Data Security
Data security: Why it's important and how to implement it
Data security is the practice of protecting data from unauthorized access, use, disclosure, disruption, modification, or destruction. It's important for enterprise data architects because good data security protects the organization's sensitive data, such as customer data, financial data, and intellectual property. This helps to prevent fraud, inappropriate
Understand Your Data
Not everything has to be locked down tight, but you need to understand what data you have and where it is. This is where your conceptual data models (from the data structure pillar) are helpful. Identify the key business concepts that you want to keep control of, or need to keep secure because they hold sensitive data, personal data, trade secrets, deal information or other data that needs to be controlled and managed.
You need to be able to classify the data, so having a standard classification scheme is important. It's important that it is simple, well documented and socialised widely. Everyone needs to be on board with the need for the classifications, what they are and how they should be applied.
Classifications vary from organisation to organisation, depending on the data that they hold, their business model and their level of maturity in information management.
Four levels is usually a decent starting point. The names don't actually matter that much; there are other ways to describe similar concepts.
- Confidential (only senior management have access)
- Restricted (most employees have access)
- Internal (all employees have access)
- Public information (everyone has access)
Starting with the most restrictive, apply these categories to the conceptual data models and the information on where the data resides to start to build processes and systems around the data to ensure that it is protected.
Personal Information (Personal Identifying Information)
Personally Identifying Information (PII) is any data that helps in tracking back to an individual or contacting an individual directly. Names, email addresses, phone numbers, SSNs and credit card information are a few examples of PII. It is a particular category that needs to be managed. It's not exactly security, but the techniques are pretty similar and the consequences of not managing it well (especially in Europe) can be severe.
In Europe and the UK, the General Data Protection Regulation (GDPR) sets out requirements for how companies must handle personal data, including that it can only be used for the legitimate business purposes for which the person gave up the data, requirements for disclosing personal data to the person in question when requested, and how it needs to be processed.
Penalties for not complying are severe: up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
The process for managing it is the same as for the security levels but it's better to not mix the two data categorisations. They are different, they overlap but not completely and they are trying to identify different things. Having more than one layer of metadata attached to your data is not a bad idea. You need to understand it from more than one angle.
With PII it's simpler than for security: data is pretty much in or out.
When you've got it identified, you have to understand the processes and the systems that relate to that data (conceptual model once again) and ensure you have the right aging processes, security, ability to query, etc. around it.
You can't do this only once (I've seen it many times). Things change, so it needs to be revisited once a year. This is an exercise that gets easier the more mature your organisation becomes at managing data.
The penalties are so severe you need to take it seriously.
Techniques
- Roles and permissions: Roles and permissions can be used to control who has access to what data. For example, you might create a role for sales users that allows them to access customer data, but not financial data.
- Data encryption: Data encryption can be used to protect data from unauthorized access, even if it is stolen or lost. For example, you might encrypt customer credit card numbers so that they cannot be used if they are stolen.
- Firewalls and intrusion detection systems: Firewalls and intrusion detection systems can be used to protect your network from unauthorized access and malicious attacks.
- Security awareness training: Security awareness training can help your employees to identify and avoid security risks.
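The four classification levels, the separate PII layer and the sales-role example above, combined in an added Python example that is not part of the original page. The entity names, systems, roles and the rule that anything above Internal needs an explicit grant are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # The four levels from the list above; a higher value is more restrictive.
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3

@dataclass(frozen=True)
class Entity:
    name: str        # business concept from the conceptual data model
    level: Level     # security classification layer
    pii: bool        # separate PII layer: in or out
    systems: tuple   # where the data resides

@dataclass(frozen=True)
class Role:
    name: str
    clearance: Level   # highest level the role may see
    grants: frozenset  # entities explicitly granted above INTERNAL

# Constructed sample catalogue and roles (hypothetical names, assumptions).
CATALOGUE = [
    Entity("Product", Level.PUBLIC, False, ("website",)),
    Entity("Customer", Level.RESTRICTED, True, ("crm", "billing")),
    Entity("Invoice", Level.RESTRICTED, False, ("billing",)),
    Entity("Deal", Level.CONFIDENTIAL, False, ("deal_room",)),
    Entity("StaffDirectory", Level.INTERNAL, True, ("hr",)),
]
SALES = Role("sales", Level.RESTRICTED, frozenset({"Customer"}))
FINANCE = Role("finance", Level.RESTRICTED, frozenset({"Customer", "Invoice"}))

def can_access(role: Role, entity: Entity) -> bool:
    """Deny by default: needs clearance and, above INTERNAL, an explicit grant."""
    if entity.level > role.clearance:
        return False
    return entity.level <= Level.INTERNAL or entity.name in role.grants

def review_order(catalogue):
    """Entity names sorted with the most restrictive classification first."""
    return [e.name for e in sorted(catalogue, key=lambda e: (-e.level, e.name))]

def pii_systems(catalogue):
    """Systems that hold PII, whatever their security classification."""
    return sorted({s for e in catalogue if e.pii for s in e.systems})
```

Note that StaffDirectory is Internal yet flagged as PII, which is why the two layers are kept as separate fields rather than merged into one scale.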