With breaches in data security ranging from large retailers such as Target and Neiman Marcus to universities including, most recently, the University of MD College Park, it is critical that every IT department take an aggressive approach to securing its data from external and internal threats and attacks. Having to publicize the exposure of data to your customers and the public can be extremely damaging to your reputation. It can become a stigma that makes current and future customers unwilling to share information with you, which may prevent them from doing further business with you entirely.
Liability insurance can take care of the costs associated with notifying those who were affected and providing credit monitoring, but it will never cover the losses in future revenue caused by the damage to your reputation and by customers unwilling to do business with you. While successfully implementing data security isn’t free, it can be done cost-effectively when using the right tools and architecture.
Data security is best accomplished in layers, because an attack that penetrates one layer will likely be stopped by the next. When it comes to data security, some of the most common protection methods include:
- Data encryption at the disk, file, or block device level
- Access controls on data shares and files to minimize who has access to the data
- Protecting data in flight with IP security (IPsec)
- Digital Rights Management to prevent access to data without continued authorization validation
- Access logging and auditing
- Two-factor authentication
One of the critical factors to success in implementing a sound data security model is making it easy to maintain, so that it doesn’t create such a burden or obstacle to use that people go around the process. The best architectures and tools become seamless and easy to manage. For encryption solutions, that usually means well-structured key management and public key infrastructure (PKI). For access control, it means a way of creating groups and granting and removing users' access quickly, without requiring users to create and remember a new or additional password.
Good security requires planning and forethought, but it is certainly a lot less work than cleaning up the mess after a data breach.