Ankita_Kashyap 1
SECURITY
Definition
Security is “The quality or state of being secure to be free from danger.” In other words,
protection against adversaries—from those who would do harm, intentionally or
otherwise—is the objective. National security, for example, is a multilayered system that
protects the sovereignty of a state, its assets, its resources, and its people. Achieving the
appropriate level of security for an organization also requires a multifaceted system.
A successful organization has multiple layers of security in place to protect its
operations:-
• Physical security, to protect physical items, objects, or areas from unauthorized
access and misuse
• Personnel security, to protect the individual or group of individuals who are
authorized to access the organization and its operations
• Operations security, to protect the details of a particular operation or series of
activities
• Communications security, to protect communications media, technology, and
content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity and availability of
information assets, whether in storage, processing, or transmission. It is achieved
via the application of policy, education, training and awareness, and technology.
Eg.
In a time when mobility is the present and future of IT, allowing employees to access a
network from a remote location, like their home or a project site, can increase the value
of the network and efficiency of the employee. Unfortunately, remote access to a
network also opens a number of vulnerabilities and creates difficult security challenges
for a network administrator.
As companies make an effort to adapt to the new, mobile IT world, fundamental
business operations increasingly rely on the Internet, leaving them exposed to
growing threats. Today we all need to continually address spam and viruses,
which plague email worldwide, and spyware that attaches itself to users' PCs even
through innocent Web surfing.
Personal Data
Personal data are defined in the Data Protection Act, as follows: -
"data which relate to a living individual who can be identified: -
* from those data; or
* from those data and other information which is in the possession of, or is likely to
come into the possession of, the data controller and includes any expression of opinion
about the individual and any indication of the intentions of the data controller or any
other person in respect of the individual".
The DPA applies to all personal data relating to living individuals, including names,
addresses, etc. The DPA also distinguishes between "ordinary" personal data and
sensitive personal data, imposing more stringent conditions for processing the latter.
Sensitive personal data consists of information as to:
• racial or ethnic origin;
• political opinions;
• religious beliefs or other beliefs of a similar nature;
• membership of a trade union;
• physical or mental health;
• the commission, or alleged commission of, any offence; and
• any proceedings for any offence committed or alleged to have been committed
and the outcome of such proceedings.
Sensitive personal data does not include financial records or other information that
individuals may regard as private or confidential.
The DPA applies to data held on computers and to manual data, such as paper files,
which is structured either by reference to individuals or to criteria relating to individuals
where that personal data is readily accessible. Where personal data in manual folders or
documents is not readily accessible (for example, a box of documents that are in no
particular order), the DPA may not apply, meaning that the data subject is not entitled
to inspect their personal data further to a subject access request. These are discussed
further below.
Data Security
Definition
Data security is the process of protecting information systems and their data from
unauthorized accidental or intentional modification, destruction or disclosure. The
protection includes the confidentiality, integrity and availability of these systems and
data.
Risk assessment, mitigation and measurement are key components of data security. To
maintain a secure environment, data security protocols require that any changes to data
systems have an audit trail, which identifies the individual, department, time and date
of any system change. Companies utilize personnel, policies, protocols, standards,
procedures, software, hardware and physical security measures to attain data security.
Data security may include one or a combination of all of these.
Data security is not confined to the Information Services or Information Technology
departments, but will involve various stakeholders including senior management, the
board of directors, regulators, internal and external auditors, partners, suppliers and
shareholders.
Data security encompasses the security of the Information System in its entirety.
The U.S. National Information Systems Security Glossary defines Information Systems
Security (INFOSEC) as: “The protection of information systems against unauthorized
access to or modification of information, whether in storage, processing or transit,
and against the denial of service to authorized users or the provision of service to
unauthorized users, including those measures necessary to detect, document, and
counter such threats.”
Protecting data from unauthorized access is one component of data security that
receives a great deal of attention. Data protection is not only a corporate
concern; it is a high-priority consumer interest as well. Data can be
protected against unauthorized access through a variety of mechanisms. Passwords,
digital certificates and biometric techniques all provide a more secure method to access
data. Once the user has been authorized or authenticated, sensitive
information can be encrypted to prevent spying or theft. However, even the most
sophisticated data security programs and measures cannot prevent human error.
Security safeguards must be adhered to and protected to be effective.
Information is typically categorized as being in either a structured format or an
unstructured format. The meaning of these terms is subject to different interpretations
by divergent groups.
Unstructured Data
Structured data is data that conforms to some sort of strict data model and is confined
by that model. The model might define a business process that controls the flow of
information across a range of service-oriented architecture (SOA) systems.
Database Security Concepts
Architecturally, relational databases function in a client-server manner (although they
can certainly be used as part of multitier applications). That is, a client computer,
application, or user can only communicate directly with the database services that are
running. They cannot directly access the database files, as can be done with “desktop”
database systems, such as Microsoft Access. This is an important point, since it allows
security configuration and management to occur at the database level, instead of leaving
that responsibility to users and applications.
Databases can be used in various capacities, including:
• Application support:
Ranging from simple employee lists to enterprise-level tracking software, relational
databases are the most commonly used method for storing data. Through the use of
modern databases, users and developers can rely on security, scalability, and
recoverability features.
• Secure storage of sensitive information:
Relational databases offer one of the most secure methods of centrally storing important
data. As we’ll see throughout this chapter, there are many ways in which access to data
can be defined and enforced. These methods can be used to meet legislative
requirements in regulated industries (for example, the HIPAA standard for storing and
transferring healthcare-related information) and generally for storing important data.
• Online transaction processing (OLTP):
OLTP services are often the most common functions of databases in many
organizations. These systems are responsible for receiving and storing information that
is accessed by client applications and other servers. OLTP databases are characterized
by having a high level of data modification (inserting, updating, and deleting rows).
Therefore, they are optimized to support dynamically changing data. Generally, they
store large volumes of information that can balloon very quickly if not managed
properly.
• Data warehousing:
Many organizations go to great lengths to collect and store as much information as
possible. But what good is this information if it can’t easily be analyzed? The primary
business reason for storing many types of information is to use this data eventually to
help make business decisions. Although reports can be generated against OLTP
databases, there are several potential problems: Reports might take a long time to run,
and thus tax system resources. If reports are run against a production OLTP server,
overall system performance can be significantly decreased. OLTP servers are not
optimized for the types of queries used in reporting, thus making the problem worse.
Reporting requirements are very different. In reporting systems, the main type of
activity is data analysis. OLTP systems get bogged down when the amount of data in the
databases gets very large. Therefore, production OLTP data must often be archived to
other media or stored in another data repository. Relational database platforms can
serve as a repository for information collected from many different data sources within
an organization. This database can then be used for centralized reporting and by
“decision support” systems.
Database Security Layers
Server-Level Security
A database application is only as secure as the server it is running on. Therefore,
it’s important to start considering security settings at the level of the physical
server or servers on which your databases will be hosted. In smaller, simple
configurations, you might need to secure only a single machine. Larger
organizations will likely have to make accommodations for many servers. These
servers may be geographically distributed and even arranged in complex
clustered configurations. One of the first steps you should take in order to secure
a server is to determine which users and applications should have access to it.
Modern database platforms are generally accessible over a network, and most
database administration tasks can be performed remotely. Therefore, other than
for purposes of physically maintaining database hardware, there’s little need for
anyone to have direct physical access to a database. It’s also very important to
physically protect databases in order to prevent unauthorized users from
accessing database files and data backups. If an unauthorized user can get
physical access to your servers, it’s much more difficult to protect against further
breaches.
Network-Level Security
Databases work with their respective operating system platforms to serve users
with the data they need. Therefore, general operating system and network-level
security also applies to databases. If the underlying platform is not secure, this
can create significant vulnerabilities for the database. Since they are designed as
network applications, you must take reasonable steps to ensure that only specific
clients can access these machines. Some standard “best practices” for securing
databases include limiting the networks and/or network addresses that have
direct access to the computer. For example, you might implement routing rules
and packet filtering to ensure that only specific users on your internal network
will even be able to communicate with a server.
Of course, few real-world databases work alone. Generally, these systems are
accessed directly by users, and often by mission-critical applications. Later in this
chapter, we’ll look at some methods for mitigating risks related to Internet-
accessible applications.
Data Encryption
Another method for ensuring the safety of database information is to use
encryption. Most modern databases support encrypted connections between the
client and the server. Although these protocols can sometimes add significant
processing and data transfer overhead (especially for large result sets or very
busy servers), the added security may be required in some situations.
Additionally, through the use of virtual private networks (VPNs), systems
administrators can ensure that sensitive data remains protected during transit.
Depending on the implementation, VPN solutions can provide the added benefit
of allowing network administrators to implement security without requiring
client or server reconfiguration.
Operating System Security
On most platforms, database security goes hand in hand with operating system
security. Network configuration settings, file system permissions, authentication
mechanisms, and operating system encryption features can all play a role in
ensuring that databases remain secure. For example, on Windows-based
operating systems, only the NTFS file system offers any level of file system
security (FAT and FAT32 partitions do not provide any file system security at all).
In environments that use a centralized directory services infrastructure, it’s
important for systems administrators to keep permissions settings up to date and
to ensure that unnecessary accounts are deactivated as soon as possible.
Fortunately, many modern relational database platforms can leverage the
strengths of the operating systems that they run on.
Database Backup and Recovery
An integral part of any overall database security strategy should be providing for
database backup and recovery. Backups serve many different purposes. Most
often, it seems that systems administrators perform backups to protect
information in the case of server hardware failures. Although this is a very real
danger in most environments, it’s often not the most likely. Data can be lost due
to accidental human errors, flawed application logic, defects in the database or
operating system platform, and, of course, malicious users who are able to
circumvent security measures. In the event that data is incorrectly modified or
destroyed altogether, the only real method to recover information is from
backups.
Since all relational database systems provide some method for performing
database backups while a server is still running, there isn’t much of an excuse for
not implementing backups. The real challenge is in determining what backup
strategies apply to your own environment. You’ll need to find out what your
working limitations are. This won’t be an easy task, even in the best-managed
organizations. It involves finding information from many different individuals
and departments within your organization. You’ll have to work hard to find
existing data, and make best guesses and estimates for areas in which data isn’t
available.
To further complicate issues, there are many constraints in the real world that
can affect the implementation of backup processes. First, resources such as
storage space, network bandwidth, processing time, and local disk I/O bandwidth
are almost always limited. Additionally, human resources—especially
knowledgeable and experienced database administrators—may be difficult to
find. And, performance requirements, user load, and other factors can prevent
you from taking all the time you need to implement an ideal backup solution.
Types of Database Backups
In an ideal world, you would have all of the resources you need to back up all of
your data almost instantly. However, in the real world, large databases and
performance requirements can often constrain the operations that can be
performed (and when they can be performed). Therefore, you’ll need to make
some compromises. For example, instead of backing up all of your data hourly,
you might have to resort to doing full backups once per week and smaller
backups on other days. Although the terminology and features vary greatly
between relational database platforms, the following types of backups are
possible on most systems:
• Full backups
This type of backup consists of making a complete copy of all of the data in a
database. Generally, the process can be performed while a database is up and
running. On modern hardware, the performance impact of full backups may be
almost negligible. Of course, it’s recommended that database administrators test
the performance impact of backups before implementing an overall schedule.
Full backups are the basis for all other types of backups. If disk space constraints
allow it, it is recommended to perform full backups frequently.
• Differential backups
This type of backup consists of copying all of the data that has changed since the
last full backup. Since differential backups contain only changes, the recovery
process involves first restoring the latest full backup and then restoring the latest
differential backup. Although the recovery process involves more steps (and is
more time-consuming), the use of differential backups can greatly reduce the
amount of disk storage space and backup time required to protect large
databases.
• Transaction log backups
Relational database systems are designed to support multiple concurrent updates
to data. In order to manage contention and to ensure that all users see data that
is consistent to a specific point in time, data modifications are first written to a
transaction log file. Periodically, the transactions that have been logged are then
committed to the actual database. Database administrators can choose to
perform transaction log backups fairly frequently, since they only contain
information about transactions that have occurred since the last backup. The
major drawback to implementing transaction log backups is that, in order to
recover a database, the last full (or differential) backup must be restored. Then,
the unbroken chain of sequential transaction log files must be applied.
Depending on the frequency of full backups, this might take a significant amount
of time. However, transaction log backups also provide one extremely important
feature that other backup types do not: point-in-time recovery. What this means
is that, provided that backups have been implemented properly, database
administrators can roll a database back to a specific point in time. For example, if
you learn that an incorrect or unauthorized database transaction was performed
at 3:00 p.m. on Friday, you will be able to restore the database to a point in time
just before that transaction occurred. The end result is minimal data loss.
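The restore order described above, worked through as an added example (not part of the original slides): the planner picks the latest full backup, the newest differential taken after it, and then every transaction log backup up to the target time, refusing to continue if the log chain has a gap. The catalog, backup names and sequence numbers are constructed, and the `first_seq`/`last_seq` fields are a simplified stand-in for the log positions a real platform records.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Backup:
    name: str
    kind: str            # "full", "diff" or "log"
    finished: datetime   # completion time of the backup
    last_seq: int        # last log record covered by this backup
    first_seq: int = 0   # log backups only: log position the backup starts from


class ChainError(Exception):
    """The requested point in time cannot be reached from the catalog."""


def plan_restore(catalog: List[Backup], target: datetime) -> List[str]:
    """Return backup names in restore order to reach `target`.

    The last log in the plan is the one to restore with a stop-at time.
    """
    fulls = [b for b in catalog if b.kind == "full" and b.finished <= target]
    if not fulls:
        raise ChainError("no full backup finished before the target time")
    full = max(fulls, key=lambda b: b.finished)

    # A differential holds everything changed since the last full backup,
    # so only the newest one between that full and the target is needed.
    diffs = [b for b in catalog
             if b.kind == "diff" and full.finished < b.finished <= target]
    base = max(diffs, key=lambda b: b.finished) if diffs else full
    plan = [full.name] if base is full else [full.name, base.name]

    position, reached = base.last_seq, base.finished
    if reached == target:
        return plan
    logs = sorted((b for b in catalog if b.kind == "log"),
                  key=lambda b: b.first_seq)
    for log in logs:
        if log.last_seq <= position:
            continue                      # already contained in the base backup
        if log.first_seq > position:      # a log backup is missing: chain is broken
            raise ChainError(
                f"log chain broken before {log.name}; "
                f"latest recoverable point is {reached:%Y-%m-%d %H:%M}")
        plan.append(log.name)
        position, reached = log.last_seq, log.finished
        if log.finished >= target:        # this log contains the target time
            return plan
    raise ChainError(
        "no log backup covers the target; "
        f"latest recoverable point is {reached:%Y-%m-%d %H:%M}")


def sample_catalog() -> List[Backup]:
    """Constructed catalog: weekly full, daily differential, periodic logs."""
    d = datetime
    return [
        Backup("full_sun", "full", d(2024, 3, 3, 1, 0), last_seq=1000),
        Backup("diff_thu", "diff", d(2024, 3, 7, 1, 0), last_seq=5000),
        Backup("diff_fri", "diff", d(2024, 3, 8, 1, 0), last_seq=6000),
        Backup("log_thu_1800", "log", d(2024, 3, 7, 18, 0), 5900, first_seq=5400),
        Backup("log_fri_0600", "log", d(2024, 3, 8, 6, 0), 6200, first_seq=5900),
        Backup("log_fri_1000", "log", d(2024, 3, 8, 10, 0), 6500, first_seq=6200),
        Backup("log_fri_1400", "log", d(2024, 3, 8, 14, 0), 6800, first_seq=6500),
        Backup("log_fri_1800", "log", d(2024, 3, 8, 18, 0), 7100, first_seq=6800),
    ]


# Constructed target: just before a 3:00 p.m. Friday transaction, as in the text.
TARGET = datetime(2024, 3, 8, 14, 59)

if __name__ == "__main__":
    print(plan_restore(sample_catalog(), TARGET))
```

Removing a single log backup from the catalog makes the planner stop at the last point it can actually reach, which is why log backups need to be retained and verified as a set.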
Database Auditing and Monitoring
The idea of accountability is an important one when it comes to network and
database security. The process of auditing involves keeping a log of data
modifications and permissions usage. Often, users that are attempting to
overstep their security permissions (or users that are unauthorized altogether)
can be detected and dealt with before significant damage is done; or, once data
has been tampered with, auditing can provide details about the extent of loss or
data changes. There’s another benefit to implementing auditing: when users
know that certain actions are being tracked, they might be less likely to attempt
to snoop around your databases. Thus, this technique can serve as a deterrent.
Unfortunately, in many environments, auditing is overlooked.
Though it won’t necessarily prevent users from modifying information, auditing
can be a very powerful security tool. Most relational databases provide you with
the ability to track specific actions based on user roles or to track actions on
specific database objects.
Although auditing can provide an excellent way to track detailed actions,
sometimes you just want to get a quick snapshot of who’s using the server and for
what purpose. Most databases provide easy methods for viewing this information
(generally through graphical utilities). You may be able to get a quick snapshot of
current database activity or view any long-running transactions that are currently
in process.
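An audit trail of the kind described here and in the Data Security definition (individual, department, time and date of each change), as an added example that is not part of the original slides. It uses SQLite triggers from Python; the table names, the `session_ctx` identity table and the sample employee row are assumptions made for illustration, since SQLite has no database users of its own.

```python
import sqlite3

SCHEMA = """
CREATE TABLE session_ctx (            -- hypothetical: who is acting on this connection
    id INTEGER PRIMARY KEY CHECK (id = 1),
    actor TEXT NOT NULL,
    department TEXT NOT NULL
);
CREATE TABLE employee (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    salary INTEGER NOT NULL
);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor TEXT NOT NULL,
    department TEXT NOT NULL,
    action TEXT NOT NULL,
    row_id INTEGER NOT NULL,
    old_salary INTEGER,
    new_salary INTEGER
);
-- Every salary change is recorded; a change with no known actor is rejected.
CREATE TRIGGER employee_audit_update AFTER UPDATE OF salary ON employee
BEGIN
    SELECT RAISE(ABORT, 'change rejected: no session identity')
    WHERE NOT EXISTS (SELECT 1 FROM session_ctx);
    INSERT INTO audit_log (actor, department, action, row_id, old_salary, new_salary)
    SELECT actor, department, 'UPDATE', OLD.id, OLD.salary, NEW.salary
    FROM session_ctx;
END;
CREATE TRIGGER employee_audit_delete AFTER DELETE ON employee
BEGIN
    SELECT RAISE(ABORT, 'change rejected: no session identity')
    WHERE NOT EXISTS (SELECT 1 FROM session_ctx);
    INSERT INTO audit_log (actor, department, action, row_id, old_salary)
    SELECT actor, department, 'DELETE', OLD.id, OLD.salary FROM session_ctx;
END;
-- The log itself is append-only: existing entries cannot be edited or removed.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the audit schema and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO employee VALUES (1, 'Constructed Employee', 50000)")
    conn.commit()
    return conn


def set_identity(conn: sqlite3.Connection, actor: str, department: str) -> None:
    """Record who the application authenticated for this connection."""
    conn.execute(
        "INSERT OR REPLACE INTO session_ctx (id, actor, department) VALUES (1, ?, ?)",
        (actor, department))


def attempt(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> bool:
    """Run a statement; return False if a trigger rejected it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.DatabaseError:
        return False


def audit_rows(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT actor, department, action, row_id, old_salary, new_salary "
        "FROM audit_log ORDER BY seq").fetchall()


if __name__ == "__main__":
    db = open_db()
    print("anonymous update accepted:",
          attempt(db, "UPDATE employee SET salary = 1 WHERE id = 1"))
    set_identity(db, "alice", "payroll")
    attempt(db, "UPDATE employee SET salary = ? WHERE id = 1", (55000,))
    print("log tampering accepted:", attempt(db, "DELETE FROM audit_log"))
    for row in db.execute("SELECT * FROM audit_log"):
        print(row)
```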
The Data Protection Principles
• Personal data shall be processed fairly and lawfully and shall not be processed
unless certain conditions are met (set out in schedules 2 and 3 to the DPA).
• Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which it is processed.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data processed for any purpose or purposes shall not be kept for longer
than is necessary for that purpose or those purposes.
• Personal data shall be processed in accordance with the rights of data subjects
under the DPA.
• Appropriate technical and organizational measures shall be taken against
unauthorized or unlawful processing of personal data and against accidental loss
or destruction of, or damage to, personal data.
• Personal data shall not be transferred to a country or territory outside the EEA
unless that country or territory ensures an adequate level of protection for the
rights and freedoms of data subjects in relation to the processing of personal
data.
The Eight Data Protection Act Principles
The act contains eight “Data Protection Principles”. These specify that personal data
must be:
• Processed fairly and lawfully.
• Obtained for specified and lawful purposes.
• Adequate, relevant and not excessive.
• Accurate and up to date.
• Not kept any longer than necessary.
• Processed in accordance with the “data subject’s” (the individual’s) rights.
• Securely kept.
• Not transferred to any other country without adequate protection in situ.
Data Collection
When collecting personal data make sure that people know:
1. Who you are
2. What the data will be used for
3. To whom it will be disclosed.
This information can often be provided on an application form or similar. It is equally
important NOT to collect more personal data than is actually needed.
Handling Data
When handling, collecting, processing or storing personal data, ensure that:
1. All personal data is both accurate and up to date
2. Errors are corrected effectively and promptly
3. The data is deleted/destroyed when it is no longer needed
4. The personal data is kept secure at all times (protecting from unauthorized disclosure
or access)
5. The Data Protection Act is considered when setting up new systems or when
considering use of the data for a new purpose. Note that this may affect the existing
registration with the Data Protection Authority
6. Written contracts are used when external bodies process/handle the data explicitly
specifying the above requirements with respect to the data
It is equally important NOT to:
1. Access personal data that you do not need for your work
2. Use the data for any purpose it was not explicitly obtained for
3. Keep data that would embarrass or damage YOUR-COMPANY if disclosed (eg: via a
subject access request – see below)
4. Transfer personal data outside of the European Economic Area unless you are certain
you are entitled to or consent from the individual concerned has been obtained
5. Store/process/handle sensitive personal data (see below) unless you are certain you are
entitled to or consent from the individual concerned has been obtained
Subject Access
Individuals to whom the data relates have various rights:
1. To receive on request details of the processing relating to themselves. This includes
any information about themselves including information regarding the source of the
data and about the logic of certain “fully automated decisions”
2. To have any inaccurate data corrected or removed in a timely fashion
3. In certain circumstances to stop processing likely to cause “substantial damage or
substantial distress”.
4. To prevent their data being used for advertising or marketing
5. Not to be subject to certain “fully automated decisions” if they significantly affect
him/her.
When a subject access request is received, it is important to act promptly and effectively
as certain time scales are imposed regarding response.
('Sensitive Data' means data pertaining to: racial or ethnic origin; religious or similar
beliefs; trade union membership; physical or mental health or sexual life; political
opinions; criminal offences. This data may only be held in strictly defined situations or
where explicit consent has been obtained.
'Data Controller' is a person who determines the purposes for which and the manner in
which any personal data are, or are to be, processed.
'Subject Access' is the right of individuals to have access to the data about them and
other related information.
'Notification' is the process of notifying the Data Protection Authority of the purposes
for which personal data is held/processed.)

Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Information security
Information securityInformation security
Information security
 
Unit 5 v2
Unit 5 v2Unit 5 v2
Unit 5 v2
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 
internet security and cyber lawUnit1
internet security and  cyber lawUnit1internet security and  cyber lawUnit1
internet security and cyber lawUnit1
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptx
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
DG for Fed
DG for FedDG for Fed
DG for Fed
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
Encrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdfEncrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdf
 
It seminar isr
It seminar isrIt seminar isr
It seminar isr
 
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATIONHOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
 
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docxDATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
DATA PROTECTION IMPACT ASSESSMENT TEMPLATE (ODPC).docx
 
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docxRunning head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
 
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docxRunning head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
Running head DATA INTEGRITY THREATS TO ORGANIZATIONS1DATA INTE.docx
 

Dernier

Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 

Dernier (20)

Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 

Data Security

  • 1. Ankita_Kashyap 1
SECURITY
Definition
Security is “The quality or state of being secure to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.
A successful organization has multiple layers of security in place to protect its operations:
      • Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
      • Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
      • Operations security, to protect the details of a particular operation or series of activities
      • Communications security, to protect communications media, technology, and content
      • Network security, to protect networking components, connections, and contents
      • Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
E.g.
  • 2. In a time when mobility is the present and future of IT, allowing employees to access a network from a remote location, like their home or a project site, can increase the value of the network and the efficiency of the employee. Unfortunately, remote access to a network also opens a number of vulnerabilities and creates difficult security challenges for a network administrator.
As companies make an effort to adapt to the new, mobile IT world, fundamental business operations increasingly rely on the Internet, leaving them exposed to growing threats. Today we all need to continually address spam and viruses, which plague email worldwide, and spyware that attaches itself to users' PCs even through innocent Web surfing.
  • 3. Personal Data
Personal data are defined in the Data Protection Act (DPA) as follows:
"data which relate to a living individual who can be identified:
      • from those data; or
      • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".
The DPA applies to all personal data relating to living individuals, including names, addresses, etc. The DPA also distinguishes between "ordinary" personal data and sensitive personal data, imposing more stringent conditions for processing the latter. Sensitive personal data consists of information as to:
      • racial or ethnic origin;
      • political opinions;
      • religious beliefs or other beliefs of a similar nature;
      • membership of a trade union;
      • physical or mental health;
      • the commission, or alleged commission of, any offence; and
      • any proceedings for any offence committed or alleged to have been committed and the outcome of such proceedings.
Sensitive personal data does not include financial records or other information that individuals may regard as private or confidential.
The DPA applies to data held on computers and to manual data, such as paper files, which is structured either by reference to individuals or to criteria relating to individuals where that personal data is readily accessible. Where personal data in manual folders or documents is not readily accessible (for example, a box of documents that are in no particular order), the DPA may not apply, meaning that the data subject is not entitled to inspect their personal data further to a subject access request. These are discussed further below.
  • 4. Data Security
Definition
Data security is the process of protecting information systems and their data from unauthorized accidental or intentional modification, destruction or disclosure. The protection includes the confidentiality, integrity and availability of these systems and data.
Risk assessment, mitigation and measurement are key components of data security. To maintain a secure environment, data security protocols require that any changes to data systems have an audit trail, which identifies the individual, department, time and date of any system change.
Companies utilize personnel, policies, protocols, standards, procedures, software, hardware and physical security measures to attain data security. Data security may include one or a combination of all of these. Data security is not confined to the Information Services or Information Technology departments, but will involve various stakeholders including senior management, the board of directors, regulators, internal and external auditors, partners, suppliers and shareholders. Data security encompasses the security of the Information System in its entirety.
The U.S. National Information Systems Security Glossary defines Information Systems Security (INFOSEC) as: “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
Protecting data from unauthorized access is one component of data security that receives a great deal of attention. The concern for data protection extends beyond corporate concerns; it is a high-priority consumer interest as well. Data can be protected against unauthorized access through a variety of mechanisms. Passwords, digital certificates and biometric techniques all provide a more secure method to access data. Once the user has been authorized or authenticated, sensitive information can be encrypted to prevent spying or theft. However, even the most sophisticated data security programs and measures cannot prevent human error. Security safeguards must be adhered to and protected to be effective.
Information is typically categorized as being in either a structured format or an unstructured format. The meaning of these terms is subject to different interpretations by divergent groups.
  • 5. Unstructured Data
Structured data is data that conforms to some sort of strict data model and is confined by that model. The model might define a business process that controls the flow of information across a range of service-oriented architecture (SOA) systems.
Database Security Concepts
Architecturally, relational databases function in a client-server manner (although they can certainly be used as part of multitier applications). That is, a client computer, application, or user can only communicate directly with the database services that are running. They cannot directly access the database files, as can be done with “desktop” database systems, such as Microsoft Access. This is an important point, since it allows security configuration and management to occur at the database level, instead of leaving that responsibility to users and applications.
Databases can be used in various capacities, including:
      • Application support: Ranging from simple employee lists to enterprise-level tracking software, relational databases are the most commonly used method for storing data. Through the use of modern databases, users and developers can rely on security, scalability, and recoverability features.
      • Secure storage of sensitive information: Relational databases offer one of the most secure methods of centrally storing important data. As we’ll see throughout this chapter, there are many ways in which access to data can be defined and enforced. These methods can be used to meet legislative requirements in regulated industries (for example, the HIPAA standard for storing and transferring healthcare-related information) and generally for storing important data.
      • Online transaction processing (OLTP): OLTP services are often the most common functions of databases in many organizations. These systems are responsible for receiving and storing information that is accessed by client applications and other servers. OLTP databases are characterized by having a high level of data modification (inserting, updating, and deleting rows). Therefore, they are optimized to support dynamically changing data. Generally, they store large volumes of information that can balloon very quickly if not managed properly.
  • 6.
      • Data warehousing: Many organizations go to great lengths to collect and store as much information as possible. But what good is this information if it can’t easily be analyzed? The primary business reason for storing many types of information is to use this data eventually to help make business decisions. Although reports can be generated against OLTP databases, there are several potential problems: Reports might take a long time to run, and thus tax system resources. If reports are run against a production OLTP server, overall system performance can be significantly decreased. OLTP servers are not optimized for the types of queries used in reporting, thus making the problem worse. Reporting requirements are very different. In reporting systems, the main type of activity is data analysis. OLTP systems get bogged down when the amount of data in the databases gets very large. Therefore, production OLTP data must often be archived to other media or stored in another data repository. Relational database platforms can serve as a repository for information collected from many different data sources within an organization. This database can then be used for centralized reporting and by “decision support” systems.
Database Security Layers
Server-Level Security
A database application is only as secure as the server it is running on. Therefore, it’s important to start considering security settings at the level of the physical server or servers on which your databases will be hosted. In smaller, simple configurations, you might need to secure only a single machine. Larger organizations will likely have to make accommodations for many servers. These servers may be geographically distributed and even arranged in complex clustered configurations.
One of the first steps you should take in order to secure a server is to determine which users and applications should have access to it. Modern database platforms are generally accessible over a network, and most database administration tasks can be performed remotely. Therefore, other than for purposes of physically maintaining database hardware, there’s little need for anyone to have direct physical access to a database. It’s also very important to physically protect databases in order to prevent unauthorized users from accessing database files and data backups. If an unauthorized user can get physical access to your servers, it’s much more difficult to protect against further breaches.
  • 7. Network-Level Security
Databases work with their respective operating system platforms to serve users with the data they need. Therefore, general operating system and network-level security also applies to databases. If the underlying platform is not secure, this can create significant vulnerabilities for the database. Since databases are designed as network applications, you must take reasonable steps to ensure that only specific clients can access these machines. Some standard “best practices” for securing databases include limiting the networks and/or network addresses that have direct access to the computer. For example, you might implement routing rules and packet filtering to ensure that only specific users on your internal network will even be able to communicate with a server.
Of course, few real-world databases work alone. Generally, these systems are accessed directly by users, and often by mission-critical applications. Later in this chapter, we’ll look at some methods for mitigating risks related to Internet-accessible applications.
Data Encryption
Another method for ensuring the safety of database information is to use encryption. Most modern databases support encrypted connections between the client and the server. Although these protocols can sometimes add significant processing and data transfer overhead (especially for large result sets or very busy servers), the added security may be required in some situations. Additionally, through the use of virtual private networks (VPNs), systems administrators can ensure that sensitive data remains protected during transit. Depending on the implementation, VPN solutions can provide the added benefit of allowing network administrators to implement security without requiring client or server reconfiguration.
Operating System Security
On most platforms, database security goes hand in hand with operating system security. Network configuration settings, file system permissions, authentication mechanisms, and operating system encryption features can all play a role in ensuring that databases remain secure. For example, on Windows-based operating systems, only the NTFS file system offers any level of file system security (FAT and FAT32 partitions do not provide any file system security at all). In environments that use a centralized directory services infrastructure, it’s important for systems administrators to keep permissions settings up to date and to ensure that unnecessary accounts are deactivated as soon as possible. Fortunately, many modern relational database platforms can leverage the strengths of the operating systems that they run on.
  • 8. Database Backup and Recovery
An integral part of any overall database security strategy should be providing for database backup and recovery. Backups serve many different purposes. Most often, it seems that systems administrators perform backups to protect information in the case of server hardware failures. Although this is a very real danger in most environments, it’s often not the most likely. Data can be lost due to accidental human errors, flawed application logic, defects in the database or operating system platform, and, of course, malicious users who are able to circumvent security measures. In the event that data is incorrectly modified or destroyed altogether, the only real method to recover information is from backups.
Since all relational database systems provide some method for performing database backups while a server is still running, there isn’t much of an excuse for not implementing backups. The real challenge is in determining what backup strategies apply to your own environment. You’ll need to find out what your working limitations are. This won’t be an easy task, even in the best-managed organizations. It involves finding information from many different individuals and departments within your organization. You’ll have to work hard to find existing data, and make best guesses and estimates for areas in which data isn’t available.
To further complicate issues, there are many constraints in the real world that can affect the implementation of backup processes. First, resources such as storage space, network bandwidth, processing time, and local disk I/O bandwidth are almost always limited. Additionally, human resources—especially knowledgeable and experienced database administrators—may be difficult to find. And performance requirements, user load, and other factors can prevent you from taking all the time you need to implement an ideal backup solution.
Types of Database Backups
In an ideal world, you would have all of the resources you need to back up all of your data almost instantly. However, in the real world, large databases and performance requirements can often constrain the operations that can be performed (and when they can be performed). Therefore, you’ll need to make some compromises. For example, instead of backing up all of your data hourly, you might have to resort to doing full backups once per week and smaller backups on other days. Although the terminology and features vary greatly between relational database platforms,
  • 9. Ankita_Kashyap 9 The following types of backups are possible on most systems: • Full backups This type of backup consists of making a complete copy of all of the data in a database. Generally, the process can be performed while a database is up and running. On modern hardware, the performance impact of full backups may be almost negligible. Of course, it’s recommended that database administrators test the performance impact of backups before implementing an overall schedule. Full backups are the basis for all other types of backups. If disk space constraints allow it, it is recommended to perform full backups frequently. • Differential backups This type of backup consists of copying all of the data that has changed since the last full backup. Since differential backups contain only changes, the recovery process involves first restoring the latest full backup and then restoring the latest differential backup. Although the recovery process involves more steps (and is more time-consuming), the use of differential backups can greatly reduce the amount of disk storage space and backup time required to protect large databases. • Transaction log backups Relational database systems are designed to support multiple concurrent updates to data. In order to manage contention and to ensure that all users see data that is consistent to a specific point in time, data modifications are first written to a transaction log file. Periodically, the transactions that have been logged are then committed to the actual database. Database administrators can choose to perform transaction log backups fairly frequently, since they only contain information about transactions that have occurred since the last backup. The major drawback to implementing transaction log backups is that, in order to recover a database, the last full (or differential) backup must be restored. Then, the unbroken chain of sequential transaction log files must be applied. 
Depending on the frequency of full backups, this might take a significant amount of time. However, transaction log backups also provide one extremely important feature that other backup types do not: point-in-time recovery. What this means is that, provided that backups have been implemented properly, database administrators can roll a database back to a specific point in time. For example, if you learn that an incorrect or unauthorized database transaction was performed at 3:00 p.m. on Friday, you will be able to restore the database to a point in time just before that transaction occurred. The end result is minimal data loss.
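The recovery order described above (latest full, then latest differential, then an unbroken run of transaction logs up to the chosen moment) can be worked out mechanically from a backup catalog. The following is an added example, not part of the original document; the names `Backup`, `plan_restore` and `sample_catalog` and all dates are constructed, and it assumes every differential is based on the most recent full backup.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Backup:
    kind: str        # "full", "diff" or "log"
    start: datetime  # log: start of the interval it covers; full/diff: same as end
    end: datetime    # moment the backup is consistent to

def plan_restore(catalog, target):
    """Ordered list of backups to restore so the database is at `target`."""
    fulls = [b for b in catalog if b.kind == "full" and b.end <= target]
    if not fulls:
        raise ValueError("no full backup exists before the target time")
    base = max(fulls, key=lambda b: b.end)
    plan = [base]
    # Only the latest differential is needed: it holds every change since the full.
    diffs = [b for b in catalog if b.kind == "diff" and base.end < b.end <= target]
    if diffs:
        plan.append(max(diffs, key=lambda b: b.end))
    covered = plan[-1].end
    logs = sorted((b for b in catalog if b.kind == "log" and b.end > covered),
                  key=lambda b: b.start)
    for log in logs:
        if covered >= target:
            break
        if log.start > covered:  # a missing log backup makes later ones unusable
            raise ValueError(f"log chain broken between {covered} and {log.start}")
        plan.append(log)         # the last log is replayed only up to `target`
        covered = log.end
    if covered < target:
        raise ValueError(f"log chain ends at {covered}, before the target")
    return plan

def at(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)  # constructed dates, March 2024

def sample_catalog():
    # Constructed catalog: full on Sunday, nightly differentials, hourly logs on Friday.
    cat = [Backup("full", at(3, 1), at(3, 1))]
    cat += [Backup("diff", at(day, 1), at(day, 1)) for day in range(4, 9)]
    cat += [Backup("log", at(8, h), at(8, h + 1)) for h in range(16)]
    return cat

if __name__ == "__main__":
    # Unauthorized transaction at 3:00 p.m. Friday: recover to 2:59 p.m.
    for b in plan_restore(sample_catalog(), at(8, 14, 59)):
        print(b.kind, b.end)
```

Running the same planner on a schedule against the real catalog is a cheap way to learn that a log backup is missing before a restore is actually needed.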
Database Auditing and Monitoring
The idea of accountability is an important one when it comes to network and database security. The process of auditing involves keeping a log of data modifications and permissions usage. Often, users that are attempting to overstep their security permissions (or users that are unauthorized altogether) can be detected and dealt with before significant damage is done; or, once data has been tampered with, auditing can provide details about the extent of loss or data changes. There’s another benefit to implementing auditing: when users know that certain actions are being tracked, they might be less likely to attempt to snoop around your databases. Thus, this technique can serve as a deterrent.
Unfortunately, in many environments, auditing is overlooked. Though it won’t necessarily prevent users from modifying information, auditing can be a very powerful security tool. Most relational databases provide you with the ability to track specific actions based on user roles or to track actions on specific database objects.
Although auditing can provide an excellent way to track detailed actions, sometimes you just want to get a quick snapshot of who’s using the server and for what purpose. Most databases provide easy methods for viewing this information (generally through graphical utilities). You may be able to get a quick snapshot of current database activity or view any long-running transactions that are currently in process.
The Data Protection Principles
 Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met (set out in schedules 2 and 3 to the DPA).
 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
 Personal data shall be accurate and, where necessary, kept up to date.
 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
 Personal data shall be processed in accordance with the rights of data subjects under the DPA.
 Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
 Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
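An added example for the Database Auditing and Monitoring section above (not part of the original document): a trigger-based audit trail on one specific table, built with Python's `sqlite3` module. The table names, the `session` table standing in for the database's own notion of the connected user, and the sample rows are all constructed for illustration; a server DBMS would use its native auditing and real login identities.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE session (username TEXT);            -- hypothetical: who is connected
CREATE TABLE audit_log (
    logged_at TEXT DEFAULT CURRENT_TIMESTAMP, username TEXT, action TEXT,
    row_id INTEGER, old_balance INTEGER, new_balance INTEGER);
-- Track modifications on one specific object (the accounts table).
CREATE TRIGGER audit_update AFTER UPDATE ON accounts BEGIN
    INSERT INTO audit_log (username, action, row_id, old_balance, new_balance)
    VALUES ((SELECT username FROM session), 'UPDATE', OLD.id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON accounts BEGIN
    INSERT INTO audit_log (username, action, row_id, old_balance, new_balance)
    VALUES ((SELECT username FROM session), 'DELETE', OLD.id, OLD.balance, NULL);
END;
-- The trail itself is append-only: rewriting or deleting entries is refused.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""

def run_as(db, username, sql, params=()):
    # Record the acting user, then run the statement; triggers read the session row.
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?)", (username,))
    db.execute(sql, params)

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "bob", 900)])   # constructed sample rows
    run_as(db, "clerk1", "UPDATE accounts SET balance = 450 WHERE id = 1")
    run_as(db, "clerk2", "UPDATE accounts SET balance = 0 WHERE id = 2")
    run_as(db, "clerk2", "DELETE FROM accounts WHERE id = 1")
    try:
        run_as(db, "clerk2", "DELETE FROM audit_log")       # the trail must refuse this
        wiped = True
    except sqlite3.DatabaseError:
        wiped = False
    trail = db.execute("SELECT username, action, row_id, old_balance, new_balance "
                       "FROM audit_log ORDER BY rowid").fetchall()
    return wiped, trail
```

The old and new values in each entry are what let an investigator establish the extent of the changes after the fact; anyone able to drop the triggers can still bypass the trail, so the right to alter the schema has to be restricted separately.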
The Eight Data Protection Act Principles
The act contains eight “Data Protection Principles”. These specify that personal data must be:
 Processed fairly and lawfully.
 Obtained for specified and lawful purposes.
 Adequate, relevant and not excessive.
 Accurate and up to date.
 Not kept any longer than necessary.
 Processed in accordance with the “data subject’s” (the individual’s) rights.
 Securely kept.
 Not transferred to any other country without adequate protection in situ.
Data Collection
When collecting personal data, make sure that people know:
1. Who you are
2. What the data will be used for
3. To whom it will be disclosed.
This information can often be provided on an application form or similar. It is equally important NOT to collect more personal data than is actually needed.
Handling Data
When handling, collecting, processing or storing personal data, ensure that:
1. All personal data is both accurate and up to date
2. Errors are corrected effectively and promptly
3. The data is deleted/destroyed when it is no longer needed
4. The personal data is kept secure at all times (protecting from unauthorized disclosure or access)
5. The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose. Note that this may affect the existing registration with the Data Protection Authority
6. Written contracts are used when external bodies process/handle the data, explicitly specifying the above requirements with respect to the data
It is equally important NOT to:
1. Access personal data that you do not need for your work
2. Use the data for any purpose it was not explicitly obtained for
3. Keep data that would embarrass or damage YOUR-COMPANY if disclosed (e.g. via a subject access request – see below)
4. Transfer personal data outside of the European Economic Area unless you are certain you are entitled to or consent from the individual concerned has been obtained
5. Store/process/handle sensitive personal data (see below) unless you are certain you are entitled to or consent from the individual concerned has been obtained
Subject Access
Individuals to whom the data relates have various rights:
1. To receive on request details of the processing relating to themselves. This includes any information about themselves, including information regarding the source of the data and about the logic of certain “fully automated decisions”
2. To have any inaccurate data corrected or removed in a timely fashion
3. In certain circumstances, to stop processing likely to cause “substantial damage or substantial distress”
4. To prevent their data being used for advertising or marketing
5. Not to be subject to certain “fully automated decisions” if they significantly affect him/her.
When a subject access request is received, it is important to act promptly and effectively, as certain time scales are imposed regarding response.
('Sensitive Data' means data pertaining to: racial or ethnic origin; religious or similar beliefs; trade union membership; physical or mental health or sexual life; political opinions; criminal offences. This data may only be held in strictly defined situations or where explicit consent has been obtained.
'Data Controller' is a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed.
'Subject Access' is the right of individuals to have access to the data about them and other related information.
'Notification' is the process of notifying the Data Protection Authority of the purposes for which personal data is held/processed.)