3 Steps to Protecting Sensitive Data
Cyber criminals, compromised insiders, malicious users, hacktivists. It seems like everyone is getting in on the threat game. In fact, despite efforts to prevent them, last year the U.S. experienced a 40% increase in data breaches according to a report by the Identity Theft Resource Center and CyberScout.
Given this sobering fact, is there a way to more effectively protect your sensitive data against breaches? Are there things you may not yet be doing when it comes to data protection? Check out the following steps to make sure you’re doing everything possible to protect your data:
Step 1: Discover and assess sensitive data
Data protection starts with the basics, which means knowing the following:
- Where sensitive data resides
- Which applications, systems, and users have access to it
- Who should and should not have access
- Whether it is at risk
Discovery and assessment of sensitive data is the foundation of data security. As new databases come on line, and others are modified, you must routinely and consistently discover and assess instances containing previously unknown sensitive data.
Once systems are identified, you need to track the versions, and assess the risk profile of each system based on known vulnerabilities (see Figure 1). Any identified vulnerability will need to be addressed, via patching or other methods.
Figure 1: Imperva SecureSphere vulnerability information dialog
Then define policies to granularly monitor and control how users access data objects. This might include whitelisting those regularly accessed by individual accounts, so you can detect when a data object is accessed that is not in the whitelist.
Finally, clean up user rights issues. Eliminate excessive user rights, identify and remove dormant user accounts, and aggregate user rights across heterogeneous data stores (see Figure 2). Establish an automated access rights review process to eliminate excessive user rights and dormant user accounts.
Figure 2: Imperva SecureSphere effective user rights analysis
Step 2: Monitor access to sensitive data
In this step (which is actually an ongoing process), you need to analyze all database activity in real time. Monitor all users who access the database, whether through a browser, a mobile app or a desktop application. Naturally, privileged users warrant special attention, with the tightest focus on those privileged users who access database servers directly. This process ideally results in the creation of baselines for normal user behavior, so that abnormal variances can easily be spotted.
Keep in mind that it’s not just the databases that need to be monitored, it’s also big data stores such as MongoDB, Cloudera, Hortonworks and the like. Don’t forget files stored on SharePoint, file servers and NAS devices. Obviously, for all of the above, you need to implement real-time monitoring, auditing and security and rights management. There is no way to effectively do this without automation.
Step 3: Protect data from undesired access or exfiltration
Monitoring access to sensitive data will provide ample information on impending threats and potential breaches. Armed with this information, you should take action to avoid compromise and data loss. There are four typical actions, depending on the nature of the information and the type of threat:
- Block access to sensitive data, based on security policies: This prevents specific users or groups from accessing the data in question. There are a number of ways to do this, the most common being the use of a database firewall. See Figure 3 for an example of a security policy set up to block access to data across borders.
Figure 3: Imperva SecureSphere policy blocking international data transfer
- Mask the data, replacing sensitive data with fictional data. To do so, you must ensure that the fictional data is realistic, maintains referential integrity, and is statistically accurate. Otherwise, this approach will not withstand testing or analysis, and may prevent business processes from continuing to operate normally (see Figure 4).
Figure 4: Imperva Camouflage data masking target configuration
- Stop the activities of risky users: This can be done by temporarily quarantining a user who accesses an object outside the norm, or by blocking unauthorized activities in order to protect data without disabling the account in question.
- Remediate: This includes a series of activities such as sending additional alerts and triggering activities that may include taking preemptive action to prevent data loss.
Web application firewall + data-centric audit and protection = strong data security
Today’s complex IT environment requires a holistic approach to data security that protects both your web applications and your data. That approach includes a web application firewall to protect web applications and services that are easy targets and conduits to sensitive data.
In addition to robust protection of applications that access data, a data-centric audit and protection (DCAP) solution helps you protect data in databases, file stores, and big data repositories. With the right solution, you can address the three steps above while also complying with relevant regulations.
For more insight into how to combine application and data security to stop data breaches, check out our white paper, “Combat Today’s Threats with a Single Platform for App and Data Security.”