Some Basics of Software Security and Caution on Encryption

By Vlad Zams.

engineering, security, basics

Storage and Transfer

When was the last time you thought about data or information security? I used to think about it a little, on a weekly basis, but over the last 3-4 weeks I’ve been thinking about it daily. And it’s a bit of a pity that I cannot share the exact reason why, because of the same old thing: not many businesses or people are into sharing in public the truth about truly problematic topics and potentially embarrassing occurrences.

However, the first few things that I hope will help you reason about data security in a more structured way are:

  1. It’s not obvious at all how to measure the current level of security in any particular system. The question “how do we measure the level of information security?” is better kept on your agenda as a separate series of questions.

  2. There are 2 aspects to where you put your data-security efforts – 2 areas where you apply your data-security practices, protection and monitoring software or hardware:

    • where (and how) the data is stored
    • how it is transferred

    When talking about storage, we don’t mean just one thing; rather, we mean the collection of our system’s endpoints: databases, caches, clients’ and developers’ file systems.
    And when thinking about data transfer, we essentially think about everything that applies between the endpoints – protocols, data format conversions, serializing/deserializing.
    Different mechanisms, tools, and approaches are applied to secure those 2 spaces where data exists.

Encryption

Let’s talk a bit about encryption – a thing that you might have heard about from… a number of people, including those who had less of an idea what they were talking about. Encryption is a lower-level method of securing data. Practically, “lower-level” means that it can be applied to any piece of data, at any point in time, whether it’s data that resides in our storage or data that we’re right now sending over the wire.
Another practical aspect of encryption is that having encryption somewhere in your system is not enough to claim that the system has become significantly more secure. It really depends.

Consider this simple example. Imagine every new secret document in your organization (let’s say it’s just a physical paper document… remember those?… like literal letters put down on a paper sheet). So, imagine it is authored by an authorized person while this person is sitting inside your corporate vault. And that vault has a certified protection system enabled that requires digital codes, fingerprints and retina scans to get access. So far so good: all is protected, since no one can see through the massive door of the vault unless they have the required credentials. We can think of it as data protected at rest – where it is stored.

But imagine that a month or a few later, after a more detailed analysis of your org’s processes was done, you found out that every Monday and Thursday, right after lunch time, due to some 100% valid business reason, some other worker (who is also authorized to access that vault) enters the vault, makes a few copies of certain secret documents and takes them out to deliver to another protected vault (let’s say, one that belongs to a trusted business partner).

And the worker is carrying those documents in their hands openly, without covering the docs even with some cheap plastic folder. And btw, it is always nice to stop somewhere not far from a cooler to have a friendly chat with a completely new member of your amazing team… Of course, an amazing new member. Why is that? Well, probably because being friendly and supportive is “the key to the DNA of your corporate culture”. And, as it turns out in practice, this DNA works much more reliably than any NDA ever signed. And sometimes this is what “cultural fit” means. And it feels great! :)

It is great; however, it is also quite incompatible with establishing a secure data-transfer tunnel. And here we are: all-in on encryption, yet still not quite there in terms of securing the system.
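The vault story above, as an added Go example that is not part of the original post: documents are sealed with AES-GCM while they sit in the vault (at rest), and `Carry` models the copy leaving the vault either decrypted, like the worker’s walk past the cooler, or re-sealed under a separate transit key. The `Key` type, the `Carry` function and its nil-means-in-the-open convention are my constructions for illustration, not anything the post or a specific product defines.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key struct{ aead cipher.AEAD }

// NewKey wraps a 16/24/32-byte AES key; a bad key length fails here, once, not on every call.
func NewKey(raw []byte) (*Key, error) {
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Key{aead: gcm}, nil
}

// Seal returns nonce||ciphertext||tag: the form a document takes in the vault (at rest).
func (k *Key) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or on tampered bytes.
func (k *Key) Open(sealed []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return k.aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Carry takes a copy out of the vault. transit == nil is the worker in the story: the copy
// travels decrypted. Otherwise it is re-sealed under the transit key for the trip.
func Carry(vault *Key, atRest []byte, transit *Key) ([]byte, error) {
	doc, err := vault.Open(atRest)
	if err != nil || transit == nil {
		return doc, err
	}
	return transit.Seal(doc)
}
```

Comparing the three byte strings (at rest, carried in the open, carried sealed) against the original secret shows where the plaintext is observable, which is the whole point of the story: the vault’s encryption says nothing about the hallway.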