5 steps to stronger data security

Nearly everything we do in computer security is meant to protect data. After all, we don’t deploy antimalware software, tighten security configurations, or implement firewalls to protect users, per se. Job No. 1 is to protect the organization’s data — including employee and (especially) customer data.

But guess what? People need to work with that data or you wouldn’t store it in the first place — which is why most data security measures focus on ensuring only trusted, authorized parties get access to it. Follow these five recommendations and your mission-critical data will be well protected.

1. Identify the crown jewels

First, you need to identify your most precious data. The hard part is finding it. As one CIO told me years ago, “If you think you know where all your data is, you’re kidding yourself.”

Precious data is stored in databases, application data repositories, and now the cloud, as well as on backup media and removable media. Precious data also includes critical subsystems that support delivering and securing actual data, including Active Directory domain controllers, credential databases, DNS, DHCP, network routers, and other services, all of which have their own security defenses.

All data should be categorized for its business value and sensitivity, so keep your crown jewels to the smallest size possible. The least amount of data that needs to be stored should be stored, because nothing is as secure as data you didn’t store in the first place.

All data should have an owner, to which all questions about its condition, treatment, and validity can be addressed. All data should be marked with a useful life, and at the end of that useful life, it should be disposed of.

2. Clean up credentials

Practice good credential hygiene — that is, clean up your privileged account memberships, with the goal of minimizing permanent membership to zero or near zero. Administrative duties should be performed with the least amount of permissions and privileges necessary (sometimes called “just enough” permissions). Any permissions or privileges should be given only when needed, only for the time actually needed (called “just in time” permissions).

Every organization should start by reviewing permanent memberships in each privileged group and removing members who do not need permanent, full-time access. If done with the appropriate rigor and analysis, this usually results in less than a handful of permanent members. In the best cases, only one or zero permanent members remain.

The majority of admins should be assigned elevated permissions or privileges on a limited basis. Often this is done by having the admin “check out” the elevated credentials, with a preset expiration period.

Credential hygiene is essential to strong database security, because attackers often, if not nearly always, seek to compromise privileged accounts to gain access to confidential data. Minimizing permanent privileged accounts reduces the risk that one of those accounts will be compromised and used maliciously.

3. Set strict internal security boundaries

Long gone are the days when a network boundary firewall could be seen as sufficient security. The inside, chewy center of most corporate networks must be separate, isolated security boundaries, which only predefined accounts can access. Strict internal security boundaries can be created by host-based firewalls, internal routers, VLANs, logical networks, VPNs, IPSec, and a myriad of other access control methodologies.

For example, although a large majority of users may be able to access the Web front end of a multitier application, very few people should be able to directly access the back-end database. Perhaps only assigned database admins and a few supporting servers and users should be able to access the database server, along with the front-end Web database and any middle-tier services. That way, if attackers try to access the database directly without having the necessary credentials, they can be prevented from doing so, or at least an auditing alert can be initiated.

4. Ensure encryption moves with the data

Traditional security defense touts two types of encryption: encryption for data during transport and encryption for data at rest. But this assumes the bad guys haven’t already stolen legitimate credentials to access the data in question, which is often the case.

If you want solid data protection, make sure your encrypted data remains encrypted no matter where it is — and especially if it is moved to illegitimate locations. Nothing is more frustrating to the data thief.

Many solutions encrypt individual data components and keep them encrypted no matter where they moves. Some are application services, like Microsoft’s Active Directory Rights Management Service, while others encrypt the data right within the database, such as Microsoft’s SQL Transparent Data Encryption.

What’s the smart way to encrypt data? If someone steals it, it remains encrypted and useless.

5. Protect the client

Hackers rarely break into servers directly. It still happens — SQL injection attacks and remote buffer overflows, for example — but client-side attacks are far more common.

If you want to protect your data, make sure you protect the people who access the data. This means that all critical patches are applied within a week or two, users are educated on social engineering, and workstations are securely configured.