DATA SECURITY

Data Security is a process of protecting files,

databases, and accounts on a network by adopting a set of
controls, applications, and techniques that identify the
relative importance of different datasets, their sensitivity,
regulatory compliance requirements and then applying
appropriate protections to secure those resources.

Similar to other approaches like perimeter security, file

security or user behavioral security, data security is not the
be all, end all for a security practice. It’s one method of
evaluating and reducing the risk that comes with storing any kind of data.

What are the Main Elements of Data Security?

The core elements of data security are confidentiality, integrity, and availability. Also known as the CIA
triad, this is a security model and guide for organizations to keep their sensitive data protected from
unauthorized access and data exfiltration.
 Confidentiality ensures that data is accessed only by authorized individuals;
 Integrity ensures that information is reliable as well as accurate; and
 Availability ensures that data is both available and accessible to satisfy business needs.

What are Data Security Considerations?

There are a few data security considerations you should have on your radar:

 Where is your sensitive data located? You won’t know how to protect your data if you don’t
know where your sensitive data is stored.
 Who has access to your data? When users have unchecked access or infrequent permission
reviews, it leaves organizations at risk of data abuse, theft or misuse. Knowing who has access to
your company’s data at all times is one of the most vital data security considerations to have.
 Have you implemented continuous monitoring and real-time alerting on your
data? Continuous monitoring and real-time alerting are important not just to meet compliance
regulations, but can detect unusual file activity, suspicious accounts, and computer behavior before
it’s too late.

What are Data Security Technologies?

The following are data security technologies used to prevent breaches, reduce risk and sustain protections.
Data Auditing

The question isn’t if a security breach occurs, but when a security breach will occur. When forensics gets
involved in investigating the root cause of a breach, having a data auditing solution in place to capture
and report on access control changes to data, who had access to sensitive data, when it was accessed, file
path, etc. are vital to the investigation process.
Alternatively, with proper data auditing solutions, IT administrators can gain the visibility necessary
to prevent unauthorized changes and potential breaches.

Data Real-Time Alerts

Typically it takes companies several months (or 206 days) to discover a breach. Companies often find out
about breaches through their customers or third parties instead of their own IT departments.
By monitoring data activity and suspicious behavior in real-time, you can discover more quickly security
breaches that lead to accidental destruction, loss, alteration, unauthorized disclosure of, or access to
personal data.

Data Risk Assessment

Data risk assessments help companies identify their most overexposed sensitive data and offer reliable
and repeatable steps to prioritize and fix serious security risks. The process starts with identifying
sensitive data accessed via global groups, stale data, and/or inconsistent permissions. Risk assessments
summarize important findings, expose data vulnerabilities, provide a detailed explanation of each
vulnerability, and include prioritized remediation recommendations.

Data Minimization

The last decade of IT management has seen a shift in the perception of data. Previously, having more data
was almost always better than less. You could never be sure ahead of time what you might want to do
with it.

Today, data is a liability. The threat of a reputation-destroying data breach, loss in the millions or stiff
regulatory fines all reinforce the thought that collecting anything beyond the minimum amount of
sensitive data is extremely dangerous.

To that end: follow data minimization best practices and review all data collection needs and procedures
from a business standpoint.

Purge Stale Data

Data that is not on your network is data that can’t be compromised. Put in systems that can track file
access and automatically archive unused files. In the modern age of yearly acquisitions, reorganizations
and “synergistic relocations,” it’s quite likely that networks of any significant size have multiple forgotten
servers that are kept around for no good reason.
How Do You Ensure Data Security?
While data security isn’t a panacea, you can take several steps to ensure data security. Here are a few that
we recommend.

Quarantine Sensitive Files

A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly
get control of your data with data security software that continually classifies sensitive data and moves
data to a secure location.
Track User Behavior against Data Groups

The general term plaguing rights management within an organization is “overpermissioning’. That
temporary project or rights granted on the network rapidly becomes a convoluted web of
interdependencies that result in users collectively having access to far more data on the network than they
need for their role. Limit a user’s damage with data security software that profiles  user behavior and
automatically puts in place permissions to match that behavior.

Respect Data Privacy

Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper
handling of data under your control.

Data Security Regulations

Regulations such as HIPAA (healthcare), SOX (public companies) and GDPR (anyone who knows that
the EU exists) are best considered from a data security perspective. From a data security perspective,
regulations such as HIPAA, SOX, and GDPR require that organizations:

 Track what kinds of sensitive data they possess

 Be able to produce that data on demand

 Prove to auditors that they are taking appropriate steps to safeguard the data

These regulations are all in different domains but require a strong data security mindset. Let’s take a
closer look to see how data security applies under these compliance requirements:

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act was legislation passed to regulate health
insurance. Section 1173d—calls for the Department of Health and Human Services “to adopt security
standards that take into account the technical capabilities of record systems used to maintain health
information, the costs of security measures, and the value of audit trails in computerized record system.”
From a data security point of view, here are a few areas you can focus on to meet HIPAA compliance:

 Continually Monitor File and Perimeter Activity – Continually monitor activity and access to

sensitive data – not only to achieve HIPAA compliance, but as a general best practice.
  Access Control – Re-compute and revoke permissions to file share data by automatically
permissioning access to individuals who only have a need-to-know business right.
 Maintain a Written Record – Ensure you keep detailed activity records for all user objects
including administrators within active directory and all data objects within file systems. Generate
changes automatically and send to relevant parties who need to receive the reports.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002, commonly called “SOX” or “Sarbox,” is a United States federal law
requiring publicly traded companies to submit an annual assessment of the effectiveness of their internal
financial auditing controls.
From a data security point of view, here are your focus points to meet SOX compliance:

 Auditing and Continuous Monitoring – SOX’s Section 404 is the starting point for
connecting auditing controls with data protection: it asks public companies to include in their
annual reports an assessment of their internal controls for reliable financial reporting, and an
auditor’s attestation.

 Access Control –Controlling access, especially administrative access, to critical computer

systems is one of the most vital aspects of SOX compliance. You’ll need to know which
administrators changed security settings and access permissions to file servers and their contents.
The same level of detail is prudent for users of data, displaying access history and any changes
made to access controls of files and folders.
 Reporting – To provide evidence of compliance, you’ll need detailed reports including:
 data use, and every user’s every file-touch

 user activity on sensitive data

 changes including permissions changes which affect the access privileges to a given file
or folder

 revoked permissions for data sets, including the names of users

General Data Protection Regulation (GDPR)

The EU’s General Data Protection Regulation covers the protection of EU citizen personal data, such as
social security numbers, date of birth, emails, IP addresses, phone numbers, and account numbers. From a
data security point of view, here’s what you should focus on to meet GDPR compliance:
 Data Classification – Know where sensitive personal data is stored. It’s critical to both
protecting the data and also fulfilling requests to correct and erase personal data, a requirement
known as the right to be forgotten.
 Continuous Monitoring –The breach notification requirement enlists data controllers to report
the discovery of a breach within 72 hours. You’ll need to spot unusual access patterns against files
containing personal data. Expect hefty fines if you fail to do so.
 Metadata – With the GDPR requirement to set a limit on data retention, you’ll need to know the
purpose of your data collection. Personal data residing on company systems should be regularly
 reviewed to see whether it needs to be archived and moved to cheaper storage or saved for the
future.
 Data Governance – Organizations need a plan for data governance. With data security by design
as the law, organizations need to understand who is accessing personal data in the corporate file
system, who should be authorized to access it and limit file permission based on employees’ actual
roles and business need.

How Varonis Helps with Data Security

For companies that have a hold on data and have security obligations due to GDPR or other regulatory
requirements, understanding our mission at Varonis will help you manage and meet data protection and
privacy regulations requirements.

The mission at Varonis is simple: your data is our primary focus, and our data security platform protects
your file and email systems from cyberattacks and insider threats. We’re fighting a different battle – so
your data is protected first. Not last.
We continuously collect and analyze activity on your enterprise data, both on-premises and in the cloud.
We then leverage five metadata streams to ensure that your organization’s data has confidentiality,
integrity, and availability:

 Users and Groups – Varonis collects user and group information and maps their relationships
for a complete picture of user account organization.
 Permissions – We add the file system structure and permissions from the platforms that we
monitor, and combine everything into a single framework for analysis, automation, and access
visualization.
 Access Activity – Varonis continually audits all access activity, and records & analyzes every
touch by every user. Varonis automatically identifies administrators, service accounts and
executives and creates a baseline of all activity. Now you can detect suspicious behavior: whether
it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware
like CryptoLocker.
 Perimeter Telemetry – Varonis Edge analyzes data from perimeter devices such as VPN, proxy
servers, and DNS – and combines this information with data access activity to detect and stop
malware apt intrusions and data exfiltration.
 Content Classification – Varonis scans for sensitive and critical data, and can absorb
classification from other tools like DLP or e-Discovery. Now we know where sensitive data lives
and where it’s overexposed.
These five metadata streams are critical to achieving data security nirvana. When you combine them, you
can get reports on sensitive data open to global group access, stale data, data ownership, permissions
changes and more. Then, prioritize your custom reports and act to remediate your risk. Meanwhile, you’ll
know that your data is continuously monitored and that you’ll receive real-time alerts when suspicious
behavior is taking place
Most search engines, regardless of if they track you, encrypt your search data. This is how search engines,
including Google, Yahoo and Search Encrypt, all protect their users’ information. Google, which
collects tons of user data, is obligated to protect that information. SSL encryption is a standard for
protecting sensitive information, for search engines and other websites.

What is Encryption?

Encryption is a process that encodes a message or file so that it can be only be read by certain

people. Encryption uses an algorithm to scramble, or encrypt, data and then uses a key for the receiving

party to unscramble, or decrypt, the information. The message contained in an encrypted message is

referred to as plaintext. In its encrypted, unreadable form it is referred to as cipher text.

Basic forms of encryption may be as simple as switching letters. As cryptography advanced,

cryptographers added more steps, and decryption became more difficult. Wheels and gears would be

combined to create complex encryption systems. Computer algorithms have now replaced mechanical

encryption.
How Encryption Works

Encryption uses algorithms to scramble your information. It is then transmitted to the receiving

party, who is able to decode the message with a key. There are many types of algorithms, which all involve

different ways of scrambling and then decrypting information.

How are Encryption Keys Generated?

Keys are usually generated with random number generators, or computer algorithms that mimic random

number generators. A more complex way that computers can create keys is by using user mouse movement

to create unique seeds. Modern systems that have forward secrecy involve generating a fresh key for every

session, to add another layer of security.

Search Encrypt Terms

Key: Random string of bits created specifically for scrambling and unscrambling data. These are used to

encrypt and/or decrypt data. Each key is unique and created via algorithm to make sure it is unpredictable.

Longer keys are harder to crack. Common key lengths are 128 bits for symmetric key algorithms and 2048

bits for public-key algorithms.

 Private Key (or Symmetric Key): This means that the encryption and decryption keys are the

same. The two parties must have the same key before they can achieve secure communication.

 Public Key: This means that the encryption key is published and available for anyone to use. Only

the receiving party has access to the decryption key that enables them to read the message.

Cipher: An algorithm used for encryption or decryption. It is a set of steps that are followed as a

procedure to encrypt information. There are two main types of ciphers, block ciphers and stream ciphers.

Algorithm: An algorithm is the procedure that the encryption process follows. The specific algorithm is

called the cipher, or code. There are many types of encryption algorithms. The encryption’s goal and level

of security determines the most effective solution. Triple DES, RSA and Blowfish are some examples of

encryption algorithms, or ciphers.

Decryption: The process of switching unreadable cipher text to readable information.

Cryptanalysis: The study of ciphers and cryptosystems to find weaknesses in them that would allow

access to the information without knowing the key or algorithm.

Frequency Analysis: A technique used to crack a cipher. Those trying to decrypt a message will study the

frequency of letters or groups of letters in a cipher text. Because some letters occurred more often than
others, the frequency of letters can reveals parts of the encrypted message. While this method was effective

in cracking old encryption methods, it is ineffective against modern encryption.

How Does Search Encrypt Use Data Encryption?

Search Encrypt uses multiple methods of encryption to ensure maximum security. All requests to Search
Encrypt are made over SSL (secure socket layer), which is the preferred method for websites that deal
with sensitive information like financial information, social security numbers or passwords.

Unlike basic encryption which would use one key, SSL uses a public and a private key together to create a
secure connection. Sites like Google, that track user data, use this method to encrypt information about its
users.

To protect our users’ information even more, we use a short lived key for client side encryption of search
history. This means that even if someone accesses your computer, your searches are gone. The short lived
key has expired, and then information can’t be decrypted. Search Encrypt uses this expiring key to
ensure perfect forward secrecy.