Data Security 101: Data Security Terms and Concepts
You know you should keep your data secure, but do you know how? Do you know the meaning of terms like compliance, multi-factor authentication and data tokenization?
If not, this post is for you. Keep reading for an overview of core concepts and methods for securing data.
Before we get started, we should note that we can’t tell you everything you need to know about data security in a single blog post. That’s just not realistic.
Instead, we’ll focus here on defining key terms and concepts that you should understand in order to start taking a deliberate approach to securing your data.
Encryption is a critical tool for helping to protect sensitive data from being accessed by unauthorized parties.
Data encryption uses an algorithm to translate data into an unreadable form. With the right key, the data can be decrypted back into its original form.
There are a number of data encryption algorithms that are widely used today, such as AES and RSA. There is also a wide variety of tools for implementing these algorithms.
Data tokenization is another useful method for helping to secure sensitive data. However, instead of encrypting the data, tokenization replaces sensitive information, such as credit card numbers or social security numbers, with a non-sensitive replacement value. The original value may be stored locally in a protected data warehouse, stored at a remote service provider, or not stored at all.
For example, imagine that you are a vendor who wants to accept credit card payments, but you don’t want to store credit card numbers on your servers because doing so would make you responsible for securing that data. Rather than collecting credit card numbers and saving them on your servers, you could use a substitute token that stands for each credit card number. If the record of credit card numbers and replacement tokens is maintained by your credit card processor, the processor will be able to match the data tokens with the actual credit card numbers in order to process payments. Meanwhile, you can keep a record of payments on your servers using the tokens, without having to store the credit card numbers themselves.
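The vendor and processor split described above, as an added example that is not from the original post. The class names, the `tok_` prefix and the card number are constructed for illustration, and the processor is simulated in-process rather than being a real payment API.

```python
import secrets

class ProcessorVault:
    """Stands in for the card processor, the only party that keeps card numbers."""
    def __init__(self):
        self._card_by_token = {}
        self._token_by_card = {}

    def tokenize(self, card_number):
        pan = card_number.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan not in self._token_by_card:
            # The token is random, so it has no mathematical link to the card
            # number; only a lookup in this vault can map it back.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_card[pan] = token
            self._card_by_token[token] = pan
        return self._token_by_card[pan]

    def charge(self, token, amount_cents):
        pan = self._card_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

class Merchant:
    """The vendor: records payments by token and never stores the card number."""
    def __init__(self, vault):
        self._vault = vault
        self.payments = []  # everything that persists on the vendor's servers

    def checkout(self, card_number, amount_cents):
        token = self._vault.tokenize(card_number)  # passed through, not saved
        result = self._vault.charge(token, amount_cents)
        self.payments.append({"token": token, "amount_cents": amount_cents,
                              "approved": result["approved"]})
        return token

def demo():
    vault = ProcessorVault()
    shop = Merchant(vault)
    card = "4111 1111 1111 1111"  # constructed test number, not a real card
    first = shop.checkout(card, 2500)
    second = shop.checkout(card, 1000)  # same card maps to the same token
    return vault, shop, first, second

if __name__ == "__main__":
    print(demo()[1].payments)
```

A copy of the vendor's payment records exposes tokens and amounts only; the card numbers exist solely inside the processor's vault.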
Multi-factor authentication, or MFA for short, is a foundational part of many data security strategies.
MFA involves requiring users to authenticate using more than one authentication factor in order to access data or another resource. Those factors can include something they know (e.g. a password or PIN), something they have (e.g. a cell phone or an authentication fob), or something they are (e.g. a fingerprint or iris scan).
A common example of MFA is an application that requires you to log in by providing a password as well as a temporary access code that is sent to you via email.
Most MFA scenarios involve just two authentication methods, as in the example noted above. That is why it is common to hear people talk about two-factor authentication. However, there’s no rule that says you can’t have more than two authentication methods.
Nor is there a rule saying that passwords and access codes are the only way to do MFA. More advanced MFA tools might require users to authenticate by entering a password, as well as scanning their fingers, for example. It’s easy to see how a biometric authentication requirement like that would increase data security, especially when coupled with password authentication.
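The password-plus-emailed-code login described above, as an added example that is not from the original post. The class name, the five-minute lifetime, the attempt limit and the PBKDF2 iteration count are assumptions chosen for illustration, and the code is returned to the caller where a real system would email it.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 300   # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per code

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hash_password(password, self._salt)
        self._pending = None  # [code, expires_at, attempts_left]

    def start(self, password, now=None):
        """Factor 1 (something you know). Issues a code only if it passes."""
        now = time.time() if now is None else now
        candidate = hash_password(password, self._salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real system emails this instead of returning it

    def finish(self, submitted, now=None):
        """Factor 2 (access to the mailbox). Codes expire and are single use."""
        now = time.time() if now is None else now
        if self._pending is None:
            return False
        code, expires_at, attempts_left = self._pending
        if now > expires_at or attempts_left <= 0:
            self._pending = None
            return False
        if hmac.compare_digest(submitted.encode(), code.encode()):
            self._pending = None  # burn the code so it cannot be replayed
            return True
        self._pending[2] -= 1     # count the failed guess
        return False

if __name__ == "__main__":
    login = TwoFactorLogin("correct horse")
    code = login.start("correct horse")
    print("second factor accepted:", login.finish(code))
```

The expiry, single-use and attempt-limit checks matter because a six-digit code has only a million possible values.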
Access control refers to frameworks and tools that control who can access which resources. Perhaps the most basic example of access control is a computer that requires you to enter a username and password before you can log in, but access control can be much more sophisticated than this.
You can use access control tools to grant certain users access to certain files, but restrict access for others. Access control frameworks like AWS IAM have also become key tools for securing cloud-based infrastructure.
Compliance and Security Audits
Compliance and security audits are another important concept to understand in order to start creating a data security policy.
Compliance refers to standards set by a regulatory body, such as a government agency or an industry group, which you must meet in order to avoid unhappy consequences — such as fines in the case of government-backed compliance frameworks, or being banned from working with other companies in your industry in the case of compliance frameworks created by industry organizations.
GDPR and PCI DSS are two of the most widely applicable data security compliance frameworks today, but there are plenty of others that apply to specific industries.
A compliance audit is a process that ensures that you are meeting regulatory requirements as they relate to IT security. An audit could be conducted internally (or by an organization that your company hires to do an internal review) for your own review purposes prior to a formal compliance audit. An official compliance audit is generally conducted by an outside organization with the ability to enforce penalties if you are found not to be compliant.
Security audits may also be required by corporate auditors in order to ensure that your systems meet established criteria. Regular security assessments should be standard best practice for IT organizations. At the corporate level, audits may be required to assure management or investors that systems and data are protected from security breaches.