Sunday, 11 September 2022

Knowing and Protecting Your Data

Computer circuitry has crept into nearly everything we use nowadays, and almost all of it gathers information from us and about us. As a result, we are immersed in copious amounts of data, which is stored somewhere and, most of the time, not securely protected.

Today we are almost entirely reliant on IT departments at work; practically all organisations depend on enterprise-wide applications to support numerous key business processes, which create a mountain of information. Needless to say, IT infrastructure and business applications are becoming increasingly, and usually unnecessarily, complex; complexity is the worst enemy of security, and sometimes of performance too. As a consequence, we are losing control of storage and, therefore, of security. The more data we share, the bigger the security risk is.

Companies always strive to harness the power of data, but unfortunately the same effort is rarely put into securing access to it. There are laws about protecting information, but most people are either blissfully unaware of them or careless about them. Many of us know what could happen when our data ends up in the wrong hands.

What's more, people blame companies for data breaches, but why do we still expect companies to do all the work for us? Is it always someone else's responsibility? What do we do, as individuals, to protect our private data? Why do people carelessly keep sharing more and more personal data on the internet?

Organisations and individuals have something in common: they do not value their data enough to protect it properly, even though they know that leaving it unprotected exposes them to data loss, which in turn can tremendously impact their lives and businesses in terms of reputation, revenue, share value, market share, customer loyalty, etc.

Gone are the days when data lived peaceably in the data centre, accessed only by people working in the same building; today data is reachable over the internet, which opens the door to data loss, data leaks and data breaches. Almost everyone is aware of this, but only very few have robust security measures in place. Why? Because security is intangible until a disaster happens; this is exactly what recently happened at Uber: https://www.schneier.com/blog/archives/2022/09/massive-data-breach-at-uber.html. After that attack, Uber is recruiting security professionals en masse.

With more people going online all the time, security-threat reports show that attackers are now more professional, for commercial reasons. This is the business of cyber-crime, which has successfully adopted the same processes used to develop commercial products; for example, criminal gangs use logistics for malware deployment, manufacturing for malware production, investment for money laundering, sales for criminal actions, and business development using the internet for criminal mobility. However, note that many attacks are so easy to carry out because no basic security is in place, which is even more worrying.

The toughest part of protecting data is finding it. If we do not know where it is, how can we protect it? This is exactly what is happening at Facebook: https://www.schneier.com/blog/archives/2022/09/facebook-has-no-idea-what-data-it-has.html. When an organisation knows what it has and where it is, it can monitor how the data is accessed and used. So, knowing and controlling what we have is key; a broad approach to achieving this takes into account the following data-management activities:

  • Consistent creation and application of data-protection policies.
  • Discovery, classification and encryption of confidential data.
  • Organisation of data storage into tiers.
  • Digital rights management.

Of course, it is vital to harness the power of technology to protect data, but this is difficult to achieve because of people's carelessness. People are the weakest link in the security chain and are responsible for the failure of security systems. Much of what we call user error happens because we do not know what we are doing wrong or, even worse, because people know the possible consequences of not fixing security issues but have "no time" to take preventive measures; for example, business applications should not run with privileged rights, yet that bad practice persists. Also, unsurprisingly, weak passwords are still in use in so many systems, and encryption key management is still really poor. Why? It is evident that many people are careless about security risks and threats. This attitude toward security is the most worrying aspect to be changed, since security is everybody's responsibility, not someone else's.

While working as a senior SQL database administrator for many years, I have often come across database servers with hundreds of sysadmin logins used for different purposes, including running read-only processes such as reports. Why? The common answers I got were "just in case", "it's the way we ensure applications work" or, even worse, "it's the way it is".
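The following T-SQL is added here as an example and is not part of the original post. It shows how the situation above can be audited and corrected on SQL Server: list every login that holds sysadmin, flag SQL logins with a blank password or with the password policy switched off, and move a reporting login to db_datareader before removing it from sysadmin. The login name [ReportsApp] and the database name [SalesDB] are assumed for illustration.

```sql
-- 1) Detection: which logins hold the sysadmin fixed server role?
--    Every row is a login that can do anything on the instance, so
--    accounts used only for reporting should not appear here.
SELECT m.name      AS login_name,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2) Detection: SQL-authenticated logins with a blank password, or
--    created with CHECK_POLICY = OFF so Windows password rules never
--    applied. PWDCOMPARE tests a candidate password against the hash.
SELECT name,
       is_policy_checked,
       PWDCOMPARE(N'', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR PWDCOMPARE(N'', password_hash) = 1;

-- 3) Mitigation for a reporting login ([ReportsApp], assumed name) that
--    was granted sysadmin "just in case". Map it to the one database it
--    reads ([SalesDB], assumed name) as a read-only user first; while it
--    is still sysadmin it connects as dbo, so the mapping only takes
--    effect once the server role is removed.
USE [SalesDB];
CREATE USER [ReportsApp] FOR LOGIN [ReportsApp];
ALTER ROLE db_datareader ADD MEMBER [ReportsApp];

-- Remove the server-wide privilege (ALTER SERVER ROLE needs SQL Server
-- 2012 or later). Reports keep working through db_datareader.
USE [master];
ALTER SERVER ROLE sysadmin DROP MEMBER [ReportsApp];

-- Verify: returns 0 once the login is no longer a sysadmin member.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'ReportsApp') AS still_sysadmin;
```

Re-running the first query after step 3 should show the reporting login gone from the list; any application that then fails with a permissions error was relying on sysadmin for more than read access and needs its actual requirements granted explicitly.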

So, to better protect our data, we must change our attitude toward security in all its aspects.


HELLO, I'M PERCY REYES! A book lover and healthy-lifestyle lover. I've been working as a senior SQL Server Database Administrator (DBA) for over 20 years; I'm a three-time awarded Microsoft Data Platform MVP. I'm currently doing a PhD in Computer Science (cryptography) at Loughborough University, England, working on cryptographic Boolean functions, algorithmic cryptanalysis, number theory, and other algebraic aspects of cryptography.