Data security is probably the CIO’s biggest headache, especially when it comes to locking down sensitive data such as Social Security numbers, credit card information, or patient data. Any time you have to store sensitive business data, either within the enterprise or in the cloud, you have to take the right security measures. Even the most obvious security protocols are easy to overlook.
It’s estimated that the cumulative number of data breach incidents since 2005 reached 5,029 last year, representing 675 million compromised records. According to the Identity Theft Resource Center, there were 783 data breaches in 2014, up 27.5 percent from the previous year.
Some of the more prominent data breaches in 2014 included:
Neiman Marcus – Malicious software in the store’s system stole payment card data from more than 350,000 customers.
White Lodging – The hotel management company, which manages payments for Hilton, Marriott, Westin, and Sheraton in 21 states, suffered a data breach that exposed hundreds of guest credit cards.
The State of New York – The New York Attorney General reported that 22.8 million private records of New Yorkers were exposed over an eight-year period. Data breaches were reported by more than 3,000 businesses, most of them from intentional hacking.
Community Health Systems – Community Health reported that 4.5 million patient records were stolen in a cyberattack that was believed to have originated from China.
JPMorgan Chase – One of the nation’s largest banks reported a hacker data breach that could affect 76 million households and 7 million small businesses.
These are just a few of the incidents that took place last year alone. What IT professionals are learning is that as new security measures are added, hackers find new ways to attack data centers. It’s an ongoing battle, and it has to start with basic security requirements.
1. Authentication – Ask “Who are you, and why are you here?” Your first defense is identifying everyone who has access to sensitive data, making sure they are authorized and authenticated, and assessing how you handle their credentials. Whether you use password protection, smart cards, or biometrics, you need to keep close track of who has access credentials, and you need to log network activity in order to see when and where someone accesses something they shouldn’t.
2. Managing physical security – Along with monitoring access to network resources, you also need to monitor access to the physical facility. Be sure the data center itself is secure and that only authorized personnel can enter using a keycard, combination lock, or some other locking device. Also, be sure that workstations and network devices are secure. This means not only implementing password protocols but also managing disk drives, USB ports, and other means to remove data from the system.
3. Stopping external hackers – Most threats are going to come from outside the network. Maintaining a secure firewall with upgraded protection is one defense. Also, be sure to monitor data traffic and set alarms in order to identify anomalies that could indicate an attack. Securing potential entry points in the data center can be like trying to stick your fingers in a leaking dike, so consider using data encryption and other tools in order to secure the data, as well as the data repositories.
4. Managing cloud security – As more companies store cold data and sensitive information in the cloud, hackers are getting smarter and targeting cloud data repositories. Accounts can be compromised and cloud traffic intercepted. Even shared cloud resources can be a risk: if, say, a hypervisor is compromised, the entire shared infrastructure is exposed. Adopting a hybrid cloud strategy where sensitive data are stored in a private cloud repository is one way to secure cloud storage. And if you can’t build a firewall around the cloud, your best security strategy may be data encryption.
5. Mitigating internal risk – Employees are a greater risk than hackers. Employees have access to internal data, including sensitive information such as employee, customer, or patient records; they have to have access as part of their jobs. Sometimes you will have a security breach due to a disgruntled employee, but most of the time, employees cause security problems by not following the proper protocols (such as leaving a password pasted to their monitor). Make sure all employees are properly trained in security procedures and that they follow them.
6. Proper training – Training the IT staff and employees in security best practices is essential when protecting sensitive data. Be sure that you have well-documented protocols and procedures in place and that everyone follows them. Be sure to audit security practices and revise them as needed.
7. Create a compliance checklist – A security checklist is always a good idea, especially if you are in a highly regulated industry such as financial services or healthcare. Maintain a compliance checklist in order to make sure that you have all the appropriate protocols in place and up to date and that your security procedures meet the standards set down by HIPAA, Sarbanes–Oxley, FINRA, or other regulations.
These are just some of the more obvious steps that you can take in order to secure sensitive data. As you develop your data center security strategy, remember to never place all of your trust in the technology. The best firewall and antivirus software can’t overcome carelessness, and they aren’t a substitute for common sense. Keep a close watch on all aspects of the data center and question anything that seems out of the ordinary. Consider bringing in an outside expert in order to help you with your security strategy—someone who can see the potential weak spots that you may overlook.