Protecting Data at All Stages During the Life Cycle
Dr. Vamsi Mohan Vandrangi, Chief Technology Officer, Huber
Abstract — Nowadays we are witnessing data breaches regularly. Due to unsecured data management, a Chinese social media management company leaked the personally identifiable information (PII) of some 214 million social media users. According to IBM, the cost of a data breach rose from USD 3.86 million to USD 4.24 million, the highest average total cost in 17 years. Data protection is the process of safeguarding personal and sensitive personal data, while at rest, in transit and in use, from corruption, compromise, loss and theft.
“Data protection assures that data is secure, not corrupted, not accessible to unauthorized parties, and in compliance with regulatory requirements.”
When it comes to protecting sensitive information, enterprises require different approaches and apply different methods to protect the data. Some users want to protect or store information on their mobile devices for frequent use or regular accessibility. Others want to keep their documentation on file servers, protected from improper access.
Sometimes users need to protect documentation or mail data on their mail servers, and some users want to protect data from being copied by unauthorized third parties.
Primarily, there are three states of data:
- Data at rest: By this term we mean data that is not being accessed and is stored in a stable state on a physical or logical medium. Examples are files stored on file servers, records in databases, documents on flash drives, hard disks, etc.
- Data in transit: Data that moves through email, web interfaces, collaborative work applications such as Skype, Slack, Zoom, Microsoft Teams, instant messaging, or any other type of private or public communication channel; in short, information that travels from one point to another.
- Data in use: The right data for the right audience. Data should be accessed only by the right users and protected from unauthorized access.
Protection of Data at Rest
Data is considered secure at rest when it is ciphered or encrypted in such a way that a brute-force attack would need an unworkable amount of time to decrypt it, the encryption key is not present on the same storage medium, and the key is of sufficient length and randomness to make it immune to a dictionary attack.
There are various tools and technologies for protecting data at rest:
- Full disk or device encryption: This is one of the safest ways of protecting data. Many enterprises and corporations apply full disk encryption to their employees' machines to prevent unauthorized access in case a device is lost. It protects the data so that it cannot be accessed by simply mounting the hard disk or device on another machine, and users keep full flexibility while accessing the data. However, if the computer or file server is accessible to a malicious administrator in your organization, nothing prevents them from accessing the data, copying it, circulating it publicly, etc. The data is protected while it resides on the device or hard disk, but is no longer protected once it is extracted from the device (copied to another device, resent, etc.). Several tools are available in the market, such as Check Point Full Disk Encryption, Dell Data Protection Encryption, McAfee Complete Data Protection, Sophos SafeGuard, Symantec Endpoint Encryption and DiskCryptor (open source).
- File-level encryption: Individual files are encrypted rather than partitions or hard disks. Users can encrypt files using public-key or symmetric encryption, for example. Files are encrypted not just when they are saved on the disk; they can also be safeguarded while in transit, such as when they are transmitted as attachments in an email. In this case, transparent access for the user is lost. That means that, when using PGP (Pretty Good Privacy), for example, the sender needs the recipient's public key to share the protected file, and the recipient, in turn, needs the matching private key in order to decrypt it. On the other hand, once the document has been decrypted by the recipient, the data will be stored unprotected, resent unprotected, etc. VeraCrypt (Windows/OS X/Linux), AxCrypt (Windows) and BitLocker (Windows) are widely used file encryptors.
- Database encryption: Database systems such as SQL Server or Oracle use TDE (Transparent Data Encryption) to protect user data stored in databases. TDE performs encryption and decryption of data and log files in real time. This allows application developers to work with encrypted data, using AES or DES for example, without needing to modify existing applications. This sort of encryption secures data in the database while it is stored, but it does not protect data that has already been accessed by an unauthorized user or application.
- MDM (Mobile Device Management): One way to control data on mobile devices is through MDM tools such as AirWatch, Microsoft Enterprise Mobility, BlackBerry Unified Endpoint Management, Citrix Endpoint Management, Cisco Meraki and IBM MaaS360. They allow limiting access to certain corporate applications, blocking access to the device, or encrypting data on the phone or tablet. As with standard encryption, they are useful if the device is lost, and some OEM capabilities can be used to lock the device or wipe the data on it.
- DLP (Data Leak Prevention): A DLP, among other functions, enables searching for or locating sensitive data on an endpoint or network repository. For data in a repository, it can delete the data or block access for certain users if a security policy is violated. Data can be controlled while it is inside the organization; however, this becomes very difficult once it goes outside the organization. Some of the recommended DLP tools are SolarWinds Data Loss Prevention with ARM, CoSoSys Endpoint Protector, CrowdStrike Falcon Device Control and ManageEngine Device Control Plus.
- CASB (Cloud Access Security Brokers): These are systems that allow us to apply security policies to documentation held in cloud applications such as Office 365, Box, Salesforce, etc. For simplicity, one could say that a CASB is a DLP system applied to a cloud application instead of the organization's perimeter. With regard to data at rest, CASBs are capable of detecting sensitive data in certain cloud repositories and applying protection policies to the documentation, for example removing public URLs from a document and restricting it to a group of users if the data is determined to be sensitive. McAfee MVISION Cloud, Microsoft Defender for Cloud Apps and Symantec CloudSOC Cloud Access Security Broker are the three most widely used tools.
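The two conditions stated at the start of this section, a key that is long and random enough and that is never stored next to the ciphertext, together with the file-level encryption item above, can be seen in a small file encryption routine. The following is an added example, not code from this article or from any of the products it names. It uses only the Python standard library, which has no AES, so the cipher is built from HMAC-SHA256 (a counter-mode keystream plus a separate encrypt-then-MAC tag); in a real system a vetted AEAD such as AES-GCM from a maintained library and a key manager or TPM would take the place of this construction and of the second directory used as a "key vault". The directory names, file names and sample content are constructed for the demonstration.

```python
"""File-level authenticated encryption with the key kept off the storage medium.

Added example (not the article's or any vendor's code), standard library only:
keystream = HMAC-SHA256 in counter mode, integrity = separate HMAC tag
(encrypt-then-MAC). Use a vetted AEAD such as AES-GCM in real systems.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

KEY_LEN = 32     # 256-bit random key: brute force and dictionary attacks are unworkable
NONCE_LEN = 16   # fresh per file so the keystream never repeats under one key
TAG_LEN = 32     # HMAC-SHA256 output


def generate_key() -> bytes:
    """Key from the OS CSPRNG (secrets), never derived from a guessable password."""
    return secrets.token_bytes(KEY_LEN)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Separate sub-keys for encryption and authentication from one master key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any modified file."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def store_encrypted(disk: Path, key_vault: Path, name: str, data: bytes) -> None:
    """Ciphertext goes to the 'disk'; the key goes to a different location."""
    key = generate_key()
    (disk / f"{name}.enc").write_bytes(encrypt(key, data))
    (key_vault / f"{name}.key").write_bytes(key)


def load_encrypted(disk: Path, key_vault: Path, name: str) -> bytes:
    key = (key_vault / f"{name}.key").read_bytes()
    return decrypt(key, (disk / f"{name}.enc").read_bytes())


def demo() -> dict:
    """Round trip, then show the 'disk' alone reveals nothing and tampering is caught."""
    secret = b"constructed sample: payroll export 2021"   # constructed content
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as v:
        disk, vault = Path(d), Path(v)
        store_encrypted(disk, vault, "payroll", secret)
        on_disk = (disk / "payroll.enc").read_bytes()
        tampered = bytearray(on_disk)
        tampered[NONCE_LEN] ^= 0x01            # flip one ciphertext bit
        try:
            decrypt((vault / "payroll.key").read_bytes(), bytes(tampered))
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {
            "round_trip_ok": load_encrypted(disk, vault, "payroll") == secret,
            "plaintext_on_disk": secret in on_disk,
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    print(demo())
```

The point of `store_encrypted` is the separation: an attacker who copies the "disk" directory (the lost-laptop or mounted-drive case from the list above) gets ciphertext and nothing else, and any edit to that ciphertext is rejected before a single byte is decrypted. The same separation is what a hardware key store or a key-management service provides at scale.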
Protection of Data in Transit
Generally, it is normal to communicate data through numerous digital means, whether intentionally or unintentionally. Email, messaging services and infrared media are used to communicate. According to Statista, the number of email users is predicted to grow from the current 3.9 billion to 4.3 billion by 2023. Data is also transferred via other communication or collaboration platforms such as Skype, Slack or Microsoft Teams, as well as cloud storage applications like Box, OneDrive, Dropbox and others.
There are different technologies to protect data in transit:
· Email encryption: Encryption protects message bodies and attachments from end to end. Encrypting email can be done with a variety of tools. One of them is based on PKI (Public Key Infrastructure), which combines a private key (personal, kept secret) with a public key (public information). The recipient's public key is used to encrypt the email and attachments, and upon receipt the recipient uses his or her private key to decrypt the content. Control over the email or attachment is lost once it has been decrypted, and it can then be forwarded, copied or misused. According to the G2 Grid scoring, Proofpoint Email Security and Protection, Virtru Email and Data Encryption and Paubox Email Suite are leaders.
· Managed File Transfer (MFT): An alternative to transmitting files using FTP, for example, is Managed File Transfer (MFT). Managed File Transfer software is an application that centralises the controlled and secure transfer of data within and outside of a business, as well as between systems and/or users. It sends and receives files swiftly and securely. The file is submitted to a platform and a download link is generated. This link is delivered to the receiver via email or other means, and the recipient downloads the file over HTTPS. It is possible to set an expiration date on the link or a password to access it. Once the file has been downloaded, it is no longer protected, as is the case with e-mail encryption.
· DLP (Data Leak Prevention): DLP systems provide in-transit or in-motion protection by detecting attempts to communicate confidential data (e.g., SPIs) outside the organisation and blocking the transmission of such data. They also allow you to block copying data to a pen drive, sending it to network drives, uploading it to online or cloud apps, and so on. The issue they raise is that once data has been delivered, it is no longer under their control. Furthermore, they are prone to false positives and may block legitimate communications that should be allowed through.
· CASB (Cloud Access Security Brokers): They can identify when a user tries to download sensitive data in transit and stop the download if the user does not comply with particular company security requirements (e.g., is not a trusted user for this type of data). Once the data has been downloaded, control over it is lost, just as with DLP.
· Digital rights in-transit protection: For instance, SealPath can be used in an email not only to encrypt the body and attachments, but also to impose usage rights that allow the content only to be viewed, or to be viewed and edited but not printed, and so on. They also allow you to restrict, for example, how the email is forwarded to recipients. Protection in transit is provided over any medium because a file protected with digital rights travels with its protection. They are also coupled with security tools like DLP and CASB, so that if a sensitive document is detected leaving the network, or a confidential document is downloaded from a cloud service, they can immediately protect it according to the security policy.
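The DLP behaviour described in the list above, detecting confidential data heading outside the organisation and blocking it while avoiding the false positives the article warns about, is shown in the following added example (not the article's code and not any DLP product's logic). It scans constructed outbound messages for payment card numbers, validates each candidate with the Luhn checksum so that order or tracking numbers of similar length pass through, and blocks only when a valid card number is addressed to an external domain. The domain `example.com`, the addresses and the message bodies are constructed sample data; the card number used is the widely published Visa test number, not a real account.

```python
"""Outbound DLP check with Luhn validation to limit false positives.

Added example, standard library only; not any DLP product's logic.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
INTERNAL_DOMAINS = {"example.com"}   # constructed: mail to these domains stays inside


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); real card numbers pass, random digit runs mostly fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidates that also satisfy Luhn; plain digit runs like order ids are dropped."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def mask(pan: str) -> str:
    """Never write the full number into logs or alerts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def evaluate(msg: Message) -> dict:
    """Decide what the gateway does: block, allow but log, or allow."""
    pans = find_card_numbers(msg.body)
    external = [r for r in msg.recipients if is_external(r)]
    if pans and external:
        action = "block"
    elif pans:
        action = "allow-log"    # internal only: visible to the SOC, not stopped
    else:
        action = "allow"
    return {"action": action, "external": external, "findings": [mask(p) for p in pans]}


# Constructed sample traffic.
SAMPLES = [
    Message("alice@example.com", ["partner@external.test"],
            "Card on file: 4111 1111 1111 1111, exp 12/25"),
    Message("alice@example.com", ["partner@external.test"],
            "Shipment reference 1234567890123456 left the warehouse"),
    Message("alice@example.com", ["bob@example.com"],
            "Customer PAN 4111111111111111 needs re-tokenising"),
]


def run_samples() -> list:
    return [evaluate(m) for m in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The second sample is the false-positive case: a sixteen-digit shipment reference looks like a card number to the regular expression alone, but fails the checksum and is allowed through. The masking in the findings matters as well, since a DLP alert that quotes the full number simply moves the sensitive data into the SIEM.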
Protection of Data in Use
As mentioned above, we are talking about data in use when it is accessed by an application for processing. In some cases, suspicious users try to access the data to read it, change it or destroy it. In this state the data is most vulnerable, because the user has already decrypted the encrypted data.
To protect data in use, controls should normally be put in place “before” the content is accessed, for example through:
- Identity and Access Management (IAM) tools: To check that the user trying to access the data is who they say they are and that there has been no identity theft. In these cases it is increasingly important to protect access to the data through two-factor authentication. Microsoft and Oracle are the leaders in this space.
- Role Based Access Control (RBAC) tools: Allow access to data based on the user's role or other parameters such as IP address, location, etc. In these cases the data is protected by limiting access more precisely according to each user's permissions, but once the database or a document has been accessed, it is difficult to prevent the person from destroying the data (changing it or making it vulnerable).
- Digital rights protection or Integrated Risk Management (IRM): Enterprises can achieve effective data protection by limiting the actions a user can perform once they have accessed the data; we may restrict editing, publishing or other activities. Many online tools allow you to set digital rights limits such as view only, or preventing printing or downloading, among other things. If the document can be downloaded, it is entirely unprotected. By applying IRM protection directly on the file (not on the document manager or collaboration platform itself), the protection travels with the document and limits the opening rights wherever it goes. Without it, we can let a user see data, whether in the cloud or downloaded, but the data cannot be fully protected. ServiceNow Governance Risk and Compliance (GRC), LogicManager and Archer Suite are some of the good IRM solutions.
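The three controls above all run before the content is handed to the user. The following is an added example (not the article's code, nor that of any of the named vendors) of such a pre-access decision in Python: it requires two-factor authentication for anything that is not public (the IAM step), grants rights by role and checks the source IP address and country (the RBAC step), and returns the usage rights that the opened document carries with it (view, edit, print, download), which is the digital-rights idea of restricting what can be done after access. The policy table, the corporate network range `10.0.0.0/8`, the permitted countries and the users are constructed for the demonstration.

```python
"""Pre-access control for data in use: identity (MFA), role and context (RBAC),
and usage rights that accompany the document (IRM-style).

Added example with a constructed policy; not any vendor's implementation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class Context:
    source_ip: str
    country: str


@dataclass
class Document:
    name: str
    classification: str      # "public" | "internal" | "confidential"


@dataclass
class Decision:
    allowed: bool
    rights: frozenset
    reason: str


# Constructed policy: for each classification, which role gets which usage rights.
POLICY = {
    "public": {
        "employee": {"view", "print", "download"},
        "guest": {"view"},
    },
    "internal": {
        "employee": {"view", "print"},
        "editor": {"view", "edit", "print"},
    },
    "confidential": {
        "finance": {"view"},
        "finance-lead": {"view", "edit", "print"},
    },
}
CORP_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # constructed corporate range
CONFIDENTIAL_COUNTRIES = {"DE", "NL"}                # constructed: where confidential data may be opened


def authorize(user: User, ctx: Context, doc: Document) -> Decision:
    """Evaluate every control before any content is released."""
    # 1. Identity assurance: anything non-public needs a second factor.
    if doc.classification != "public" and not user.mfa_verified:
        return Decision(False, frozenset(), "two-factor authentication required")

    # 2. Role-based rights: union of what each of the user's roles grants.
    rights = set()
    for role in user.roles:
        rights |= POLICY[doc.classification].get(role, set())
    if not rights:
        return Decision(False, frozenset(), "no role grants access to this classification")

    # 3. Context conditions for confidential material: network and location.
    if doc.classification == "confidential":
        if ipaddress.ip_address(ctx.source_ip) not in CORP_NETWORK:
            return Decision(False, frozenset(), "confidential data only from the corporate network")
        if ctx.country not in CONFIDENTIAL_COUNTRIES:
            return Decision(False, frozenset(), "confidential data not permitted from this country")
        rights.discard("download")   # no unprotected copy may leave the platform

    return Decision(True, frozenset(rights), "granted")


def may(decision: Decision, action: str) -> bool:
    """Enforced at the viewer: an action outside the granted rights is refused."""
    return decision.allowed and action in decision.rights


# Constructed users, contexts and a confidential document.
ANALYST = User("ana", frozenset({"employee", "finance"}), mfa_verified=True)
ANALYST_NO_MFA = User("ana", frozenset({"employee", "finance"}), mfa_verified=False)
CLERK = User("chris", frozenset({"employee"}), mfa_verified=True)
LEDGER = Document("q3-ledger.xlsx", "confidential")
OFFICE = Context("10.20.30.40", "DE")
HOTEL = Context("203.0.113.9", "DE")


def run_cases() -> dict:
    return {
        "analyst_office": authorize(ANALYST, OFFICE, LEDGER),
        "analyst_no_mfa": authorize(ANALYST_NO_MFA, OFFICE, LEDGER),
        "analyst_hotel": authorize(ANALYST, HOTEL, LEDGER),
        "clerk_office": authorize(CLERK, OFFICE, LEDGER),
    }


if __name__ == "__main__":
    for label, d in run_cases().items():
        print(f"{label}: allowed={d.allowed} rights={sorted(d.rights)} ({d.reason})")
```

The `Decision` returned for the analyst in the office grants `view` only, and `may(decision, "print")` is false: that is the gap the article describes between RBAC (who may open the document) and digital rights (what they may do with it once open), and it is why the rights are evaluated once, before access, and then enforced by the viewer rather than by the storage layer.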
Conclusion — Protecting data is an utmost priority and critical for enterprises to overcome their security drawbacks. Taking the right strategy across the entire data life cycle helps to control vulnerabilities and unauthorized access. CISOs from different enterprises have already started proactive measures to control data leakage and vulnerabilities. However, considering the events of the last decade, every enterprise should act proactively and adhere to security principles.