According to IBM's 2021 report, the average data breach cost more than $4 million worldwide in 2021. In the United States, that number rises to $8 million. That's an over 10% increase over the previous year. So, data breaches are a significant business risk. But costs aren't the only reason to tighten your security. Breaches hurt your clients and your company's reputation.
You've seen data breaches in the news. Every day brings news of a fresh attack. So, it often seems that you can't protect your data. But you can protect your company's data if you understand data security controls.
In this post, we're going to talk about data security controls. First, we'll discuss what data security controls are and how they work. Next. we'll look at CIA and how to use it to evaluate controls. Then we'll cover how to protect your clients and your company from breaches.
Data Security Controls
Data security controls are policies, procedures, and mechanisms organizations use to protect themselves. They limit the of risk of data being lost, stolen, or misused. That covers a lot, which is why it's helpful to break them down into categories.
So, let's go over the goals of data security and the CIA triad first. They'll help us understand how the controls work. If you're not familiar with the triad, it's not related to the Central Intelligence Agency. It's a set of security concepts. You can apply them to any data security problem: Confidentiality, Integrity, Availability.
Confidentiality
If a piece of data is confidential, only some people should see it. Therefore, confidentiality controls enforce who can see information. This goal comes first so the acronym is easy to remember. Managing access is the primary role of data security.
A control can't manage who has access to data if it doesn't know who they are. As a result, the control needs to identify users. Then it needs tools to control who sees the data. So, with just the first letter in CIA, we need both authorization and access control lists.
Confidentiality activities include:
- Access Control Lists (ACLS) to enforce entitlements.
- Encryption to control who can decode and view information.
- OAuth systems that identify users.
- Two-factor systems that add an extra layer of protection to authentication.
Integrity
Data integrity ensures data is whole and accurate. You can't do that without controlling who can access it. You also need to track who does access it and how.
How complete an access log you need varies. It depends on legal requirements and regulatory rules. But you can't maintain integrity without knowing when someone altered data.
Data can change because of actions taken by users. So, many of the integrity and security controls overlap those for confidentiality. ACLs and authorization systems prevent unauthorized users from changing data. But, it can change because of faulty copies or transfers, too. Integrity requires more controls.
Here are two examples:
- Hashing that verifies data payloads.
- Signatures that verify message or file ownership.
Availability
Availability means users can get their data when they need it. It works hand-in-hand with integrity. If the contents of your data aren't correct, it's not available. Creating archives is an example of a data security control. So is storing data on high availability file systems and in reliable databases.
Six Types of Data Security Controls
CIA defines goals for your data security efforts. It's how you evaluate how effective each of your data security controls are. With it in mind, we can sort data security activities into six categories.
- Operational - the rules and processes to protect data.
- Administrative - the actions and policies to enforce standards.
- Architectural - how you connect systems.
- Technical - security controls and software.
- Response - how you respond to incidents.
- Visibility - controls to spot active threats.
Next, let's go over each of the data control types.
Operational Data Security Controls
Operational controls secure systems and applications. They comprise the policies and procedures for who can use IT assets. Access lists for computers, virtual machines, and networking gear are some examples. Another is a set of allowed operations for users. The difference between the policies and the tools is important. For example, the principle of least privilege is a common IT policy that all organizations should use. The policy is the operation security control. The software to put it in place is a technical control, as we'll see below.
Administrative Data Security Controls
Operational data security controls focus on systems and applications. Administrative controls work on data. They're the procedures and policies you define for data security standards. They define data handling processes and the penalties for violations. These policies protect you and your clients from data breaches. But, they ensure you stay in compliance with regulations like GDPR, too. Data security controls are a critical part of legal compliance.
Technical Data Security Controls
Operational controls define what to do to keep your systems and apps secure. Administrative controls do the same for data. The technical controls are the how. They're the software and hardware tools that put data security in place. An admin control says that only allowed engineers can access certain systems. A technical data security control makes enforces the policy.
For example, we mentioned the principal of least privilege. ACLs are one of the most effective ways to install that policy. So, the software you build or buy to do this is a technical data security control.
Architectural Data Security Controls
Architectural controls work on how you connect systems. Even the smallest companies use networks. They use systems like VPNS and cloud applications. If these systems aren't secure, they are vulnerable. These controls look for weak points so you can add new policies and procedures to close the gaps.
Activities like penetration testing, vulnerability assessments, and design reviews help are good examples.
Response Data Security Controls
You need response data security controls to react to incidents. Breaches are the obvious target of these controls, but disasters threaten data, too. Remember, availability is part of CIA. If a disaster means customers can't access their data, it doesn't matter if the root cause is a DoS attack or a fire.
Many disaster recovery and data breach controls overlap. As a result, applying software patches that close security holes is a response control. So is backing up data and using high availability systems.
Visibility Data Security Controls
While you need to have response controls in place, but your goal is to never need them. So, that's where visibility controls come in; they help detect active threats. They include monitoring networks and systems and running intrusion detection systems.
Use Your Data Security Controls
We've covered what data security controls are. We started with CIA and saw how to apply it to data security controls. Then, we covered six different types. Each of these types are a critical part of your data security activities. Understanding each one and how they fit together is important. So, as we covered each data security control, we looked at examples and also how they overlap and complement each other.
Now that you're familiar with the six types of data security control, you have a framework for evaluating your security activities. Getting started on your data security controls today!
This post was written by Eric Goebelbecker. Eric has worked in the financial markets in New York City for 25 years, developing infrastructure for market data and financial information exchange (FIX) protocol networks. He loves to talk about what makes teams effective (or not so effective!).
