between—when data is in transit—where strong encryption is required.
At the same time, the use of Transport Layer Security (TLS) protocols allows data to travel in an accurate, consistent, and private way. TLS is widely considered to be better than its variants and predecessors, due to its message authentication, key-material generation, and other encryption algorithms.
Types of security controls
Data security technologies and controls can be used to safeguard data. There’s a wide array of effective technologies and practices, but some of the top data security methods include the following:
- Authentication and authorization technology does the work of confirming that a user's credentials (whether a password, PIN, biometrics, or security tokens) are correct, and determines which apps and services they are approved to access.
- Data auditing captures who has access to data and when it was accessed, providing useful information in the event of a breach. Automated data auditing can keep your data secure without adding to your teams’ workloads.
- Encryption uses an algorithm and encryption key to turn regular text into ciphertext. Without the key, ciphertext is illegible to both the sender and the receiver, adding a layer of security to your communications and data.
- API access management gives administrators a method of centralized authorization, which could be an extreme time-saver if they’re responsible for multiple app development teams and gateway vendors. With API access management taken care of, developers are freed to focus on enhancing their product and delivering optimal user experiences.
- Data masking or obfuscation is a cybersecurity method that hides original data by creating a structurally similar version. This allows data to be used for testing and development purposes in a high-fidelity manner while eliminating the hurdles of user clearances.
- Real-time alerts bring exposed sensitive data to your attention as it happens, identifying breaches early. It takes companies an average of 206 days to notice a data leak; an alerting system can save your business months of compromised information.
- Scheduled backups and recovery protocols ensure you have a plan in place to minimize the effects of system failure or security breach. Having secure backups stored away from your regular workflows keeps your information available even if an attacker accesses your main system.
- Incident management enables you to have a planned response if a breach does occur. Build a comprehensive protocol so that everyone from administrators to management knows what steps to take in the event of a successful attack. Back up your processes with a data recovery plan.
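To make the data masking item above concrete, here is a format-preserving masking routine. It is an added example, not code from the original article or from any vendor it mentions; the key, the field names, and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import string

# Constructed demo key (assumption). A real key would live in a secrets manager
# and never be shipped to the test or development environment.
MASKING_KEY = b"constructed-demo-key-not-for-production"


def _keystream(key: bytes, field: str, value: str):
    """Yield pseudo-random bytes from HMAC-SHA256(key, field | value | counter)."""
    counter = 0
    while True:
        msg = f"{field}\x00{value}\x00{counter}".encode("utf-8")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def mask_value(value: str, field: str, key: bytes = MASKING_KEY) -> str:
    """Return a structurally similar stand-in for value.

    Digits stay digits, letters keep their case, and separators stay in place.
    The mapping is keyed and deterministic, so equal inputs in the same field
    mask to equal outputs and joins between masked tables still line up.
    """
    stream = _keystream(key, field, value)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(string.digits[next(stream) % 10])
        elif ch.isalpha():
            # Non-ASCII letters are mapped to ASCII so they cannot leak through.
            letters = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(letters[next(stream) % 26])
        else:
            out.append(ch)  # punctuation and whitespace define the format
    return "".join(out)


def mask_record(record: dict, sensitive_fields: set) -> dict:
    """Mask only the listed string fields; everything else passes through."""
    return {k: mask_value(v, k) if k in sensitive_fields and isinstance(v, str) else v
            for k, v in record.items()}


# Constructed sample record, not real customer data.
SAMPLE = {"id": 1042, "name": "Dana Smith", "birthdate": "1984-07-21",
          "card": "4111-1111-1111-1111", "plan": "pro"}

if __name__ == "__main__":
    print(mask_record(SAMPLE, {"name", "birthdate", "card"}))
```

The masking here preserves structure at the character level only: a masked birthdate may not be a valid calendar date, and a masked card number will generally not pass a checksum. Fields that are validated semantically need a field-specific generator.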
Data security best practices
Modern digital partnerships mean that companies have access to a clearer, more collaborative form of cybersecurity. The shared security responsibility model lays out the distinct responsibilities of both customers and providers, ensuring that hackers aren’t able to take advantage of any confused expectations. Cloud providers and cybersecurity vendors offer infrastructure security, and are responsible for thwarting attacks, snooping, and other attempted exploitations; meanwhile, their customers take ownership of their applications, content, and settings.
Along with clear responsibility sightlines, secure user authentication is a critical aspect of data security best practices, and it can be approached with the following processes:
- SSO: With single sign-on (SSO), users have the convenience of authenticating to multiple applications and websites, both behind the firewall and in the cloud, through one login. This reduces time and costs, and also makes authentication systems especially critical.
- MFA: Analyzing the context of a login, MFA verifies a user’s identity by requesting two or more credentials and doesn’t rely on passwords. Okta’s annual Businesses @ Work (from Home) report depicted a shift in how companies are using MFA: they’re adopting fewer but stronger authentication factors. Okta Verify and Google Authenticator are gaining popularity over factors like SMS, which is easily deployed but also easily compromised.
- Passwordless authentication: By verifying users’ identities through email magic links, factor sequencing, or WebAuthn, passwordless authentication removes the risks associated with weak or stolen passwords.
- Training: Educate your teams to protect your business from common data security threats, whether that’s spear-phishing emails or poor data use practices. Have security policies and guidelines at hand, and run regular refresher courses.
Data security standards
As new technologies change the fabric of daily life, there is an increased amount of attention paid to data governance and regulations. These are a few to be aware of.
- The Health Insurance Portability and Accountability Act (HIPAA) blazed the regulatory trail, in many respects, in 1996. It was meant to modernize the flow of healthcare information. HIPAA compliance requires continual monitoring, need-to-know access controls, and the maintenance of detailed activity records.
- The Sarbanes-Oxley Act of 2002 established auditing and financial requirements for public companies, which includes continuous monitoring and detailed reporting.
- General Data Protection Regulation (GDPR) has commanded a large amount of industry attention since it was launched by the EU. It aims to give individuals greater control over their personal data. GDPR prompts organizations to develop clear, deliberate plans for data governance, to live by them, and to continually monitor their compliance or else face hefty fines.
- The California Consumer Privacy Act (CCPA) is a state statute that took inspiration from GDPR and that could be the predecessor to a federal-level, generalized consumer data privacy law. Through the CCPA, consumers have the right to access the personal data that has been collected about them and to ask for it to be deleted, along with other new rights.
Your cybersecurity tools and services need to be designed, built, maintained, and monitored to limit risks and boost opportunities. The CIA triad, cybersecurity standards, data regulations, and industry-specific considerations establish the goalposts, but proactive testing and innovation ensure that your goals are met. And third-party research firms and public bug bounty programs can help companies identify any oversights.
By being proactive, implementing tight controls, adhering to best practices, and remaining compliant, your organization can continue leveraging the power of data—at rest, in motion, or in use—with confidence.