In AppSealing Blog, AppSealing News

As businesses continue to work from home or even adopt hybrid working models in the near future, we understand what is more important for business continuity – definitely data. Data protection encompasses a wider scope in the form of policies, practices, and rules that companies have to formulate and abide by to ensure that they take extra care of their customers as well as employees’ data. A good data protection strategy is especially important for companies that collect, store and use customer data. Financial institutions, retail companies, insurance providers, and just about any company that deals with customers spread across the globe or those that cater to customers through the internet should be concerned about data protection. It is one of the most efficient ways to prevent cyber attacks and ensure continued business.

Data Protection

Data protection has a dual purpose in the modern world – safeguarding/managing data and preventing it from getting lost, stolen, compromised, or corrupt; it also stands for making data available when required in the correct form and shape. Data management helps with compliance, archiving, and backing up data while protecting against malware and possible attacks. Data availability ensures that different team members have access to data even if it is lost or corrupt. 

There are some good practices that will help companies move to the other side of the data protection fence where attacks are minimal. Using tape or disk backup is a good option especially when it comes to warding off cyber attacks. Mirroring is also a smart way to ensure that a backup of files, data, website, etc. is taken well in advance to avoid data loss. Storage snapshots can help create important pointers which can be followed to retrieve data.

Data Protection v/s Data Privacy

Coming close on the heels of ‘except’ and ‘accept’ words which everybody gets confused about, are the two close friends ‘data protection’ and ‘data privacy’. But there are clear differences. Data privacy defines the access levels whereas data protection helps apply specific policies/rules/restrictions to protect assets from unauthorized access. A good data privacy policy can define access rules, but a hacker can still get unauthorized access, which can become a tad bit difficult if a robust data protection strategy is in place. 

A simple example to understand the importance of both would be an online transaction. Imagine that you go online and purchase that latest gadget that you have been eyeing for a long time. You enter your card details and select the ‘store it for future purchases’ option. Here data privacy would define who has access to the details that you just shared. But data protection will ensure that your data is protected from attackers and hackers. It is important to understand that both are needed for data to be completely secure. 

     Data Protection Technologies and Practices

Companies can choose some best practices and adopt technologies like the below to secure their data:

Data Loss Prevention (DLP) Tools:

This is a set of strategies and tools that provide a big relief to security professionals who are looking to protect personally identifiable information or trying to protect their IP. DLP has a 3-pronged approach – classifying confidential, business-critical data, identifying policy violations driven by regulatory compliance such as GDPR, HIPAA, etc. and then ultimately enforcing remediation steps laced with alerts and encryption to prevent accidental or intentional unauthorized access or sharing of data – at rest, in motion or in use.

Storage that comes with in-built data protection in the form of clustering and redundancy:

Redundancy stands for the replication of data to another system/location whereby data is compressed and encrypted. Disk clustering is also one method by which files can be organized for easier management and security settings 

Firewalls:

     A firewall forms a barrier between networks so that insecure traffic is blocked. Firewalls undertake a detailed inspection of traffic to look for possible threats through pre-set commands which help filter suspicious sources. It can protect your data from unauthorized access or hacks.

Encryption:

This method converts readable data into an unreadable format. The data can be decrypted only through a pre-decided encryption key. This especially helps when data is stolen or lost. Ensuring that only trusted parties with the secret key can access it. The encrypted content, known as ciphertext, appears scrambled to other people who are not supposed to access it. 

Authentication and Authorization:

Again we encounter two words that are often misinterpreted by many, but these words mean a lot in the world of data protection. Companies should have strong authentication (to confirm the identity of users) and authorization (to decide what rights they have) policies. Privileged access management tools and role-based access controls ensure that only authorized users are given access to data. 

Endpoint Security:

This ensures protection for end-user devices like desktops, laptops and mobile devices. They have evolved from providing security against traditional viruses to now cover sophisticated malware and zero-day threats. They can detect, analyze and block suspicious traffic.

Data erasure:

It aims to erase all traces of data that is no longer required. Companies can set specific timelines for this as a good practice. This is relevant in the current GDPR times when companies have to maintain rules to limit the usage of data beyond the required time. Unlike data deletion where data can be recovered, data erasure is a permanent procedure 

Tokenization:

It focuses on converting sensitive data into small tokens made up of unrelated values of a similar length and format, while the data itself is stored in a different location. This comes in handy to protect financial data. It is different from encryption as it is undecipherable and irreversible. So, if we have to talk about the banking industry, during a transaction, the system swaps the corresponding pin and sends it to the payment gateway for authorization. The system thus only saves the token and not the original pin.

Data Protection Guidelines

Everybody knows about GDPR and how it has put a special emphasis on data privacy and data protection guidelines. Customers in Europe now have more control over their personal data. For companies, it means being a lot more careful about what data they collect from customers and, secondly, how they use the data. Companies do have their privacy policies on their websites that are updated regularly. But what is important to note here is that companies are now obliged to protect the data from being misused or exploited in any way, while abiding by customer preferences. Customer name, address, biometrics, ip address, cookies, RFID, genetic data, sexual orientation, political views, racial data – all come under the purview of GDPR. Companies need to build data protection safeguards in their products directly. Which means that data protection has to be an ingrained culture in the organization. Data needs to be protected through the following tenets:

  1. Data usage should be fair and lawful
  2. Data should be processed transparently only for the specific purpose for which it was collected
  3. Data should be collected only as much as absolutely required
  4. Data should be stored in an accurate, up-to-date fashion
  5. Data (especially PII) should be stored only for a limited period (only till the time it is absolutely needed)
  6. Data stored should be secure and confidential
  7. Data storage should come with accountability for the organization

Close on the heels of GDPR, we have India’s Personal Data Protection Bill (PDPB), which covers personal (name, contact details, fingerprint, browsing history) and sensitive personal data (credentials, financial data, political views, religious opinions, health data) among others. It applies to all companies – both within and outside India – and expects companies to protect customer data in the areas of fair, purposeful, limited, lawful, time-bound and accountable usage. 

     Enterprise data protection strategies

Many companies rely on specific techniques to ensure backup and access of important data. Some companies go for synchronous mirroring to handle media failure issues. Here, data is written to the local disk and a remote site to ensure that both the locations always have identical data. This requires a confirmation from the remote site that the data in both locations is always identical. Mirroring incurs additional capacity overhead. In such cases, RAID protection is a good option. It goes one step ahead where data is written or stored in multiple places, leading to better performance and enhanced protection. Since we are talking about data replication from one place to another, RAID also has the additional responsibility of checking the possibility of lost or stolen data across multiple locations. This leads to additional downtime if a media failure incident occurs. Hence, Some companies go further to leverage erasure coding technology which focuses on storing data and parity across different storage nodes. When a node failure occurs, all the nodes in a specific storage cluster can help with a replacement which makes the recovery process quicker. It helps limit single points of failure. 

Sometimes, data gets corrupted and this is when companies depend on snapshots which are mounted and data is copied back to the production volume in case of failures. Sometimes snapshots replace the original corrupt data, thereby saving a lot of time in data recovery since it all happens instantaneously. 

Replication technology helps during storage system failure in the case of multiple drive failures where only blocks of data which have changed are copied from the primary location to an off-site location. This makes the process of recovery far quicker owing to the fact that only deviations are looked at. When a data center fails, a solid Data Recovery plan is the best way out. Snapshot replication helps create copies of data to a secondary site but running this site comes with an additional cost overhead. But professional cloud services are the best option here since the most recent copies of data can be stored to initiate data recovery procedures if needed. Also, companies have to pay for how much ever they use.  

RASP for Data Protection

Since mobile devices are increasingly used for both personal and professional activities, keeping the data for both purposes separate is difficult. Backup and recovery of mobile data is also slightly more complicated owing to inconsistent connectivity. Three strategies that come to the fore here are encryption, strong passwords and selective file sync / share. When it comes to Android devices, it is important to regularly encrypt your data through the Settings option. For iOS devices, Touch ID and longer, complicated Passcodes are crucial. Selective file sync/share is a good option to replicate users’ files in the public cloud to have a backup in case an attack does happen. However, you need a robust mobile application security solution to ensure complete protection against basic as well as advanced levels of attacks. AppSealing’s Runtime Application Self Protection (RASP) solution scans for threats and attacks in real time to provide relevant alerts for quick, proactive actions, and that too with zero lines of coding and no AMC. Contact us to get complete in-app protection now.

 

Govindraj Basatwar, Global Business Head
Govindraj Basatwar, Global Business Head
A Techo-Commerical evangelist who create, develop, and execute a clear vision for teams. Successfully created a SaaS business model with multi Million Dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market entering strategy, business plan, sales, and business development activities.