Keep Your Data Secure with a Layered Approach
You need to understand the advantages to a multilayered approach in order to deploy an effective data security program.
- By Troy Hiltbrand
- May 29, 2018
Data security is a hot topic these days. Between the constant threat of data hacks exposing sensitive data and the vast resources expended preparing companies for new laws such as the European Union's General Data Protection Regulation (GDPR), businesses are keenly aware of the impact and importance of data security. With all this occurring around us, the question is often: How do we implement an effective data security program that still allows us to successfully leverage our data to move our business forward?
One of the most popular answers is to apply a layered data security program, often referred to as defense in depth. What does this mean for the data professionals that are structuring, storing, and utilizing their company's data assets? Let's look at the six layers that are part of this approach to data security.
The Human Layer
The first layer is human beings. This is the hardest layer of security to control because average humans do not always behave as security experts would. Risky behavior could include leaving a list of passwords taped to the underside of their keyboard (or even sitting out in plain view) -- or emailing sensitive information such as credit card numbers through a public email system.
An effective security program addresses the challenge of humans with a combination of policy, setting norms for acceptable behavior, education, and engineered controls that mandate specific behavior. The best approach is to build policy and education into people's daily processes. You should continually test and re-emphasize security policies and then use engineered controls as a fail-safe for this education and testing. Teach employees, test them, and then have controls in place for when they fail.
The Physical Layer
The next layer includes the protections on the physical premises where your data is housed. From keys to codes to biometric controls, these prevent unauthorized people from entering and physically accessing the hardware storing your data. Protection can also include continuous surveillance monitoring to prevent nefarious individuals from compromising your security.
Under new European privacy laws, you must understand and control where your data centers are located around the world and what data is being stored in each location. This data inventory will help you prove that you are managing your data in accordance with customers' desires and government regulations.
The third layer is about protecting devices from running unauthorized programs that could jeopardize your data assets. This could include malicious software logging keystrokes, stealing data, causing a machine to crash, or encrypting data so that it becomes unusable to the organization.
This layer of defense includes disk encryption, management of locally installed applications, anti-virus and anti-malware software, and patch management to ensure that machines are up-to-date to prevent zero-day attacks.
The Network Layer
The network layer controls who has access to the data and from where. You should use firewalls that check network packets and deny those that do not meet defined requirements as well as intrusion detection and protection systems to ensure that unauthorized individuals cannot connect to the data. Another tactic is using Virtual Private Networks (VPNs), which let authorized remote users connect to the network through a secure tunnel that provides an added level of data protection.
Just as the physical security layer prevents people from physically accessing the computing resources where your data lives, the network layer ensures that people are not accessing your data systems virtually.
The Application Layer
We often expose our data through applications. For the next layer of data security, you need to ensure that each application is properly managing access to the data and cannot be compromised. This security layer includes active penetration testing and vulnerability scanning. Source code analysis can assess whether best practices are being employed in the application development process itself, thus limiting the potential for vulnerabilities.
The Data Layer
Finally, we have the protections around the data itself. Protecting the data can include identity and access management to control who accesses the data and what they can access. First, you must know what data you have and what components of that data need a higher level of protection. Second, you need rights management to establish who can view, update, create, and delete data of certain levels of security and sensitivity. Finally, you need a way to authorize and verify who a person is so they can receive the appropriate level of access rights. These fundamentals of identity and access management become a protective layer around your data.
Data backups also play a critical role at this layer. Your data security program should ensure that you can recover your data in the event of catastrophic system failure or data corruption.
In addition, the data within the system can be secured at multiple layers. The data can be stored on encrypted storage media or the data itself can have an additional layer of encryption or hashing to ensure that even if people access the data directly, they cannot do anything with it without encryption keys.
A Solid Security System
The goal of a multilayered approach to security is to ensure that the breach or failure of one level does not compromise the entire system of data protection. As your company secures its data assets, you need to take stock of these six levels of security and assess your next step for each layer. With this knowledge, you can create a more solid and effective data ecosystem that ensures that you data is both used in a way that delivers value to your business and properly and vigorously protected.
About the Author
Troy Hiltbrand is the chief digital officer at Kyäni where he is responsible for digital strategy and transformation. You can reach the author via email.