Data is the mountain of unorganized fact that inhabits our computer systems and networks. It is analogous to unrefined ore in mining: we mine ore and then process it until we end up with useful metals. Similarly, we mine our computer networks for raw data and process it until we end up with useful information.
It is amazing what information we can glean from seemingly innocent and unrelated facts! People can combine bits of data and deduce who we are, where we live, how we shop, how many kids we have and a plethora of other information that we don’t really want to be common knowledge. This is true not only on the personal level, but on the business and government levels as well. Hence the rise of laws like GDPR, the California Consumer Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act. We can expect more privacy and data protection laws from more states and countries in the future. To address these problems, it is very important for organizations to develop and maintain a data management policy and the processes necessary to carry it out.
Among the most important of these processes is data inventorying. A data inventory (or data map) should fully describe the data asset and should include such information as the data’s name, contents, ownership, classification (sensitivity level), retention factors, origin, and other considerations that are important to the organization. Setting up such an inventory may be a daunting task, but once in place, will greatly simplify complying with regulatory requirements and other data management tasks. Along with data inventorying, it recommended that data flows should be tracked. Knowing what data you have and where and how it flows across the network is vital to protecting it.
Another important consideration in data protection is ensuring access to specific data is limited to only those individuals with a legitimate need for that access. This is where access control lists come into play. Access control lists should be strictly maintained and reviewed regularly. It is important to adjust these lists immediately when individuals change jobs within the organization, quit or are terminated. It is also highly desirable to employ strong access controls such as MFA to ensure that the person who is accessing protected data is indeed the person they claim to be.
Another way to protect data is through the use of encryption. Encryption is highly effective in protecting data if it is implemented correctly. Data should be encrypted when at rest and when it is being transmitted across networks. This is especially important in keeping ransomware attacks from becoming devastating. Even if attackers gain access to private data on your system, encryption means they can’t actually read it. This limits their attack to availability only, and eliminates compromise of confidentiality, which can save the organization from regulatory and legal penalties. Strong encryption algorithms should be employed, and a usable and secure key management system should be employed. Encryption keys should be among the most highly protected data assets you have, and ideally should be air-gapped from the rest of the network.
Data backups should be made regularly depending on business requirements of the organization. Backups should be stored in more than one location and should be protected as diligently as information on your production network. Backups of sensitive data should be encrypted and tested on a regular basis.
In addition, access to sensitive data, it’s modification and disposal should be logged and monitored. This should include access to encryption keys and security logs themselves. Protecting and managing data is not easy, but will provide your organization with a bounty of advantages that could help your reputation and save you time and money in the long run.