Beating The Data Heist

Dicky Hartanto · Published in tiket.com · 5 min read · Jan 3, 2022

— Securing Data Access at tiket.com

Prologo

Have you seen La Casa de Papel, the most anticipated series on Netflix of the past couple of years? Its characters plan the greatest money and gold heist in Spain using sophisticated methods and technology.

I bet you are also familiar with the quote below.

[Image: "Data is gold", https://zeroedin.com/wp-content/uploads/2015/05/data_is_gold.png]

Data is the new gold: it can easily be sold for a price, and whoever holds it can control almost anything. Can you see the correlation between La Casa de Papel and data? Data becomes the next heist target, doesn't it?

Data is a vulnerable asset today that needs to be stored and kept securely. As a technology company, tiket.com also produces and stores data for many purposes. We have a huge volume and variety of data, produced from various sources both internally and externally. This is our gold, and it needs to be protected! Our data is stored in a secure vault and monitored closely to prevent illegal access and data heists.

A data heist means your data is exposed to the public by someone. It has a severe impact on organizations. As we know, data heists have become a trend in recent months: several organizations have been reported as heisted, with their data sold on the dark web. Organizations that can't manage and secure their data well won't be trusted by their users again, and those users will stop using their products. No one using the products means no revenue for the organization. No revenue means the organization will struggle to cover its daily operating costs, and so on. This is the domino effect of a data heist.

La Condition

At tiket.com, the Data and IT Security teams work together to set up preventions against data heists. We set up layers of access controls and policies to ensure the data is well protected inside our system. Before setting up the security layers, we have to understand the data and its users well.

You must be curious about our data and its security mechanism, mustn't you? Well, we categorize the data in several ways, such as where it comes from and how sensitive it is. From those categories, we can easily define the access policies and how to treat each kind of data.

1. Source

Our data comes from various sources, both internal and external. Internal data is any kind of data produced inside our systems, such as data from databases, system logs, or analytic results.

Meanwhile, external data is any kind of data produced outside our system, such as tracking systems, ads, email, etc.

Mostly, internal data contains transaction data from users' purchasing activity, while external data contains user activity while accessing tiket.com.

2. Sensitivity

Sensitivity relates to how far the data can distinguish a person as a unique individual. Sensitive data is closely related to Personally Identifiable Information (PII), which contains confidential personal information such as name, gender, email, phone number, birth date, address, etc.

Non-sensitive data doesn't mean we can share it publicly or freely. We still have to protect it as carefully as we protect sensitive data.

La Metodo

Heisters usually look for small gaps, unsecured lines, or malfunctioning systems as their entry point. They may use brute-force methods or obtain a blueprint of our architecture to find those possibilities. Therefore, the data architecture should be well designed and reviewed from a security perspective. Besides that, we also need security policies that complement and strengthen the architecture itself.

1. Limited Access and Access Level

Never give anyone excess permission; give them the lowest permission that works. This is our guideline when granting permissions to T-Fam, according to their position. Giving excessive permissions leads to abuse of power and creates a small security gap.

At tiket.com, we have a few kinds of access identifiers, such as individual emails, group emails, and service account emails. Each email has different permissions and a specific owner (no sharing). For example, access to a database is limited to a specific user on a specific network with read-only access. This way, we can monitor database access easily, and if there is a security breach, we can easily track and trace it.

Talking about the access matrix, we also map permissions to certain roles at tiket.com. This method reduces over-granting of permissions and standardizes access for all members in the same role. This is an example of the access matrix we have implemented at tiket.com.

To make it more secure and ensure the lowest access, you can divide the roles again into specific levels, such as lead and engineer, where the engineer has only limited write permissions.

Our data is accessed not only by internal users but also by external parties such as product vendors, ads vendors, and others. Since the access matrix applies only to internal usage, we also create custom policies based on agreement and assessment from both sides. For instance, if vendor X needs to read and write data in our Google Cloud Storage, we create an isolated folder with limited access and permissions. This way we can minimize the impact if there is a security breach in the future.
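To show how the rules in this section fit together, here is an added example, not tiket.com's own code, of a least-privilege access check: an access matrix keyed by role, a lead/engineer split in which the engineer level writes only inside a workspace prefix, read-only database access that is accepted only from a trusted network, and an external vendor confined to one isolated storage folder. The role names, bucket prefixes, network ranges and the `Principal`/`is_allowed` names are all constructed for the example.

```python
"""Added example, not tiket.com's own code: a least-privilege access check in the
spirit of the post. All role names, prefixes, networks and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed access matrix: role -> allowed actions. Anything not listed is
# denied, so a new role starts with no access at all.
ROLE_MATRIX: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"read"}),
    "data-engineer": frozenset({"read", "write"}),
    "data-lead": frozenset({"read", "write", "delete"}),
}

# Constructed assumptions: engineers may write only under a workspace prefix,
# and databases answer only to clients inside the trusted office/VPN ranges.
WORKSPACE_PREFIX = "gs://tiket-data/workspace/"
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Principal:
    """An access identifier: an individual, group or service-account email."""
    email: str
    kind: str                                     # "user", "group" or "service-account"
    role: Optional[str] = None                    # internal role from ROLE_MATRIX
    vendor_prefix: Optional[str] = None           # external party: the one folder it may use
    vendor_actions: FrozenSet[str] = frozenset()  # actions agreed with that vendor


def in_trusted_network(client_ip: str) -> bool:
    """True when the client address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_allowed(p: Principal, action: str, resource: str, client_ip: str) -> bool:
    """Return True only when every applicable rule grants the request."""
    is_database = resource.startswith("db://")

    # Rule 1: databases are reachable only from a trusted network, whoever asks.
    if is_database and not in_trusted_network(client_ip):
        return False

    # Rule 2: an external vendor is confined to its isolated folder and the
    # actions written into its agreement; nothing else is reachable.
    if p.vendor_prefix is not None:
        return resource.startswith(p.vendor_prefix) and action in p.vendor_actions

    # Rule 3: internal access comes from the role matrix; unknown role => nothing.
    if action not in ROLE_MATRIX.get(p.role or "", frozenset()):
        return False

    # Rule 4: database access is read-only for every internal role.
    if is_database:
        return action == "read"

    # Rule 5: the engineer level keeps its write access limited to the workspace.
    if p.role == "data-engineer" and action != "read":
        return resource.startswith(WORKSPACE_PREFIX)

    return True


if __name__ == "__main__":
    lead = Principal("lead@example.com", "user", role="data-lead")
    vendor = Principal("svc-vendor-x@example.com", "service-account",
                       vendor_prefix="gs://tiket-data/vendors/vendor-x/",
                       vendor_actions=frozenset({"read", "write"}))
    print(is_allowed(lead, "read", "db://orders", "10.1.2.3"))                           # True
    print(is_allowed(vendor, "read", "gs://tiket-data/warehouse/orders.parquet", "203.0.113.5"))  # False
```

The order of the rules matters: the network check and the vendor confinement run before the role matrix is consulted, so a vendor never inherits an internal role and an internal user never reaches a database from outside the trusted range, even when the matrix itself would say yes.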

2. Audit Log

Once the access matrix and policies are in place, we still need to control and audit the granting and revoking process. Granting and revoking are done by humans based on requests from users, and this process is sometimes abused through `backdoor` requests. To prevent this, we built a ticketing service to record every request and every change to access permissions. Currently, we use JIRA as the ticketing tool to record and log requests.

Beyond the ticketing service, we also turn on data access logs in every data service. These logs record any activity users perform in the system, such as querying, downloading, or updating data. Therefore, if a data heist happens, we can track and trace who accessed what, and when.
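The two controls in this section, a ticket reference for every permission change and an access log for every data service, can be checked mechanically. The following is an added example, not tiket.com's own tooling, that reads a constructed JSON-lines access log, answers "who, when, what" for one resource, flags grants or revokes that carry no well-formed ticket key (the `backdoor` requests above), and lists unusually large downloads. The line format, field names and the ticket-key pattern are assumptions for the example, not any vendor's real audit-log schema.

```python
"""Added example, not tiket.com's own code: triage over a constructed
data-access log. Field names, ticket pattern and thresholds are assumptions."""
import json
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events; one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-01-03T09:12:44Z", "actor": "alice@example.com", "action": "query", "resource": "db://orders", "rows": 120}
{"ts": "2022-01-03T09:40:10Z", "actor": "bob@example.com", "action": "download", "resource": "gs://tiket-data/warehouse/customers.csv", "rows": 250000}
{"ts": "2022-01-03T10:05:00Z", "actor": "admin@example.com", "action": "grant", "resource": "db://orders", "target": "carol@example.com", "ticket": "SEC-1042"}
{"ts": "2022-01-03T10:06:31Z", "actor": "admin@example.com", "action": "grant", "resource": "gs://tiket-data/warehouse/", "target": "svc-ads@example.com"}
{"ts": "2022-01-03T11:30:02Z", "actor": "carol@example.com", "action": "update", "resource": "db://orders", "rows": 3}
"""

TICKET_RE = re.compile(r"^[A-Z][A-Z0-9]+-\d+$")   # assumed JIRA-style key, e.g. SEC-1042
PERMISSION_CHANGES = {"grant", "revoke"}


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into events sorted by timestamp; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue   # one broken line must not hide the rest of the trail
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])


def trace_resource(events: List[Dict], resource: str) -> List[Tuple[str, str, str]]:
    """Who touched this resource, when, and how (data access only, not grants)."""
    return [(e["ts"], e["actor"], e["action"])
            for e in events
            if e["resource"] == resource and e["action"] not in PERMISSION_CHANGES]


def untracked_permission_changes(events: List[Dict]) -> List[Dict]:
    """Grants/revokes with no well-formed ticket reference: the 'backdoor' requests."""
    return [e for e in events
            if e["action"] in PERMISSION_CHANGES
            and not TICKET_RE.match(str(e.get("ticket", "")))]


def bulk_downloads(events: List[Dict], threshold_rows: int) -> List[str]:
    """Actors who downloaded at least threshold_rows in a single event."""
    return sorted({e["actor"] for e in events
                   if e["action"] == "download" and e.get("rows", 0) >= threshold_rows})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in trace_resource(evs, "db://orders"):
        print(row)
    for e in untracked_permission_changes(evs):
        print("no ticket:", e["actor"], "granted", e["resource"], "to", e["target"])
    print("bulk downloads:", bulk_downloads(evs, 100000))
```

Run against the sample, `trace_resource` returns Alice's query and Carol's update on `db://orders`, the grant to the ads service account is reported because it has no ticket key, and Bob's 250,000-row download crosses the 100,000-row threshold. The same three questions are what an incident responder asks first after a suspected heist, which is why the logs have to be switched on before anything happens, not after.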

Epilogo

Data heists are inevitable, but you can prevent them. Prevention comes not only from the policies and systems that have been put in place, but also from yourself. Always protect your assets and information, and regularly review your own data and credentials.

Sharing is caring, but never share your personal data with anyone.
