Hello, my name is Lewis

Fuca and I am here to talk to you about data

security and protection. During this module, we will discuss what data security
and protection is, what we are protecting data from, and why we are protecting
data. So what is data
protection and security? What is its goal? Data security is the process of
protecting your most
critical business assets, that is your data, against
unauthorized or unwanted use. This not only involves deploying the right data
security products, but also combining people
and processes with the technology you choose to protect data throughout
its life-cycle. Enterprise data protection
is a team sport. Let's talk about
data security and protection in context
of the confidentiality, integrity, availability
or CIA triad. You must protect the
confidentiality, integrity, and availability of data
at rest and in transit from intentional and
unintentional attacks. What does all this mean? Let's start with the
difference between data at rest and data in transit. Data in transit is data that
is being transmitted from
one point to another. The transmission may take
place over a network, between people, from here to the next building or
halfway around the globe. Data at rest is data that
resides on endpoints. Such endpoints include database
servers, file servers, laptops or mobile
devices like tablets, where data is being stored
for intended later use. It also includes back-up
devices like tape storage. How about data confidentiality? Confidentiality means
maintaining data secrecy. This means that data access is restricted to those actors
who have a right
to know the data. Confidentiality includes
the concept of privacy, but it also means providing
the right level of access to the right set of users at the right times using
the right methods. As an example, consider
a university dealing with the data related to a
college age adult student. That student may have
authorized the parents to view financial records in order
to pay tuition bills, but that does not mean
the parents are legally authorized to view grades
and academic progress. The student may themselves
be authorized to view their grades and
academic progress, but certainly not
delete or edit them. The students instructor who may be authorized to view, edit,
and delete information
corresponding to grades and academic progress, but only when that
student is enrolled in an instructor's
class, and even then, the instructor will
probably not be legally allowed to view the students
financial information. Additionally, the instructor
may be restricted to viewing the students academic progress
from authorized endpoints, such as a registered laptop connected through a
virtual private network. Not a smartphone connecting over on untrusted cellular
network. Now let's turn to
integrity of data. Ensuring the integrity
of the data means making sure that the data is
trustworthy and accurate, and that it has not
been tampered with. Integrity overlaps
with confidentiality, and that only those allowed to change data are
permitted to do so. In the case of our
college student, a small number of actors should be allowed
to change a grade. Much smaller than even
the limited audience that is allowed to view
academic progress. Perhaps only a single instructor or perhaps a teaching
assistant or two. Indeed, defining who
is allowed to change, insert or delete data is a significant challenge
in ensuring integrity. Another challenge is working with parties outside of
your organization. When our students, parents pay tuition using electronic banking,
they want to be assured that the process is secure
from tampering. A breach of security
will be seen as at least partially the
fault of the university, even if it takes
place on a network or an endpoint that the
university cannot control, then there is availability. Data must be accessible by
the appropriate users
during the correct times. This does not always
mean right away, nor does it mean that the data has to be available continuously.
However, the data must be available within a
reasonable amount of time. This will vary according
to application. Take one example. The student must have academic progress
information available when registering for a course. The information need not be
available 24 hours a day, seven days a week, but it must be available
when the student is registered with a
response time that provides the student ample time to complete registration
actions. The same information
must be available to the student when looking for a job or applying to
a graduate school. However, the time frame
may be different. In this case, being
able to respond in days rather than seconds
will be acceptable. However, it is expected
that the data be accessed years or even
decades after it is created. Availability to a greater
degree than confidentiality and integrity is affected by unintentional actors
and third parties. Remember, data may need to be available for years
or even decades. As an example, a natural
disaster may jeopardize data availability
either temporarily by cutting network connections, longer-term by damaging
application in database servers, or long-term by
destroying archive data. A plan network outage may inadvertently cut
ties to access data. Carelessness can cause loss of backup tapes or drop a
table from a database. There's also a
different time frame in which breaches are discovered. Without careful data
protection measures, violations of confidentiality or integrity may escape
detection for weeks, months or years. Availability violations tend
to be discovered quicker, but not always as in the case
of losing a backup tape. So what are we
protecting data against? Data must be protected against deliberate and inadvertent
or accidental attacks. When we think of data
security and protection our first inclination may be to think of only
deliberate attacks, attacks by bad actors
who wish to purposely compromise our system and
damage or steal our data. Deliberate attacks are
certainly worth our concern. Deliberate attacks can come
in a variety of forms, such as a denial of service, socially engineered
attacks, attacks from internal sources such as privileged
administrators or users, as well as attacks
from external sources. Attackers can have a widely
varying level of skill, from inexperienced
script kiddies who use tools or methods that they
don't really understand, to motivated
discipline criminals, to agencies of nation states with a higher level of skill
and many resources. Returning to our example, the university
system may be preyed upon by disgruntled employees, bored students trying
to crack the system, more motivated students trying to facilitate cheating
or change grades, outside criminals
attempting to gain and exploit personal credit
card information, or even foreign national
agencies making a coordinated effort to
steal valuable research. However, inadvertent
breaches can be just as bad. These includes such
events such as failure of hardware of whether or
other natural disaster or even innocent mistakes by
well-intentioned personnel or poorly implemented or
insufficient procedures. Threat profiles are used
to predict what threats, intentional and unintentional
might pose a threat to data and what measures should be reasonably considered
to protect the data. This ties into the next point. Why do all of this?
Understanding the costs of
the attacks is important. This is challenging
because some of these costs are
difficult to quantify. You want to protect
revenue and profits. Compromise of data can cut
into revenue and cleaning up after an attack adds
cost, cutting profits. Also important is the reputation
of your organization. Additionally, data
protection and security solutions may be part of a
digital transformation effort. Your organization may
be moving services online or even creating
new service offerings. Data protection is part of
the foundation on which these transformative
efforts can build. You must also consider
regulatory mandates. Laws may impose stiff
penalties on data breaches above and beyond
the intrinsic costs of repairing the damage. Industry standards may be
less directly punitive, but maybe a de facto
requirement for your customers to do
business with you. Data protection and
security are expected. Security breaches can be devastating to a
company's reputation. One tenant of security is not to spend more on security
than an asset is worth, but in the case of
brand or reputation, this worth can be very
difficult to assess. We see data security and
protection are necessary, but they are also challenging. In the next segment,
we'll talk about the top challenges and common
pitfalls of data security.