What is Data Security?

Data security encompasses every effort a company makes to keep the data it possess free from risk and compromise. As digital data has exploded in both volume and importance in the 21st century, becoming arguably the most valuable asset a company has, protecting it becomes mandatory. Whatever tools, techniques, policies, and training methods are used to preserve that protection fall under the broad umbrella of data security.

How data security works

Data security involves both an upfront effort to establish baseline data security standards followed by an ongoing effort to maintain and evolve those standards in response to new data, emerging threats, or changes in the IT environment.

Securing data begins by identifying all the data a company has stored across the enterprise. Rarely if ever does this data live all in one location; it’s spread widely throughout databases, applications, and endpoints, and it includes physical data (documents, notes etc.) along with digital data. Some data sources are obvious. Others, however, are easy to overlook or ignore, leaving certain data unsecured and more vulnerable as a result. Applying minimum data security standards to everything depends on finding all of it first.

Next comes the ranking of risks. Though all data needs security, some requires extra precautions. Sensitive data like financial records, personally identifiable information (PII), and intellectual property must be closely guarded since it is the prime target of attacks and the most expensive when involved in a data security breach. Those in charge of data security need to identify which assets are most at risk, whether because they are highly vulnerable or highly sensitive. Then, they need to thoroughly catalog those assets and, as necessary, surround them with additional data security.

Once a clear map of the data architecture has been established, data security becomes about putting various data security solutions in place. The specific solutions will vary by organization, but in most cases will include cybersecurity tools for detecting, blocking, and remediating the full spectrum of cyber attacks. Also important will be tools for verifying and validating anyone attempting to access data while managing access privileges over time. Cybersecurity standards like antivirus and user behavior analytics can help guard against a data security breach, but in other cases, dedicated data security software will be necessary to ward off attacks.

Developing a data security policy matters just as much as installing the right data security solutions. Policies dictate how users at all levels interact with data, from how they pick their passwords to what they keep in their email inbox. Policies also prescribe how current and future technologies will handle enterprise data, from where and how it gets stored to what cybersecurity measures get applied.

Data security management is the final component. Data security starts but doesn’t stop, which is to say it takes constant review and revision. As companies store more data in more places inside elastic IT environments, the tools, policies, and methods of data security must change in order to stay effective.

Data privacy vs data security

Though related and to a certain extent overlapping, data security and privacy are two distinct concepts that each require a concerted effort. Data privacy is about restricting access to specific types of data. It strives to give individuals control over their private information, letting them decide what can be collected and stored, who has access, and under what conditions. As such, policies that govern how companies manage data play a central role in data privacy.

If data privacy is about how companies collect, store, and utilize data, data security deals with how they defend it. And while data privacy focuses primarily on sensitive information (PII, IP etc), data security addresses all the information kept by a company and defends against any form of loss whether privacy is at risk or not. To secure data means to protect everything from anything. Cybersecurity tools and techniques will be used to stop attacks, but user training and data security policies help prevent those attacks in the first place.

Two brief examples illustrate the difference between data security and privacy. Encrypted data may be private, but it’s not necessarily secure unless there are additional protections in place. Likewise, there may be robust protections surrounding data that was collected in ways that violate the privacy policy, making it secure but not private.

Data protection vs data security

If data security is about preventing anything that could have a negative effect on data, the concept of data protection is about mitigating those negative impacts. Should a lapse in security ever put data at risk, data protection keeps the consequences to a minimum.

To that end, data protection concentrates on secure data recovery: systems that backup and restore data so that companies can recover anything that was lost or corrupted in an attack. The goal of data protection is to backup everything, seamlessly and systematically, and ensure that the recovery and restoration process runs efficiently. Many companies rely on secure data recovery services that are bound by service level agreements for backup thoroughness and recovery speed. Operating without data isn’t possible and losing it is even worse, so data protection and data security work in close coordination, the former serving as a failsafe to the latter.

Who are data security threats?

Threats to data come in many forms, all of which data security has the duty to guard against. Some of the leading concerns include:

Cyber Attacks

From ransomware to phishing schemes, cyber attacks have become more sophisticated at bypassing security measures and more successful at breaking into enterprise data. The frequency of attacks, the number of hackers behind them, and the amount of resources flowing into cyber crime are all increasing. Cybersecurity and data security are closely aligned since most attacks have the malicious intent to steal or destroy data.

Compliance

Many companies need to comply with regulations mandating data security and privacy. Examples include HIPAA for health information, and GDPR, which applies to all PII collected in the European Union. Failure to collect, secure, and protect data as required can result in massive financial penalties while raising the risk of a data security breach.

Insider Threats

Whether intentionally or unintentionally, the actions of employees may result in data exposure, loss, or compromise. Many cyber attacks depend on unsuspecting users to allow them inside. And since employees have elevated access to data, there’s always a chance they will misuse it, in some cases with the express intent to harm a company.

Clouds

Data security in cloud computing poses a threat because of attacks that target data in transit (to or from the cloud) or sitting at rest inside insecure cloud environments controlled by third parties. The rapid shift to cloud computing further compromises data security by transforming IT environments in ways that undermine existing defenses, sometimes without notice. Cloud data security will be a major challenge – and a continuing threat – as more data migrates outside of a company’s strict control.

Who is responsible for data security?

Everyone inside an organization or with privileges to access that organization’s data (like third-party partners) has some responsibility for data security. It only takes one person, even a person with minimal access rights, to cause a data security breach and all the hazards that follow. The role that each individual plays in data security should be a large part of training efforts and policy making.

Data security is a big enough issue – and big enough workload – that many companies have one or more employees working specifically on securing data. Many security teams include a data security analyst to hunt for threats, search for vulnerabilities, and lead data security improvement efforts. When necessary, companies will employ specialists to handle the unique requirements of things like data center security or big data security. When there’s a Chief Information Security Officer (CISO) in the C-suite, companies will look to that person to lead data security efforts and account for any failures. In other cases, the IT director or security head will be in charge of data security.

How API security supports data security

As the doorway into applications and all the data, privileges, and functionality they contain, APIs (application program interface) are a significant factor in data security. Modern enterprises can’t operate without APIs and the efficient exchange of information those APIs make possible. But they also can’t underestimate the threat to data this represents.

Incorrectly configured APIs could be a hidden weak spot in an otherwise sound data security strategy. Just as problematic, sophisticated attacks can seize on any weakness in an API to launch a full scale data security breach. A breach at Facebook that exposed the data of 50 million users was just one of many major attacks blamed on insecure APIs.

Upholding data and network security, preventing (rather than mitigating) attacks, and ensuring business continuity all depend on API security. Data security is at risk without it, and, more broadly, no cybersecurity strategy will succeed until APIs become ironclad against attacks.