On May 25th, 2018, the European Union implemented the GDPR. While most people did not understand the aim or role of this policy at first, it has resulted in numerous discussions and interest in data privacy and data security. Lately, every country is rushing towards implementing a data privacy act. But what is this all about? What does it mean to have a data privacy act or law? What does it mean to have data security? The terms have been used interchangeably over time by different people. I bet you have too. So, what does each of these terms mean? Let’s start with data security.
When talking about data security, the main concern is safeguarding information from unauthorized access. We can say it is the process of protecting the said information or data from being accessed or reached by people who are not allowed to. Take, for example, your private files of bank records, or that text from a friend or a special friend that you don’t want anyone except you to read. How do you safeguard that from being reached or read by others? One option would be to enable password protection on your device to restrict access. Another method would be to use secure apps, and the other would be to use secure texting or ghost texting (Telegram has this feature).
All of these are examples of data security concepts. While the example given describes one of the most common activities one does, it is a simple illustration of how we use data security features in day-to-day life.
Data security on a large scale entails the concepts of maintaining confidentiality, integrity, and the availability of data — this is the CIA triad. There are different methods used in ensuring that data security is enhanced in a workspace or a given environment.
Confidentiality relates to the measures that are taken to ensure that the wrong people do not breach the privacy of the data or reach the sensitive data. Who are the wrong people, you ask? Anyone who is not authorized to access certain information is the wrong person, and therefore confidentiality aims at ensuring that this person does not access the information.
Privacy in data is measured based on how much loss or damage unauthorized access would result in.
There are some everyday activities carried out to ensure data confidentiality, such as the use of an account number instead of the customer details in handling transactions, the use of a routing number in online banking activities, etc. Confidentiality is also ensured by the use of encryption while storing or transmitting data to prevent unauthorized access. On your PC, you have a password that allows only users you trust to access the contents, and this is another confidentiality feature people implement.
As the value of data or information increases, people enforce more confidentiality features. Two-factor authentication is taking over from the simple use of passwords and user IDs. Others include the use of biometric verification, such as fingerprint scans, to gain access to certain information or systems. Reducing the number of times a certain piece of information is transmitted or appears is also a feature of data security. Big companies also enhance security by having air-gapped storage that is only accessed by particular workstations or is inaccessible from all systems except one. These are all features of ensuring confidentiality in the information.
What about information integrity? This is ensuring the consistency, trustworthiness, and accuracy of the information during its lifetime. This is all about not changing the data in either transit or storage. However, sometimes we need to change the data, so only the authorized people are allowed to change the information or the data during the storage or transit process. In storage, data is protected by only granting a defined group of authorized people access while denying others. Permissions are used to protect the data from different groups of users. I bet you have tried to access or write to a given file and received an error that you cannot edit the file or the folder. This is all to retain the integrity of the data in the file or the folder. User access controls are implementations that are set to control who can access what data and how they can interact with the data. Other methods of ensuring data integrity include backup redundancies and verification checksums.
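To make the permissions and verification checksums mentioned above concrete, here is an added example (not code from the original post) that records a SHA-256 checksum for each file in a folder and later reports files that were altered, deleted, or left writable by non-owners. The function names and the sample files are constructed for illustration, and the permission check assumes a POSIX system.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file name directly under root to its checksum."""
    names = sorted(os.listdir(root))
    return {n: sha256_file(os.path.join(root, n)) for n in names
            if os.path.isfile(os.path.join(root, n))}

def verify(root, manifest):
    """Report files that are missing, altered, or writable by non-owners."""
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        if sha256_file(path) != expected:
            findings.append((name, "content changed"))
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group or others"))
    return findings

def demo():
    """Constructed sample: baseline three files, then edit, chmod and delete."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in [("ledger.csv", "acct,100\n"), ("notes.txt", "hi\n"), ("old.log", "x\n")]:
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, 0o600)
        baseline = build_manifest(root)
        clean = verify(root, baseline)
        with open(os.path.join(root, "ledger.csv"), "a") as f:
            f.write("acct,999\n")
        os.chmod(os.path.join(root, "notes.txt"), 0o666)
        os.remove(os.path.join(root, "old.log"))
        return clean, verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A manifest only helps if the people who can change the data cannot also rewrite the manifest, so store it somewhere with stricter write permissions than the files it describes.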
Availability entails ensuring that the data can be reached or accessed when needed. However, this only applies to the authorized persons. In some instances, there are challenges in obtaining information from the systems, and this poses a considerable concern about data security. While it is essential to deny access to unauthorized persons, it would be a huge failure if the access is also unavailable to the authorized persons.
Data availability is all about ensuring that the hardware, the operating systems, the network connections, and the users are working efficiently to allow access to the authorized information in the organization. Disaster recovery procedures come in handy in this case — in the event of a disaster, there is a high chance that access to the information would be lost. This, therefore, calls for a fast reconnection to the data storage. Ensuring data availability is all about ensuring the availability of redundancies, failover, high availability clusters, and RAID implementations in the systems. Backups also work to ensure that data copies exist to be used whenever the previous storage has been compromised or lost in a disaster. Security features such as proxy servers and firewalls are installed to protect data availability against actions such as denial of service or attacks on the network or the systems.
Data security is about safeguarding the data from unauthorized access. It is also about ensuring that the data remains in the correct form and is unchanged if unauthorized people access it and that it is available when needed. There are different ways of ensuring that all these are achieved, as seen above. Data security is also very different in definition from data privacy. We will discuss this in the next post titled data privacy and data privacy policies.