Data security or data protection means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.
Technologies
Disk encryption
Disk encryption refers to encryption technology that encrypts data on a hard disk drive. Disk encryption typically takes form in either software (see disk encryption software) or hardware (see disk encryption hardware). Disk encryption is often referred to as on-the-fly encryption (OTFE) or transparent encryption.
Software versus hardware-based mechanisms for protecting data
Software-based security solutions encrypt the data to protect it from theft. However, a malicious program or a hacker could corrupt the data to make it unrecoverable, making the system unusable. Hardware-based security solutions prevent read and write access to data, which provides very strong protection against tampering and unauthorized access.
Hardware-based security or assisted computer security offers an alternative to software-only computer security.
Security tokens such as those using PKCS#11 or a mobile phone may be more secure due to the physical access required in order to be compromised. Access is enabled only when the token is connected and the correct PIN is entered (see two-factor authentication). However, dongles can be used by anyone who can gain physical access to them. Newer technologies in hardware-based security solve this problem by offering full proof of security for data.
Working off hardware-based security: A hardware device allows a user to log in, log out and set different levels through manual actions. Many devices use biometric technology to prevent malicious users from logging in, logging out, and changing privilege levels. The current state of a user of the device is read by controllers in peripheral devices such as hard disks. Illegal access by a malicious user or a malicious program is interrupted based on the current state of a user by hard disk and DVD controllers, making illegal access to data impossible. Hardware-based access control is more secure than the protection provided by the operating systems, as operating systems are vulnerable to malicious attacks by viruses and hackers. The data on hard disks can be corrupted after malicious access is obtained. With hardware-based protection, the software cannot manipulate the user privilege levels. A hacker or a malicious program cannot gain access to secure data protected by hardware or perform unauthorized privileged operations. This assumption is broken only if the hardware itself is malicious or contains a backdoor. The hardware protects the operating system image and file system privileges from being tampered with. Therefore, a completely secure system can be created using a combination of hardware-based security and secure system administration policies.
Backups
Backups are used to ensure data that is lost can be recovered from another source. It is considered essential to keep a backup of any data in most industries and the process is recommended for any files of importance to a user.
Data masking
Data masking of structured data is the process of obscuring (masking) specific data within a database table or cell to ensure that data security is maintained and sensitive information is not exposed to unauthorized personnel. This may include masking the data from users (for example so banking customer representatives can only see the last four digits of a customer's national identity number), developers (who need real production data to test new software releases but should not be able to see sensitive financial data), outsourcing vendors, etc.
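The two masking cases described above (a representative who sees only the last four digits, and a developer who needs realistic test data without the sensitive values) can be sketched as follows. This is an added example, not part of the original article; the role names, column names, key and sample row are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample row; column names and values are illustrative only.
CUSTOMER = {"name": "Alex Example", "national_id": "123-45-6789", "balance": 10452.17}

# Assumption: a per-environment secret stored outside the masked database.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def mask_keep_last(value: str, visible: int = 4, fill: str = "*") -> str:
    """Hide every digit except the last `visible`, keeping separators."""
    to_hide = max(sum(ch.isdigit() for ch in value) - visible, 0)
    out = []
    for ch in value:
        if ch.isdigit() and to_hide > 0:
            out.append(fill)
            to_hide -= 1
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize_digits(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace each digit with a keyed, deterministic substitute digit.

    The same input always yields the same output, so joins across masked
    tables still line up, while the format (length, separators) is preserved.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    if sum(ch.isdigit() for ch in value) > len(digest):
        raise ValueError("value has more digits than one digest can cover")
    stream = iter(digest)
    return "".join(str(next(stream) % 10) if ch.isdigit() else ch for ch in value)


def view_for(role: str, row: dict) -> dict:
    """Return the copy of `row` that the given role is allowed to see."""
    masked = dict(row)
    if role == "support_rep":
        masked["national_id"] = mask_keep_last(row["national_id"])
    elif role == "developer":
        masked["national_id"] = pseudonymize_digits(row["national_id"])
        masked["balance"] = None  # financial data is withheld entirely
    else:
        # Fail closed: a role without a masking policy gets no data.
        raise PermissionError(f"no masking policy for role {role!r}")
    return masked


if __name__ == "__main__":
    print(view_for("support_rep", CUSTOMER))
    print(view_for("developer", CUSTOMER))
```
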
Data erasure
Data erasure is a method of software-based overwriting that completely wipes all electronic data residing on a hard drive or other digital media to ensure that no sensitive data is lost when an asset is retired or reused.
International laws and standards
International laws
In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information, and that it cannot be shared.
Data Privacy Day is an international holiday started by the Council of Europe that occurs every January 28.
Since the General Data Protection Regulation (GDPR) of the European Union (EU) became law on May 25, 2018, organizations may face significant penalties of up to €20 million or 4% of their annual revenue if they do not comply with the regulation. It is intended that GDPR will force organizations to understand their data privacy risks and take the appropriate measures to reduce the risk of unauthorized disclosure of consumers’ private information.
International standards
The international standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 cover data security under the topic of information security, and one of its cardinal principles is that all stored information, i.e. data, should be owned so that it is clear whose responsibility it is to protect and control access to that data. The following are examples of organizations that help strengthen and standardize computing security:
The Trusted Computing Group is an organization that helps standardize computing security technologies.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary international information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machines, and point of sale cards.
The General Data Protection Regulation (GDPR) proposed by the European Commission will strengthen and unify data protection for individuals within the EU, whilst addressing the export of personal data outside the EU.
Safeguards
The four types of technical safeguards are access controls, flow controls, inference controls, and data encryption. Access controls manage user entry and data manipulation, while flow controls regulate data dissemination. Inference controls prevent deduction of confidential information from statistical databases and data encryption prevents unauthorized access to confidential information.
[Denning, Dorothy E., and Peter J. Denning. "Data security." ACM Computing Surveys (CSUR) 11.3 (1979): 227-249.]
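As an added illustration of an inference control (not taken from the original article), the sketch below applies query-set-size restriction to a statistical query: an average is answered only when the matching group is neither too small nor, by complement, too close to the whole table. The records, field names and threshold k are constructed for the example.

```python
# Constructed sample records for a small statistical database.
RECORDS = [
    {"dept": "eng", "sex": "F", "salary": 98000},
    {"dept": "eng", "sex": "M", "salary": 91000},
    {"dept": "eng", "sex": "M", "salary": 87000},
    {"dept": "ops", "sex": "F", "salary": 64000},
    {"dept": "ops", "sex": "F", "salary": 61000},
    {"dept": "ops", "sex": "M", "salary": 66000},
    {"dept": "hr", "sex": "F", "salary": 58000},
    {"dept": "hr", "sex": "M", "salary": 57000},
]


class QueryRefused(Exception):
    """Raised when answering would describe too small or too large a group."""


def average_salary(records, k, **criteria):
    """Answer AVG(salary) only if the query set C satisfies k <= |C| <= N - k.

    The lower bound stops a query from describing one or a few individuals.
    The upper bound stops the same disclosure through the complement: a
    statistic over almost everyone, compared with the statistic over everyone,
    describes the few who were left out.
    """
    n = len(records)
    matched = [r for r in records
               if all(r[field] == want for field, want in criteria.items())]
    if not (k <= len(matched) <= n - k):
        raise QueryRefused(
            f"query set size {len(matched)} is outside [{k}, {n - k}]")
    return sum(r["salary"] for r in matched) / len(matched)


def is_refused(records, k, **criteria):
    """Convenience wrapper: True if the control would refuse this query."""
    try:
        average_salary(records, k, **criteria)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    print(average_salary(RECORDS, 2, dept="eng"))       # group of 3: answered
    print(is_refused(RECORDS, 2, dept="eng", sex="F"))  # group of 1: refused
    print(is_refused(RECORDS, 2))                       # whole table: refused
```
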
See also
* Copy protection
* Cyber-security regulation
* Data-centric security
* Data erasure
* Data masking
* Data recovery
* Digital inheritance
* Disk encryption
** Comparison of disk encryption software
* Identity-based security
* Information security
* IT network assurance
* Pre-boot authentication
* Privacy engineering
* Privacy law
* Raz-Lee
* Security breach notification laws
* Single sign-on
* Smart card
* Tokenization
* Transparent data encryption
* USB flash drive security
* Gordon–Loeb model for cyber security investments
External links
* Getting Ready for New Data Laws - Local Gov Magazine
* EU General Data Protection Regulation (GDPR)
* Countering ransomware attacks