Penny Garbus – President, Soaring Eagle Data Solutions
I spoke at a conference a few weeks ago. My topic was Disaster Recovery and what steps you need to take to prevent data loss. I spoke about ensuring you are taking all the right steps for peace of mind regarding data layer protection. If you protect the data layer, you are providing extra guards at the gate for if the firewall fails, and if the firewall fails, it is likely that rest of your network level protections have as well. Although giants like Google and Amazon may seem impenetrable, data breaches happen all the time. Just look at Equifax if you need proof.
Do you have an AWS environment? Did you know that your team can create public folders and keep any data they choose in them? Did you also know nothing prevents them from putting PCI data in those folders? Until recently the folders were part of the AWS set up and configured to allow public access as a default. This has since changed, but is a testament to why we need to be mindful of our own data security, even if we trust our environment.
You have also not passed the legal data security responsibility onto Microsoft, Google, Amazon, etc. You need to talk to your team. You need to lock things down, and if your clients PCI or HIPPA data is stolen you can be sued, fined, and made to pay for the clean up afterwards. This is not the cloud providers responsibility.
The beginning of data layer protection is information. To begin with, you need to determine who has access to what and when they use that privilege. Who has the system administrator role? It should be a short list. Tracking this is both necessary and mutually exclusive with the use of shared accounts, since shared accounts guarantee ambiguity regarding who has performed an action. Additionally, VPNs and MFA should be used to ensure that the person to whom the account is assigned is the person utilizing the credentials.
The next tool of data protection is being a reliable gatekeeper – prevent bad actors from entering while allowing good actors to access what they need. There are several tasks that this could entail; use solid coding for security prevention, close all public ports, use “whitelists” to allow the server to distinguish between the good and the bad, block bad IP addresses and track the location of the IP addresses from where the connection is coming from. This list could continue indefinitely, going as far as black listing bad email senders and farther. Determining which specific actions are necessary is a decision for you to make for your company.
Encryption is the next step to a fortified data layer. Is your data encrypted in the columns, or on the disk? The answer should be both. Although stealing a physical disk from Microsoft or Amazon would be nearly impossible, bad actors can reach that data if ports are open. If proper connectivity rules and processes are not applied, they can creep right in and steal the data.
Some final parting tips: look or have your team look at the security reports that are provided by the vendor. They give you clues as to how you should start locking things down in your environment. Some security changes affect your users and your business activity requirements. Test everything and make changes in small increments. Data security can be intimidating, but taken in small parts, one step at a time, is a reachable (and necessary) goal for a business of any size, so long as you have mutual trust and reliability with your IT team.