All your assets are digital data. Just a set of ones and zeros storing on hard drives of personal computers, companies endpoints or in clouds. Unfortunately, they can be destroyed and lost forever at any moment if you have not taken care of the appropriate security measures. The mastery of keeping data safe is not a walk in the park, but it’s not a rocket science also. It’s a combination of strategic thinking, deep knowledge and rich hands-on experience.
First, to keep your data safe and secure you have to answer two main questions: “How they can be potentially destroyed and what threatens them?” and “What approaches, strategies and methods should we apply to their protection?”
How CIA Helps to Protect Your Data
All kinds of threats to digital data can be divided into three parts: Confidentiality, Integrity, and Availability. This creates the so-called CIA triad – the base model of Information Security. (Perhaps, it worth mentioning it has nothing in common with the Central Intelligence Agency except the abbreviation).
The attacks against Confidentiality are aimed at getting illegal access to your data. Cybercriminals conduct them in a diversity of ways. A vivid example of such an attack on the network is the Man-in-the-Middle attack when perpetrators intercept the traffic and steal valuable information. An example of such an attack on web-application is an SQL-injection attack purposed to steal information from databases. The same kind of attack can be deployed against staff to elicit information with social engineering tricks.
But there are also less obvious ways to break Confidentiality that should be taken into consideration. For example, an email sent to a wrong person or losing an unencrypted device with valuable information.
Integrity relates to prevention from unauthorized changing your data. If you hold some gold bars and someone covertly replaces them with wooden items, your net worth will go down. The same is true for digital assets. More of that, if your data is changed in the interest of an attacker, the implications can be devastating. Imagine, for example, a black-hat hacker who penetrates a hospital network and change patient’s prescription for a medicine that will kill him. Or a cybercriminal who alters data in a victim’s bank account… In fact, the list of catastrophic implications is never-ending.
A clear example of such an attack is a kind of a Man-in-the-Middle attack when perpetrators not only intercept information but also change it during transmission. Thus, the attackers can alter files you send and receive as well as requests and cookies. We’ll leave for you to guess about the implications.
Availability means the ability to get access to your data. Imagine you have encrypted your laptop and forgotten the password. In this case, your data are still confidential – none of the unauthorized persons has access to it. Integrity is also preserved – the data is not altered. But what use in that, if you can’t access the data?
The most obvious example of an attack against Availability is DDoS attacks. Sending a whopping amount of requests to a company website makes it unavailable for the company’s clients – and, as a result, causes financial and reputation damage.
Thus, to protect your data you should take into attention all these aspects.
But that’s not all.
States of Data: Why You Need to Know About Them
You should also take into consideration different types of data. Information security models include three of them: Data-in-rest, Data-in-motion and Data-in-use.
The first one, Data-in-rest, means stored data. For example, information about clients in a database. Data-in-motion means data that moving (an example is when your browser exchanges valuable information with a server). Data-in-use is the data that is currently processed. An instance of it is data processing by operative memory or CPU.
It’s important to correctly define the state of data because they require different protection approaches.
To name a few, Data-in-rest is usually protected by encryption of a hard drive or database. Data-in-motion also uses encryption, but of another kind – of network traffic. Data-in-use, in the first turn, is protected by access controls and authentication of users, throughout encryption also can be the part of the protection.
Thus, to provide the best protection of your data you need to apply these models to your company’s specificities and circumstances. That’ll be a starting point on the way to securing your digital assets. Then you need to set up a strategy and choose the corresponding means to implement it. There are plenty of organizational, managerial, and technical tools to build really effective protection, but you need to choose only those ideally matching your company needs.