Authorized Access: 5 fast facts about data protection

For IT administrators, keeping up with security can get overwhelming. Keep up with software patches, secure the endpoint, monitor incoming and outgoing traffic, and the list goes on. Even with all that, it feels like the data is still not secure.

IT has traditionally focused on perimeter security and network-based monitoring to detect when outsiders are coming into the network and trying to access data, or on worrying about what devices the attacker may try to use. The problem is that once the adversary has made it into the network, the adversary no longer looks malicious. If the breach was the result of stolen user account credentials, that attacker now looks like a normal user, with all the privileges and rights granted to that account.

Keeping that in mind, IT needs to shift its energies to a more data-centric view of security. It doesn’t pay to have all kinds of secure authentication and network monitoring tools in place if, once an attacker is in, all the data is in plain text and accessible through the database.

Administrators need to think about data protection – both for data at rest and while in transit. Below, we go over five things to keep in mind when protecting data from criminals, spies, and malicious insiders.

1. Identify your data security needs

The first step is to really understand what kind of data you have in the first place. Security is not about protecting every single file and piece of information the same way, but rather about applying appropriate levels of protection to different types of data. A proper audit will help identify all instances of data that need higher levels of protection because of compliance reasons, to be in line with security best practices, or because they happen to be the company’s crown jewels.

2. Encrypt the data

Encryption is a critical part of data-centric security. The file is encrypted using a strong encryption algorithm so that even when attackers breach the network barriers, the information is not accessible. Selecting strong encryption is important, as there is no security in using algorithms that have already been found to be weak or easy to brute-force.

Encryption doesn’t apply just to data on servers and databases, but also to data on endpoint devices, such as portable hard drives, laptops and USB sticks. That way, even if the device is lost, the information doesn’t get exposed.

3. Emphasize strong passwords

Employees need to be reminded to select strong passwords so that attackers can’t just brute-force their way into applications and servers to steal data. The IT department also has to make sure there are no default passwords or hard-coded passwords that can give attackers a backdoor into the network. Whether we are talking about default passwords for printers, VoIP systems, or content management systems, enemies try to break in using default login credentials.

4. Transfer files securely

Have policies set up so that employees know they shouldn’t just email sensitive documents around. Instead, they should be using secure file transfer services, where users can send encrypted messages or use secure networks to ensure the information does not leave corporate servers. The same policies should remind employees they shouldn’t be using open wireless networks without the protection of VPNs. Sending files to people over an open wireless network means anyone eavesdropping on the network would be able to intercept that file. Users should have access to encrypted USB drives for file transfer, as well.

5. Look into data leak prevention (DLP)

Invest in data leak prevention to make sure files are not leaving the enterprise network without authorization. DLP not only ensures that insiders aren’t sending out data without proper protection, but also guards against any malicious file transfers that may be occurring.
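The audit in step 1 and the content inspection behind DLP both come down to recognizing sensitive values inside files. The sketch below is an added example, not part of the original article: it counts Social Security numbers, card numbers and email addresses in constructed sample documents, using validity checks to cut false positives. The tier names and the `protection_tier` policy are hypothetical.

```python
import re

# Simple patterns for the data types the article names (assumed formats).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    bad_area = area in ("000", "666") or area[0] == "9"
    return not bad_area and group != "00" and serial != "0000"

def classify(text: str) -> dict:
    """Count validated sensitive values per category in one document."""
    counts = {"ssn": 0, "card": 0, "email": 0}
    for m in SSN_RE.finditer(text):
        counts["ssn"] += ssn_plausible(*m.groups())
    for m in CARD_RE.finditer(text):
        counts["card"] += luhn_ok(re.sub(r"\D", "", m.group()))
    counts["email"] = len(EMAIL_RE.findall(text))
    return counts

def protection_tier(counts: dict) -> str:
    """Hypothetical policy: regulated identifiers outrank contact data."""
    if counts["ssn"] or counts["card"]:
        return "restricted"
    return "internal" if counts["email"] else "general"

# Constructed sample documents (not real data).
SAMPLES = {
    "invoice.txt": "Card on file: 4111 1111 1111 1111, contact billing@example.com",
    "hr_export.csv": "name,ssn\nJ. Doe,123-45-6789\nTest,000-12-3456",
    "order_ids.log": "order 1234567812345678 shipped",   # 16 digits, fails Luhn
    "readme.txt": "Quarterly planning notes.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = classify(body)
        print(f"{name}: {found} -> {protection_tier(found)}")
```

The same matching logic serves both uses: run over file shares it gives the inventory for the audit, and run over outbound content it is the check a DLP rule applies before a file leaves.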

If you take steps to protect the data within the network, you make it harder for attackers to walk off with sensitive data. Perpetrators will take any data they can find on the company servers, such as Social Security numbers, email addresses, invoices, or credit card numbers, and just sell them for quick cash. Using these steps, IT administrators can drive up the cost of attack by making the stolen data hard to use, making it likely attackers will just move on to a weaker and easier target.

Fahmida Y. Rashid
Fahmida Y. Rashid is an analyst for networking and security at PCMag.com. She focuses on ways businesses can keep their data and networks secure without going bankrupt chasing after the wrong kinds of protection. Prior to landing at PCMag, she was a senior writer covering security, core Internet infrastructure, and open source at eWEEK. She was also a senior technical editor at CRN Test Center reviewing open source, storage, and networking products from 2007 to 2008. Before setting out her journalism shingle, she was a technology consultant, first at PricewaterhouseCoopers, and later with the Business Consulting Services group in IBM Global Services. She has worked in the trenches as help-desk, QA tester, software and Web developer, and network administrator.
Tags: IT Security,Technology