Understanding Data and the Imperative of Data Security

  • 13 Pages
  • Published On: 03-11-2023
Introduction

Data can be described as the raw form of information that is stored as columns and rows in a database, on a network server or on personal computers. This may include a wide range of information, from personal files and intellectual property to market analytics and top-secret details that could be quite harmful in the wrong hands (Michael, 2015). Data can also be said to be anything of interest that can in one way or another be read or otherwise interpreted in human form. Nevertheless, although data is anything that can be read, not all data should be read by just anyone; some of this information is not intended to leave the system, for privacy reasons. Unauthorized access to data can lead to numerous problems, such as loss of data value and data corruption, for large and small corporations and for the personal home user alike. For instance, having your bank account details stolen can be just as damaging as it is for a system administrator who has just been robbed of the client information in their database. To keep data safe, data security is therefore deemed quite an essential task (Michael, 2015).

Ronald L. Krutz (2013) describes data security as the process of taking all possible physical and software preventative measures to protect information and keep it secure from underlying threats such as unauthorized access, misuse, modification, destruction, or any form of improper disclosure of information to parties not legally entitled to it. Data security more or less refers to the protective digital privacy measures that can be, and often are, applied to prevent unauthorized access to and corruption of the computers, databases and websites that hold data. This implies the creation of a secure platform on which computers, users and programs can run their permitted critical functions within a safe environment (Sushil Jajodia, 2016). Data security is viewed as an essential aspect of IT for organizations of every size and type, as it mainly protects the value of data, which is said to be the most important aspect of any data or information.

The value of any information is said to be obtained from the characteristics that the information possesses. Where the characteristics of a particular piece of data change, the value of that information may increase or, more commonly, decrease (Gartner, 2014). As is commonly observed, this is likely to change the intended meaning of the data, so that the data fails to pass on the intended message or the information is falsified. This occurs due to the presence of vulnerabilities in a network or in data storage. In data security there exist quite a number of threats, some of which are said to be basic and some quite technical.

Key threats to data security

Some of the most common data security threats include situations where data is lost or damaged in incidents such as a system crash, especially one in which the hard disk is affected. In this case, the data stored on the hard disk will be lost, and in some cases it becomes quite difficult to recover data that might have been vital to an individual or an organization, or key to business success (Luhn, 2013). Another threat is data corruption. Data can be corrupted for a number of reasons. It can be corrupted manually by an ill-intentioned person, perhaps someone paid to do so, or by a hacker; in other cases, data can be corrupted as a result of factors such as faulty disks, disk drives or power failures, which may lead to a change in the value of the data. Yet another common threat is data loss through accidentally deleting or overwriting files in storage or in transmission. Another is data corruption or loss through computer viruses. These are programs embedded in other applications or data which, once the host application is run, access the computer system bit by bit and corrupt, or in some instances delete, data in the system without the owner's consent, leading to data loss or a change in data value (Sushil Jajodia, 2016).

Hackers have also, over the years, been one of the biggest threats to data security. These are people who use their computer prowess and, with the help of ever-growing technology, are able to crack their way into a computer system, a database or a computer network without authority in order to steal, delete or alter information. In some cases, this access is tipped off by an employee who wishes to make money or take revenge on their employer or another employee, and who feeds information to other organizations, which may bring an organization to its knees (Joel, 2012). According to Mubarak S. Al-Mutairi (2013), some other technical threats that affect data security vary from organization to organization, depending especially on the type of information and the importance it holds for the organization at large. While the exposure of credit card and social security numbers is certainly dangerous, so is the exposure of an organization's plans, finances and sensitive employee information, among other information.

Among the most technical threats that expose such vital data in organizations is SQL injection (John W. Rittinghouse, 2014). This is one of the biggest threats, especially to databases, much as it is to web apps. This is because such attacks can be launched through either a database or a web application that acts as a front end to the database. SQL injection is said to occur mainly when input data is not sanitized before it is executed in the database, or in the web app that hosts the database. In this case, an attacker who crafts a malicious input can gain access to all the sensitive data, obtain escalated privileges and, in especially dangerous exploits, gain access to the database's operating system commands and hence the database itself, where they can steal, delete or alter information belonging to an organization, which would be quite catastrophic for the organization (Gartner, 2014).

This is a data security threat that has caused quite a lot of havoc in exposing organizational data over the years (Michael, 2015). For instance, a survey by Ponemon, referred to as Ponemon's SQL Injection Threat Survey, showed that approximately 65% of the organizations surveyed in 2014 had experienced a successful SQL injection attack at some point during the course of that year alone. In a tragic case, in 2008, the Oklahoma Sexual & Violent Offender Registry was said to have been shut down. This was after it was discovered that over 10,000 sex offenders had had their social security numbers downloaded from the organization's database through the use of SQL injection. Another was one of the most infamous database attacks of all time, which saw 170 million card and ATM numbers stolen from corporations including TJ Maxx, Heartland Payment Systems and J.C. Penney, and which was carried out using a sniffer program and SQL injection techniques (John W. Rittinghouse, 2014).
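The un-sanitized input problem described above, shown beside its standard fix (parameterized queries). This is an added example, not part of the original essay; the table, column names, rows and the crafted input string are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"),
         ("carol", "000-00-0003")],
    )
    return conn


def lookup_unsanitized(conn, name):
    """Weak form: the input is pasted into the SQL text, so the database
    parses it as part of the statement rather than as a value."""
    query = "SELECT name, ssn FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the statement is fixed and the input is bound as data."""
    query = "SELECT name, ssn FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Constructed input: the quote closes the string literal and the remainder
# is parsed as an always-true condition.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("unsanitized", lookup_unsanitized),
                      ("parameterized", lookup_parameterized)):
        print(label, "normal :", fn(conn, "alice"))
        print(label, "crafted:", fn(conn, CRAFTED))
```

With the crafted input, the unsanitized lookup returns every row in the table, while the parameterized lookup searches for a customer literally named `nobody' OR '1'='1` and returns nothing.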

Another data security threat is buffer overflow vulnerabilities. This threat arises when a program tries to copy too much data into a memory buffer, causing the buffer to "overflow" and resulting in data currently in memory being overwritten. Buffer overflow vulnerabilities pose an especially dangerous threat to data in a system, and particularly in databases holding sensitive information, as they could allow an attacker to exploit these vulnerabilities to set unknown values to known values or to interfere with the program's logic, changing the meaning of data that is vital to the normal operation of an organization (Ronald L. Krutz, 2013). Another technical threat is the denial of service (DoS) attack. DoS attacks are said to happen often through buffer overflows, data corruption or other kinds of consumption of the server's resources. These attacks are often seen to crash the server, making the data in a system unreachable even for the authorized user for as long as the attack can be sustained (John W. Rittinghouse, 2014).

Another is privilege escalation. This is a data security threat that can lead to malicious addition, alteration or deletion of data in a computer system or a database, which, depending on the data's sensitivity, can wreak havoc on an organization. It can lead to a change in the value of data, or to loss of data. The final threat to data security is weak authentication. This is quite a common threat to data security and integrity. It happens especially when the underlying system's authentication measures are so weak that they allow a malicious user to steal the identity of a legitimate user and use it to gain access to confidential data (Luhn, 2013).

Issues in data security

In ascertaining data security, Sushil Jajodia (2016) suggests that a number of factors, or rather issues, need to be taken into consideration. These are the issues that help dictate the extent to which data security is maintained. They include confidentiality (privacy), integrity, authenticity and authorization, availability, accuracy, utility and possession, among others. In facilitating data security, these issues need to be given serious consideration. Gartner (2014) explains that the triad of confidentiality, integrity and availability is essentially the foundation of information security, as well as of database security.

Confidentiality

Confidentiality is regarded as one of the most important aspects of data security. This may be because it is the aspect most concerned with privacy. Information is said to be confidential if it is well protected from disclosure or exposure to people or systems that are not authorized to have or view it. In most cases, confidentiality is enforced through encryption. This can be done for both data in transit and data at rest, by making sure that only those with the rights and privileges to access the information can do so (Joel, 2012). When unauthorized individuals or systems view information they should not, confidentiality is said to be breached. Some measures and strategies that can be used to enhance data confidentiality include information classification, secure document storage, application of general security policies, and education of information custodians and end users.

Integrity

Integrity is yet another crucial aspect of data security. This is because it ensures that only authorized personnel are able to see privileged information (Mubarak S. Al-Mutairi, 2013). Information is said to have integrity when it is whole, complete and uncorrupted. The integrity of data is vulnerable and threatened whenever the information is exposed to corruption, destruction, damage or any other disruption of its authentic state. Nevertheless, the integrity of data can be enforced through a user access control system that helps define permissions for who can access which data. This aspect of data security extends beyond permissions to security implementations such as authentication protocols, strong password policies, and ensuring that unused accounts are locked or deleted, which further strengthens the integrity of data (John W. Rittinghouse, 2014).

Availability

Ronald L. Krutz (2013) states that availability in data security relates to the need for data to be up and available for use whenever it is needed. For data to be secure, the underlying systems, such as databases, need to be dependable and functional, which implies that they are up and running whenever the organization is. This enables authorized users, persons or computer systems to have full access to any information within their jurisdiction without any form of interference or obstruction, and to receive this information in the required format. In simpler terms, this means that downtimes should be planned on weekends and servers kept up to date.

1.2.4 Accuracy

Data accuracy is yet another essential issue to be considered in maintaining data security. Information is deemed to have accuracy when it is free from mistakes and the value presented to the end user is not false (John W. Rittinghouse, 2014). For data to be secure, be it in a database, in a web app or in a computer system, it has to maintain its original value and be free of errors.

1.2.5 Authenticity

Information authenticity is one of the core concepts in data security. Data is said to be authentic if its quality is high and it is in its original form, rather than a fabrication (Gartner, 2014). This implies that the information is in the same state in which it was created, placed, stored or transferred. To ensure information is authentic, it is only made available to those who need it and those who can be trusted with it. Authentication and authorization are the two concepts used in this case to prove that a user requesting access to information is the person they claim to be and that they have the necessary authority to gain access to that data. This can be done by use of authentication measures such as something the user knows (username and password), something the user has (smart card), or a detail about the user that proves their identity (fingerprint) (Joel, 2012).

1.2.6 Utility

Another issue to be considered in data security is data utility. This has more to do with the quality of the data and the state the data is in. Information has value if and only if it can serve a meaningful purpose. As stated earlier, information security ensures that information is available, but if that information is not in a format that is meaningful to the end user, it is deemed not useful and hence loses its utility (Luhn, 2013).

Data security technologies

As a means of enhancing data security, there are quite a number of technologies for locking down data, from software solutions to hardware mechanisms. Some of these mechanisms include:

1.3.1 Encryption

This is a data security mechanism that has over the years become quite a critical security feature for thriving networks, databases and active home users alike (Mubarak S. Al-Mutairi, 2013). This security technology is said to make use of mathematical schemes and algorithms to scramble data into unreadable text that cannot be read by outsiders. The scrambled data can only be decoded, or decrypted, by the party that possesses the associated key, referred to as the decryption key. One of the most famous forms of encryption is full-disk encryption (FDE). This is a form of encryption that offers some of the best protection available. This technology enables an organization to encrypt every piece of data on a disk or hard disk drive. It is even more powerful when hardware solutions are used in conjunction with these software components, in a combination often referred to as end-based or endpoint full disk encryption (Michael, 2015).


1.3.2 Backup Solutions

Another data security technology is backup. Data security would not be complete without a solution for backing up critical information. Though data may appear quite secure while it is confined in a machine, there is always a chance that it can be compromised. Such a machine can be compromised by malware infections such as viruses or Trojans, which can destroy all of the files on the machine (Gartner, 2014). With such malware, someone, for instance a hacker, could enter a computer system or a database and steal, delete or alter data by sliding through a security hole in the operating system. This can also be an inside job carried out by an ill-motivated employee, which may cause an organization or business to lose sensitive information that, if it falls into the hands of competitors, may cause havoc. Nevertheless, data that is lost can be recovered fully by use of a reliable backup solution instead of starting completely from scratch. Backup systems allow an organization to get back lost data, reducing the loss of sensitive and useful information (Luhn, 2013).

1.3.3 Strong user authentication

One of the most commonly encountered methods of practicing data security is the use of authentication (Joel, 2012). This is a critical part of data security that a system user encounters every day. Authentication mainly deals with the provision of passwords, codes, biometric data, fingerprints or some other form of data that can verify a user's identity before they are granted access to a system or to data. One of the most common examples is when one logs into their email or blog account (Ronald L. Krutz, 2013). That single sign-on process is a form of authentication that allows one to log into applications and gain access to files, folders and even an entire computer system or database.

1.3.4 Data masking

Data masking is a technique for enhancing data security by obscuring (masking) specific data within a database table or cell, so as to ensure that data security is maintained and that sensitive information is not exposed to unauthorized personnel (Kamara, 2016). This may include masking the data from users, developers and outsourcing vendors, among others.
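A sketch of the masking described above, applied to rows before they are handed to a developer or vendor. This is an added example, not part of the original essay; the column names, the role name and the sample rows are assumptions constructed for illustration.

```python
# Assumed names: which columns are sensitive and which role may see them.
SENSITIVE_COLUMNS = {"ssn", "card_number"}
CLEARED_ROLES = {"compliance_officer"}

# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    {"name": "alice", "ssn": "000-00-0001",
     "card_number": "4111 1111 1111 1111"},
    {"name": "bob", "ssn": "000-00-0002", "card_number": None},
]


def mask_value(value, visible=4, mask_char="*"):
    """Replace letters and digits with mask_char, keeping separators and
    the last `visible` characters. Values too short to keep a visible
    tail are masked completely rather than shown in full."""
    total = sum(ch.isalnum() for ch in value)
    to_mask = total if total <= visible else total - visible
    out = []
    for ch in value:
        if ch.isalnum() and to_mask > 0:
            out.append(mask_char)
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def mask_rows(rows, role):
    """Return copies of the rows with sensitive columns masked unless the
    role is cleared. The input rows are never modified."""
    if role in CLEARED_ROLES:
        return [dict(row) for row in rows]
    masked = []
    for row in rows:
        masked.append({
            col: mask_value(str(val))
            if col in SENSITIVE_COLUMNS and val is not None else val
            for col, val in row.items()
        })
    return masked


if __name__ == "__main__":
    for role in ("developer", "compliance_officer"):
        print(role, mask_rows(SAMPLE_ROWS, role))
```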

1.3.5 Data erasure

The final mechanism that facilitates data security is data erasure. This is a method of software-based overwriting that destroys all electronic data residing on a hard drive or any other digital media, so as to ensure that no sensitive data can be leaked when an asset is retired or reused (Huffman, 2015).

1.4 Conclusion

In conclusion, data security is quite crucial to any organization. In the modern world, electronic systems have become widely used both in the business world and in our private everyday lives. There exist various electronic systems, used for all kinds of purposes, but the one thing these systems have in common is that they are used to operate on data. Most of this data is quite sensitive and should not be exposed to anyone apart from the intended parties, as some of it contains personal information and some is organizational and business information whose exposure would cause havoc and lead to failure in business, among other consequences. For a system to be termed reliable, it is therefore essential that it considers the six issues of data security (confidentiality, integrity, availability, accuracy, authenticity and utility) and, to meet them, makes use of encryption, authentication, backup, data masking or data erasure techniques to maintain data security and ensure data is safe from deletion, alteration or unauthorized access.

References

Gartner, P., 2014. What you need to know about data security and compliance. [Online] Available at: https://www.gartner.com/doc/1071415/need-knowcloud-cloud- computing- Security [Accessed 7 February 2017].

Huffman, H. M., 2015. Effective skills in Data Security Management. Journal of Information Security Management, 36(24), pp. 12-17.

Joel, F., 2012. Study on Application security. Journal of Software, 22(57), pp. 63-78.

John W. Rittinghouse, J. F. R., 2014. Implementation and Management data security. 2nd ed. London: CRC Press.

Kamara, L., 2016. Cryptographic cloud storage. Financial Cryptography and Data Security, 14(25), pp. 136-148.

Luhn, W., 2013. Network Security: Computer Network Security Techniques and Tactics. 4th ed. New York: Elsaviour Inc.

Michael, A., 2015. Essence of Data Security in Business organizations. [Online] Available at: http://eecs.berkeley.edu/Pubs/TechRpts/2009 /EECS2009-28.pdf:2009.2 [Accessed 7 February 2017].

Mubarak S. Al-Mutairi, L. A. M. K. M., 2013. Handbook of Research on Security Considerations in Computing Environments. 3rd ed. Chicago: IGI Global.

Ronald L. Krutz, K. M., 2013. Data Security: A Comprehensive Guide to Secure Data Security. 3rd ed. New York: Wiley.

Sushil Jajodia, K. K. P. S., 2016. The fundamentals of Data Security. 3rd ed. New York: Springer Publishers.

