Data security is an important concept that along with cyber security keeps confidential information safe and secure. Understanding these concepts is vitally important when considering a career in cyber security.
So, what’s the difference between data security and cyber security? Data security is about protecting information to retain its confidentiality, whilst cyber security is about protecting against online threats and attacks, typically cyber attacks and cyber threats.
Data security is an important part of the overall cyber security strategy, providing different mechanisms to secure data, ensuring it can only be used by those who are authorized to use it. A number of techniques can be used from hashing to encryption to protect data when it’s stored, transmitted or even when it’s used, that is processed.
The most important asset cyber security protects is information, and this information is made from different pieces of data. By protecting the data, the goals of cyber security can be realized, and even if there is a breach where hackers and attackers manage to get hold of the data, the security measures in place will make the data useless to the would-be hacker and attacker, keeping its information safe and away from prying eyes.
When I’m threat modeling as part of my cyber security job, one of the main things I do during the threat modeling workshop is to determine all the data that’s present in the project, what the value of the data is, how the data is being used and how it is being kept safe and secure.
By knowing what data is being used, decisions can be made to safeguard the data, whilst data that remains unknown will end up being missed from any security planning decisions. This is why it’s vital to find out all instances of data and where it’s stored.
Once we know where the data is stored, we can analyze the data to determine its value, as some data will invariably be more valuable than other types of data. So, sensitive information, from credit card numbers to organizational secrets, will have a higher value than zip codes that are available in the public domain.
So, not all types of data necessarily need protecting, such as data available in the public domain like zip codes, but other sensitive data will surely need protecting, like credit card information, organizational secrets, customer information, medical information, confidential legal information and so much more. This is where data security will come in, to ensure the information that needs protecting is protected adequately.
What is data security?
Information is comprised of many different types of data, from documents and passwords to information stored in databases, and this data requires higher levels of security to protect it from unauthorized access.
Data security involves processes and technologies that can protect this information to ensure it meets the needs of confidentiality, integrity and availability, the CIA triad as it’s more commonly known. Confidentiality is associated with ensuring only those who are authorized to use the data can use the data.
So, corporate executives are only authorized to access sensitive corporate information like strategies, plans, blueprints and so on. Likewise, medical information is only available to those who are authorized to use it, like doctors and other medical staff.
Integrity is ensuring the data hasn’t been tampered with and any changes have only been made by those who are authorized to do so. It’s important to maintain the integrity of data, as unauthorized changes could lead to disastrous effects, like medical data being tampered with, which could lead to incorrect diagnosis, or financial data being tampered with, affecting the livelihood of corporate workers, as their employer could end up with financial problems due to incorrect financial information.
Availability ensures data is available to those who need to use it, so computer systems are designed in such a way, that a component failure in a system or a complete system failure doesn’t stop the data being available.
How can you secure data?
There are a number of ways to secure data, from encryption and hashing to access controls designed to restrict access to only those who should have it. When many of the processes used to secure data are used in combination, the outcome will make it extremely difficult for a hacker or attacker to get hold of the data.
Encryption is like putting your valuables inside a safe, locking the safe door with a code, so anyone who gets access to the safe can’t open it and see what’s inside without the correct code. The more complex the code, the more difficult it becomes to unlock the safe.
Encryption protects the data from being revealed in its true form without knowing the code to change it into its real form. Instead, encryption obscures the data into useless information that is difficult to decipher.
Decryption is like unlocking the safe with the code and getting access to the valuables inside, like credit cards and their numbers. Likewise, encrypted data can be decrypted back into its original form using the code used to encrypt the data in the first place.
Encryption is a two way process where data that has been encrypted can be decrypted back to its original format. This is important, as not being able to decrypt the information would make it difficult to use, for example encrypting credit card numbers 1111 2222 3333 4444 into the below encrypted string serves no value unless it’s decrypted first.
This encrypted information is no use to hackers if they got their hands on it, but it still needs to be of some use to the organization that has encrypted the information in the first place. Therefore the data not only needs to be encrypted but easily decrypted, as long as the correct unlocking information, that is the decrypting key is used.
Symmetric encryption is a type of encryption where the same key that is used to encrypt the data, can also be used to decrypt the data. This type of encryption and the resulting decryption can be quite quick depending on the cipher used for the encryption.
With this type of encryption sharing the key used to encrypt the data becomes more difficult, as anyone getting hold of the encryption key can decrypt the data.
With asymmetric encryption the key used to encrypt the data doesn’t necessarily need to be used to decrypt the data. This makes asymmetric encryption keys easier to share, as the public key used to encrypt the data can easily be shared, whilst the private key to decrypt the data needs to be kept safe and secure.
Data at Rest encryption
Where the data is stored is known as data at rest, that is where it’s not being used and is just being stored. Encrypting the data where it’s stored is paramount in protecting the data, so if it’s stolen in a data breach, the data retains its encryption, making it useless to the hacker or attacker in most cases.
I say in most cases, as it’s possible to encrypt where the data is stored, so a disk or a logical volume within a disk, and whilst the data remains here, it’s protected by the encryption of the disk or the logical volume. However, if a hacker or attacker manages to copy the data off the encrypted disk or logical volume, the data is copied without the protection of the encryption offered by where it’s stored.
This can happen when a hacker or attacker gets privileged access to storage by taking over accounts of high privileged users like administrators. This level of privileged access gives the hacker access to where the data is stored and with access, they only need to copy the data away.
By encrypting the data itself and not overly relying on where it’s stored to be encrypted, anyone copying the data away will only be copying the data in its encrypted format. Therefore without the correct decryption keys, they will not be able to decrypt the data and see what’s inside.
Data in Transit encryption
Data in transit is concerned with protecting data as it moves from one place to another, like when you’re connected to your bank, the data in transit is the data you’re sending to the bank and vice-versa, the data the bank is sending back to you.
By encrypting the connection between yourself and the bank, the data sent to each other is protected from anyone sniffing the connection as they will only see encrypted information and will not be able to easily decrypt it.
Sniffing of this kind is part of a man-in-the-middle (MitM) attack, where a hacker or attacker actively sniffs out data being sent across networks, looking for confidential and sensitive information.
Data in Use encryption
Data whilst it’s being used, that is processed, can require encryption: not when it’s actually used, but as it moves to being used it’s decrypted, used and then re-encrypted when it’s no longer being used.
This isn’t a common use of encryption as the process of encrypting and decrypting information requires computer processing power and having to do this multiple times whilst using data can slow down the processing of the data.
Hashing is converting data into a format that can’t be easily deciphered back into its original form. It’s designed to be a one-way process, unlike encryption which is a two-way process, where the encrypted data can be decrypted.
Hashing is used to protect data like passwords, so when a user enters their password, this is hashed, and this newly created hash is compared to a hashed value of the password stored in the database. If the two hashed values are identical then it’s fair to say, the password entered by the user is the same as the password in the database, so the user can be allowed to successfully authenticate.
One of the drawbacks of hashing is the proliferation of rainbow tables that have been constructed from dictionaries and stolen passwords. The rainbow table contains hashed entries, and these are compared to stolen hashes to see which hashes can be matched. With powerful computing equipment, it’s quite easily possible to go through a large number of combinations.
By adding a salt value to the data and then hashing this new data, it becomes more difficult to use rainbow tables to break the hash. More so if the salt is unique, as the permutations of available combinations increase substantially.
The salt value is stored in plain text, along with the computed hash value of the password and the salt combined. The salt is stored in plain text, so if the database was compromised a hacker or attacker would have access to the salt, but without knowing the password it becomes virtually impossible to work this out.
So, if a password like P@55W0rd! can be hashed to xutAUVjfuh62SQOLhuXOluGklqCIGQqV0ipWfAKY, then comparing this hash xutAUVjfuh62SQOLhuXOluGklqCIGQqV0ipWfAKY in a rainbow table with the hash in the database will result in a match, proving the password in the database is actually P@55W0rd!
But if you take the password P@55W0rd! and use a salt like %56534abc and then hash P@55W0rd!%56534abc, you’ll produce a different hash that is virtually impossible to decipher. When the user enters their password when logging in, for example, the system takes their password P@55W0rd! and appends the salt %56534abc at the end, resulting in P@55W0rd!%56534abc, and then it hashes this and compares this to the hash stored in the database.
Only if these two hashes match will the system allow the login to take place successfully and give the user access. The salt is generally unique per data item stored, as having the same salt for all the data hashed, will result in it becoming easier to use sophisticated rainbow tables to break the hashed code.
A pepper is like a salt, a value added to data which is then hashed. However, unlike a salt, which is stored in plain text, the pepper value is stored either with the data, as an obscured value using encryption, or securely on another system like a hardware security module (HSM).
Without knowing the real value of the pepper, the chances of breaking down the hashed value are near impossible.
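The salt and pepper scheme described above, as an added example that is not part of the original article: it shows why an unsalted hash falls to a precomputed table while a per-user salt and a separately held pepper do not. It goes a step beyond the text by using PBKDF2 (a deliberately slow hash) and HMAC for the pepper instead of a single hash of password plus salt; the function names, pepper value, wordlist and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000                 # PBKDF2 work factor (assumed value)
PEPPER = b"constructed-demo-pepper"  # constructed; keep the real one in an HSM or secret store


def unsalted_hash(password):
    """Plain SHA-256 with no salt: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, pepper=PEPPER):
    """Return (salt, digest) for storage; the pepper is never stored with them."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique random salt per stored password
    # Mix in the pepper with HMAC, then stretch with the per-user salt.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored, pepper=PEPPER):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, stored)


def demo():
    # Constructed sample: two users who picked the password used in the text.
    password = "P@55W0rd!"
    # Precomputed table (simplified stand-in for a rainbow table), constructed wordlist.
    table = {unsalted_hash(p): p for p in ("letmein", "P@55W0rd!", "qwerty")}
    alice_salt, alice = hash_password(password)
    _, bob = hash_password(password)
    return {
        "unsalted_found": table.get(unsalted_hash(password)),  # matched in the table
        "salted_found": table.get(alice.hex()),                # no entry in the table
        "same_password_same_hash": alice == bob,               # salts differ per user
        "login_ok": verify_password(password, alice_salt, alice),
        "wrong_password": verify_password("P@55W0rd?", alice_salt, alice),
        "wrong_pepper": verify_password(password, alice_salt, alice, pepper=b"other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```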
Data Security Careers
Information security roles tend to focus on the security of data and on using a management system like the Information Security Management System (ISMS), which defines policies, methods and processes to protect information and its underlying data.
In my role in cyber security as a cyber security architect, I work out where data is and how it’s being protected, looking for any gaps in protection. I align the data security to the policies, methods and processes advocated by the Information Security people.
So, if the Information Security policy dictates sensitive data is encrypted to at least AES-256 then my mandate is to make sure this is enforced throughout the project I’m working on, reporting any instances where this isn’t the case to the risk management side of the organization I’m working for.
Understanding data security is paramount for any security role, be it cyber related, information or generalized security roles, as the protection of data through its security is an important function of these roles and protects the organization’s data, more so its information.
Data security is an important part of the overall cyber security plans and strategies, as data is one of the most important assets that cyber security needs to protect. Data falling into the wrong hands, like those of hackers, attackers and other malicious parties, can be catastrophic for organizations, leading to reputational damage, penalties and fines. It’s in an organization’s best interest to protect its data, to avoid the financial costs that can result when data ends up being stolen.
Encryption can be used to protect data whilst it’s being stored at rest, whilst it travels in transit and in some cases whilst it’s being used. Hashing allows certain types of data like passwords to be protected using a one-way process that can’t easily be reversed into its original format.