data security


Upload: ankitakashyap

Post on 30-Jul-2015


Page 1: Data Security

SECURITY

Definition

Security is “The quality or state of being secure to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.

A successful organization has multiple layers of security in place to protect its operations:

• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse

• Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations

• Operations security, to protect the details of a particular operation or series of activities

• Communications security, to protect communications media, technology, and content

• Network security, to protect networking components, connections, and contents

• Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

Ankita_Kashyap 1

In a time when mobility is the present and future of IT, allowing employees to access a network from a remote location, such as their home or a project site, can increase the value of the network and the efficiency of the employee. Unfortunately, remote access to a network also opens a number of vulnerabilities and creates difficult security challenges for a network administrator.

As companies make an effort to adapt to the new, mobile IT world, fundamental business operations increasingly rely on the Internet, leaving them exposed to growing threats. Today we all need to continually address spam and viruses, which plague email worldwide, and spyware that attaches itself to users' PCs even through innocent Web surfing.

Personal Data

Personal data are defined in the Data Protection Act as follows:

"data which relate to a living individual who can be identified:

• from those data; or

• from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

The DPA applies to all personal data relating to living individuals, including names, addresses, etc. The DPA also distinguishes between "ordinary" personal data and sensitive personal data, imposing more stringent conditions for processing the latter. Sensitive personal data consists of information as to:

• racial or ethnic origin;

• political opinions;

• religious beliefs or other beliefs of a similar nature;

• membership of a trade union;

• physical or mental health;

• the commission, or alleged commission of, any offence; and

• any proceedings for any offence committed or alleged to have been committed and the outcome of such proceedings.

Sensitive personal data does not include financial records or other information that individuals may regard as private or confidential.

The DPA applies to data held on computers and to manual data, such as paper files, which is structured either by reference to individuals or to criteria relating to individuals where that personal data is readily accessible. Where personal data in manual folders or documents is not readily accessible (for example, a box of documents that are in no particular order), the DPA may not apply, meaning that the data subject is not entitled to inspect their personal data further to a subject access request. These are discussed further below.

Data Security

Definition

Data security is the process of protecting information systems and their data from unauthorized, accidental or intentional modification, destruction or disclosure. The protection includes the confidentiality, integrity and availability of these systems and data.

Risk assessment, mitigation and measurement are key components of data security. To maintain a secure environment, data security protocols require that any changes to data systems have an audit trail, which identifies the individual, department, time and date of any system change. Companies utilize personnel, policies, protocols, standards, procedures, software, hardware and physical security measures to attain data security. Data security may include one or a combination of all of these.

Data security is not confined to the Information Services or Information Technology departments, but will involve various stakeholders including senior management, the board of directors, regulators, internal and external auditors, partners, suppliers and shareholders.

Data security encompasses the security of the Information System in its entirety.

The U.S. National Information Systems Security Glossary defines Information Systems Security (INFOSEC) as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.“

Protecting data from unauthorized access is one component of data security that receives a great deal of attention. The concern for data protection extends beyond corporate concerns and is a high-priority consumer interest as well. Data can be protected against unauthorized access through a variety of mechanisms. Passwords, digital certificates and biometric techniques all provide a more secure method to access data. Once the user has been authenticated and authorized, sensitive information can be encrypted to prevent spying or theft. However, even the most sophisticated data security programs and measures cannot prevent human error. Security safeguards must be adhered to and protected to be effective.

Information is typically categorized as being in either a structured format or an unstructured format. The meaning of these terms is subject to different interpretations by divergent groups.

Structured and Unstructured Data

Structured data is data that conforms to some sort of strict data model and is confined by that model. The model might define a business process that controls the flow of information across a range of service-oriented architecture (SOA) systems.

Database Security Concepts

Architecturally, relational databases function in a client-server manner (although they can certainly be used as part of multitier applications). That is, a client computer, application, or user can only communicate directly with the database services that are running. They cannot directly access the database files, as can be done with “desktop” database systems, such as Microsoft Access. This is an important point, since it allows security configuration and management to occur at the database level, instead of leaving that responsibility to users and applications.

Databases can be used in various capacities, including:

• Application support:

Ranging from simple employee lists to enterprise-level tracking software, relational databases are the most commonly used method for storing data. Through the use of modern databases, users and developers can rely on security, scalability, and recoverability features.

• Secure storage of sensitive information:

Relational databases offer one of the most secure methods of centrally storing important data. As we’ll see throughout this chapter, there are many ways in which access to data can be defined and enforced. These methods can be used to meet legislative requirements in regulated industries (for example, the HIPAA standard for storing and transferring healthcare-related information) and generally for storing important data.

• Online transaction processing (OLTP):

OLTP services are often the most common functions of databases in many organizations. These systems are responsible for receiving and storing information that is accessed by client applications and other servers. OLTP databases are characterized by having a high level of data modification (inserting, updating, and deleting rows). Therefore, they are optimized to support dynamically changing data. Generally, they store large volumes of information that can balloon very quickly if not managed properly.

• Data warehousing:

Many organizations go to great lengths to collect and store as much information as possible. But what good is this information if it can’t easily be analyzed? The primary business reason for storing many types of information is to use this data eventually to help make business decisions. Although reports can be generated against OLTP databases, there are several potential problems:

• Reports might take a long time to run, and thus tax system resources. If reports are run against a production OLTP server, overall system performance can be significantly decreased.

• OLTP servers are not optimized for the types of queries used in reporting, thus making the problem worse.

• Reporting requirements are very different. In reporting systems, the main type of activity is data analysis.

• OLTP systems get bogged down when the amount of data in the databases gets very large. Therefore, production OLTP data must often be archived to other media or stored in another data repository.

Relational database platforms can serve as a repository for information collected from many different data sources within an organization. This database can then be used for centralized reporting and by “decision support” systems.

Database Security Layers

Server-Level Security

A database application is only as secure as the server it is running on. Therefore, it’s important to start considering security settings at the level of the physical server or servers on which your databases will be hosted. In smaller, simple configurations, you might need to secure only a single machine. Larger organizations will likely have to make accommodations for many servers. These servers may be geographically distributed and even arranged in complex clustered configurations. One of the first steps you should take in order to secure a server is to determine which users and applications should have access to it. Modern database platforms are generally accessible over a network, and most database administration tasks can be performed remotely. Therefore, other than for purposes of physically maintaining database hardware, there’s little need for anyone to have direct physical access to a database. It’s also very important to physically protect databases in order to prevent unauthorized users from accessing database files and data backups. If an unauthorized user can get physical access to your servers, it’s much more difficult to protect against further breaches.

Network-Level Security

Databases work with their respective operating system platforms to serve users with the data they need. Therefore, general operating system and network-level security also applies to databases. If the underlying platform is not secure, this can create significant vulnerabilities for the database. Since they are designed as network applications, you must take reasonable steps to ensure that only specific clients can access these machines. Some standard “best practices” for securing databases include limiting the networks and/or network addresses that have direct access to the computer. For example, you might implement routing rules and packet filtering to ensure that only specific users on your internal network will even be able to communicate with a server.

Of course, few real-world databases work alone. Generally, these systems are accessed directly by users, and often by mission-critical applications. Later in this chapter, we’ll look at some methods for mitigating risks related to Internet-accessible applications.

Data Encryption

Another method for ensuring the safety of database information is to use encryption. Most modern databases support encrypted connections between the client and the server. Although these protocols can sometimes add significant processing and data transfer overhead (especially for large result sets or very busy servers), the added security may be required in some situations. Additionally, through the use of virtual private networks (VPNs), systems administrators can ensure that sensitive data remains protected during transit. Depending on the implementation, VPN solutions can provide the added benefit of allowing network administrators to implement security without requiring client or server reconfiguration.

Operating System Security

On most platforms, database security goes hand in hand with operating system security. Network configuration settings, file system permissions, authentication mechanisms, and operating system encryption features can all play a role in ensuring that databases remain secure. For example, on Windows-based operating systems, only the NTFS file system offers any level of file system security (FAT and FAT32 partitions do not provide any file system security at all). In environments that use a centralized directory services infrastructure, it’s important for systems administrators to keep permissions settings up to date and to ensure that unnecessary accounts are deactivated as soon as possible. Fortunately, many modern relational database platforms can leverage the strengths of the operating systems that they run on.

Database Backup and Recovery

An integral part of any overall database security strategy should be providing for database backup and recovery. Backups serve many different purposes. Most often, it seems that systems administrators perform backups to protect information in the case of server hardware failures. Although this is a very real danger in most environments, it’s often not the most likely. Data can be lost due to accidental human errors, flawed application logic, defects in the database or operating system platform, and, of course, malicious users who are able to circumvent security measures. In the event that data is incorrectly modified or destroyed altogether, the only real method to recover information is from backups.

Since all relational database systems provide some method for performing database backups while a server is still running, there isn’t much of an excuse for not implementing backups. The real challenge is in determining what backup strategies apply to your own environment. You’ll need to find out what your working limitations are. This won’t be an easy task, even in the best-managed organizations. It involves finding information from many different individuals and departments within your organization. You’ll have to work hard to find existing data, and make best guesses and estimates for areas in which data isn’t available.

To further complicate issues, there are many constraints in the real world that can affect the implementation of backup processes. First, resources such as storage space, network bandwidth, processing time, and local disk I/O bandwidth are almost always limited. Additionally, human resources—especially knowledgeable and experienced database administrators—may be difficult to find. And, performance requirements, user load, and other factors can prevent you from taking all the time you need to implement an ideal backup solution.

Types of Database Backups

In an ideal world, you would have all of the resources you need to back up all of your data almost instantly. However, in the real world, large databases and performance requirements can often constrain the operations that can be performed (and when they can be performed). Therefore, you’ll need to make some compromises. For example, instead of backing up all of your data hourly, you might have to resort to doing full backups once per week and smaller backups on other days. Although the terminology and features vary greatly between relational database platforms, the following types of backups are possible on most systems:

• Full backups: This type of backup consists of making a complete copy of all of the data in a database. Generally, the process can be performed while a database is up and running. On modern hardware, the performance impact of full backups may be almost negligible. Of course, it’s recommended that database administrators test the performance impact of backups before implementing an overall schedule. Full backups are the basis for all other types of backups. If disk space constraints allow it, it is recommended to perform full backups frequently.

• Differential backups: This type of backup consists of copying all of the data that has changed since the last full backup. Since differential backups contain only changes, the recovery process involves first restoring the latest full backup and then restoring the latest differential backup. Although the recovery process involves more steps (and is more time-consuming), the use of differential backups can greatly reduce the amount of disk storage space and backup time required to protect large databases.

• Transaction log backups: Relational database systems are designed to support multiple concurrent updates to data. In order to manage contention and to ensure that all users see data that is consistent to a specific point in time, data modifications are first written to a transaction log file. Periodically, the transactions that have been logged are then committed to the actual database. Database administrators can choose to perform transaction log backups fairly frequently, since they only contain information about transactions that have occurred since the last backup. The major drawback to implementing transaction log backups is that, in order to recover a database, the last full (or differential) backup must be restored. Then, the unbroken chain of sequential transaction log files must be applied. Depending on the frequency of full backups, this might take a significant amount of time. However, transaction log backups also provide one extremely important feature that other backup types do not: point-in-time recovery. What this means is that, provided that backups have been implemented properly, database administrators can roll a database back to a specific point in time. For example, if you learn that an incorrect or unauthorized database transaction was performed at 3:00 p.m. on Friday, you will be able to restore the database to a point in time just before that transaction occurred. The end result is minimal data loss.
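The restore order and point-in-time recovery described above, as an added example (not code from the original slides): a toy key-value database with full, differential and transaction-log backups, where the restore verifies that the log chain is unbroken before applying it and can stop just before an unwanted transaction. The integer timestamps, account keys and the `ToyDatabase`/`restore` names are constructed for the illustration.

```python
"""Toy model of full, differential and transaction-log backups with
point-in-time recovery. Added example; not code from the original slides.
Timestamps are plain integers (hours into the week) to stay self-contained."""
from copy import deepcopy


class ToyDatabase:
    """Tiny key-value store that, like a relational engine, writes every
    change to a transaction log before applying it to the data."""

    def __init__(self):
        self.rows = {}   # committed data
        self.log = []    # (seq, time, key, value) not yet captured by a log backup
        self.seq = 0     # log sequence number; lets a restore verify the chain

    def write(self, t, key, value):
        self.seq += 1
        self.log.append((self.seq, t, key, value))
        self.rows[key] = value

    def full_backup(self, t):
        """Complete copy of the data plus the log position it corresponds to."""
        return {"type": "full", "time": t, "last_seq": self.seq,
                "rows": deepcopy(self.rows)}

    def differential_backup(self, t, last_full):
        """Only the rows changed since the given full backup."""
        changed = {k: v for k, v in self.rows.items()
                   if last_full["rows"].get(k) != v}
        return {"type": "diff", "time": t, "last_seq": self.seq, "rows": changed}

    def log_backup(self, t):
        """Copies the log entries since the previous log backup and truncates them."""
        entries, self.log = self.log, []
        return {"type": "log", "time": t, "entries": entries}


def restore(full, diff, log_backups, until=None):
    """Restore order from the slides: latest full, then latest differential, then
    the unbroken chain of log backups, optionally stopping at time `until`
    (point-in-time recovery). Raises ValueError if a log backup is missing."""
    rows = deepcopy(full["rows"])
    base = full
    if diff is not None:
        rows.update(diff["rows"])
        base = diff
    expected = base["last_seq"] + 1        # first log entry the base lacks
    for backup in sorted(log_backups, key=lambda b: b["time"]):
        for seq, t, key, value in backup["entries"]:
            if seq <= base["last_seq"]:
                continue                   # already reflected in the full/diff
            if seq != expected:
                raise ValueError(f"broken log chain: expected seq {expected}, got {seq}")
            expected += 1
            if until is not None and t > until:
                return rows                # stop just before the bad transaction
            rows[key] = value
    return rows


def demo():
    """Constructed week: weekly full, midweek differential, frequent log backups,
    and an unauthorized change at t=111 (Friday 3 p.m.)."""
    db = ToyDatabase()
    db.write(1, "acct:1", 100)
    db.write(2, "acct:2", 50)
    full = db.full_backup(3)
    db.write(10, "acct:1", 120)
    log1 = db.log_backup(11)
    diff = db.differential_backup(50, full)
    db.write(60, "acct:2", 75)
    log2 = db.log_backup(61)
    db.write(111, "acct:1", 0)               # the unauthorized transaction
    db.write(112, "acct:3", 10)
    log3 = db.log_backup(113)
    return {"current": dict(db.rows),
            "point_in_time": restore(full, diff, [log1, log2, log3], until=110),
            "latest": restore(full, None, [log1, log2, log3]),
            "backups": (full, diff, [log1, log2, log3])}
```

Dropping `log2` from the chain makes `restore` raise, which is the "unbroken chain" requirement the slides mention.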

Database Auditing and Monitoring

The idea of accountability is an important one when it comes to network and database security. The process of auditing involves keeping a log of data modifications and permissions usage. Often, users that are attempting to overstep their security permissions (or users that are unauthorized altogether) can be detected and dealt with before significant damage is done; or, once data has been tampered with, auditing can provide details about the extent of loss or data changes. There’s another benefit to implementing auditing: when users know that certain actions are being tracked, they might be less likely to attempt to snoop around your databases. Thus, this technique can serve as a deterrent. Unfortunately, in many environments, auditing is overlooked.

Though it won’t necessarily prevent users from modifying information, auditing can be a very powerful security tool. Most relational databases provide you with the ability to track specific actions based on user roles or to track actions on specific database objects.
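An added example (not from the original slides) of the audit trail described here and in the data security definition above: each attempt records the individual, department, time and before/after values, and two queries then show who is repeatedly overstepping their permissions and the extent of changes after a given time. The `PERMISSIONS` and `USERS` tables and the activity in `demo()` are constructed.

```python
"""Toy audit trail for a database, queried the way an investigator would.
Added example; not code from the original slides. Roles, users and activity
are constructed for the illustration."""
from collections import Counter

# Constructed role model: operations each role may perform on each table.
PERMISSIONS = {
    "clerk":    {"payroll": {"select"}, "employees": {"select"}},
    "hr_admin": {"payroll": {"select", "update"},
                 "employees": {"select", "update", "delete"}},
}
# Constructed users: name -> (role, department).
USERS = {"alice": ("clerk", "finance"),
         "bob": ("hr_admin", "hr"),
         "mallory": ("clerk", "finance")}


class AuditedStore:
    """Every attempt, allowed or denied, is written to the audit trail with the
    individual, department, time and the before/after values of any change."""

    def __init__(self):
        self.tables = {"payroll": {}, "employees": {}}
        self.audit = []

    def execute(self, user, action, table, key, value=None, t=0):
        role, dept = USERS[user]
        allowed = action in PERMISSIONS[role].get(table, set())
        rows = self.tables[table]
        before = rows.get(key)
        result = None
        if allowed:
            if action == "update":
                rows[key] = value
            elif action == "delete":
                rows.pop(key, None)
            result = rows.get(key)
        self.audit.append({"time": t, "user": user, "dept": dept,
                           "action": action, "table": table, "key": key,
                           "before": before, "after": rows.get(key),
                           "outcome": "allowed" if allowed else "denied"})
        return result


def repeat_offenders(store, threshold=2):
    """Users whose denied attempts reach the threshold: the 'overstepping
    permissions' pattern the slides say auditing can surface early."""
    denied = Counter(e["user"] for e in store.audit if e["outcome"] == "denied")
    return {u: n for u, n in denied.items() if n >= threshold}


def changes_since(store, t0, table):
    """Extent of data changes from time t0 on: who changed which row, from what to what."""
    return [(e["time"], e["user"], e["dept"], e["key"], e["before"], e["after"])
            for e in store.audit
            if e["table"] == table and e["outcome"] == "allowed"
            and e["action"] in ("update", "delete") and e["time"] >= t0]


def demo():
    """Constructed activity: an HR admin's legitimate edits and a clerk probing
    beyond their role."""
    s = AuditedStore()
    s.execute("bob", "update", "payroll", "emp7", 50000, t=1)
    s.execute("mallory", "select", "payroll", "emp7", t=2)      # allowed
    s.execute("mallory", "update", "payroll", "emp7", 1, t=3)   # denied
    s.execute("mallory", "delete", "employees", "emp7", t=4)    # denied
    s.execute("mallory", "update", "payroll", "emp7", 1, t=5)   # denied
    s.execute("bob", "update", "payroll", "emp7", 52000, t=6)
    return s
```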

Although auditing can provide an excellent way to track detailed actions, sometimes you just want to get a quick snapshot of who’s using the server and for what purpose. Most databases provide easy methods for viewing this information (generally through graphical utilities). You may be able to get a quick snapshot of current database activity or view any long-running transactions that are currently in process.

The Data Protection Principles

1. Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met (set out in schedules 2 and 3 to the DPA).

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under the DPA.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Eight Data Protection Act Principles

The act contains eight “Data Protection Principles”. These specify that personal data must be:

1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the “data subject’s” (the individual’s) rights.
7. Securely kept.
8. Not transferred to any other country without adequate protection in situ.

Data Collection

When collecting personal data make sure that people know:

1. Who you are
2. What the data will be used for
3. To whom it will be disclosed.

This information can often be provided on an application form or similar. It is equally important NOT to collect more personal data than is actually needed.

Handling Data

When handling, collecting, processing or storing personal data, ensure that:

1. All personal data is both accurate and up to date
2. Errors are corrected effectively and promptly
3. The data is deleted/destroyed when it is no longer needed
4. The personal data is kept secure at all times (protecting from unauthorized disclosure or access)
5. The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose. Note that this may affect the existing registration with the Data Protection Authority
6. Written contracts are used when external bodies process/handle the data, explicitly specifying the above requirements with respect to the data

It is equally important NOT to:

1. Access personal data that you do not need for your work
2. Use the data for any purpose it was not explicitly obtained for
3. Keep data that would embarrass or damage YOUR-COMPANY if disclosed (eg: via a subject access request – see below)
4. Transfer personal data outside of the European Economic Area unless you are certain you are entitled to, or consent from the individual concerned has been obtained
5. Store/process/handle sensitive personal data (see below) unless you are certain you are entitled to, or consent from the individual concerned has been obtained

Subject Access

Individuals, who the data relates to, have various rights:

1. To receive on request details of the processing relating to themselves. This includes any information about themselves, including information regarding the source of the data and about the logic of certain “fully automated decisions”
2. To have any inaccurate data corrected or removed in a timely fashion
3. In certain circumstances, to stop processing likely to cause “substantial damage or substantial distress”
4. To prevent their data being used for advertising or marketing
5. Not to be subject to certain “fully automated decisions” if they significantly affect him/her.

When a subject access request is received, it is important to act promptly and effectively, as certain time scales are imposed regarding the response.

'Sensitive Data' means data pertaining to: racial or ethnic origin; religious or similar beliefs; trade union membership; physical or mental health or sexual life; political opinions; criminal offences. This data may only be held in strictly defined situations or where explicit consent has been obtained.

'Data Controller' is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

'Subject Access' is the right of individuals to have access to the data about them and other related information.

'Notification' is the process of notifying the Data Protection Authority of the purposes for which personal data is held/processed.
