The data that organizations hold is very important for their success. Unfortunately, your organization data may also hold importance to other organizations/ individuals. As a security professional you need to make sure that it is secure from unauthorized access.
Data Security can be defined as the protection of data from unauthorized (accidental or intentional or unintentional or malicious) modification, destruction, or disclosure. We can also define Data Security as the means protecting a database from destructive forces and the unwanted actions of unauthorized users.
The first thing an organization needs to do is figure out what sensitive data they possess, what is it's utility, and where it is located. Secondly, the organization needs to make sure that they segregate the important data. As a security professional, you need to minimize the storage of sensitive data to as few a devices as possible, and ensure that those devices are isolated from the network and the rest of the data. Maintainence of security information thus becomes easier.
Disk encryption refers to encryption technology that encrypts data on a hard disk drive. It is a process that ensures that files are always stored on a disk in an encrypted form. The files stored on the disk are available to the operating system and applications in readable form while the system is running and unlocked by a trusted user. Reading the encrypted sectors without permission will return garbled random-looking data instead of the actual files.
Data masking is the process of obscuring or masking specific data elements within data stores. We use data masking strategies and techniques to obscure or de-identify specific data within a database table or flat file ensuring the data security is maintained and sensitive customer information is not leaked outside the authorized environments. The data masking algorithms are applied across multiple tables, applications and environments, so, referential and business integrity will always be maintained. Other terms for "data masking" may include: data obfuscation, data scrambling, data anonymization and data cleansing.
Data Encryption VS Data Masking
As a data security professional there lies a common misconception that data encryption is a form of data masking.
As we know, encryption is a process for securing communications from unauthorized eavesdropping. On the other hand data masking is a process or method used to protect the content of data in environments other then production while ensuring the referential integrity of the original production data is maintained. Since the only purpose is to protect the data with no aim to re-construct the original data, we should see the process of data masking to be irreversible.
Data erasure, also known as, data clearing or data wiping is a software-based method of overwriting data that completely destroys all electronic data residing on a hard disk drive or other digital media. When media is erased it is also said to be sanitized. In the military or government terms, data erasure means to erase information from the media so that it is not retrievable using routine OS (operating system) commands or available recovery software products.
If you fail to erase data properly it could result in:
- Identity theft
- Government and/or civil liability
- Fines or lawsuits
- Damage to an organization’s reputation
- Loss in consumer confidence
Destroying data can be challenging. Even damaged hard drives still contain data which can be recovered by experts. In order to ensure that data is completely destroyed beyond recovery, it is imperative to use a secure method of data erasure.
Methods of Data Destruction
The following are most commonly used methods of data destruction:
- Physical destruction
- Software Overwrite
All Delete and Format commands (even with switches such as Format C: /D) affect only the File Allocation Table (FAT) and does not actually erase any data. Until the “deleted” data is overwritten with other data, it still exists and poses a significant danger to any organization. Deleting/formatting data is an extremely ineffective method of data destruction and should be avoided.
When we degauss, the process involves using a machine that produces a strong electromagnetic field to destroy all magnetically recorded data. This process of data destruction was effective in the past as a strong electromagnetic field was not needed to destroy data. However, with the use of modern hard drives, a much stronger electromagnetic field is required in order to ensure a complete erasure. There is no way to guarantee that a particular degassing machine will do a thorough job and therefore poses a security risk.
When we use the process of physical destruction, hard drives and other storage media are usually shredded into tiny pieces by large mechanical shredders/machines. This is considered an effective way of destroying data and preventing data. Drilling holes in a hard drive is another method of physical destruction. It is important to remember that mechanical shredding, drilling and hammering don’t actually destroy data but make the drive inoperable preventing data recovery.
A software based data destruction process involves using a special application or software program to write patterns of meaningless data onto each of the hard drive’s sectors. This process works by overwriting the data with a combination of 1’s and 0’s. The level of security depends on the number of times the entire hard drive is written over. This process is also known as zeroization.
We provide CISM training programs in the following cities: