Data Protection is More than Access Control
This breach that has happened at Target will continue to unfold and we’ll learn from it and protect things differently because of it. One thing is clear, dataprotection is going to necessarily change. It simply must.
From the early information (we’ll see how it evolves over time), data was captured not by hacking into the database, not by illicit access, but rather somewhere out in front of the database. This means data in transit at best, and at worst, quite possibly data was compromised at the point of capture. While this has been done before, certainly not at scale.
What are we to do as data professionals? It comes down to protecting information each step of the way. While encryption at the database level is important, so is data in transit. This means as you capture and process information you need to take a step back and figure out how you protect that information. Do you need to capture the data? If not, don’t.
Do you have the right measures in place to protect what you are storing? Are there any intermediate steps the information takes as you work with it? It’s likely that there are. This includes things like payment processor gateways, storage systems, server arrays, etc. Some you can protect, others you cannot. But it’s time to start asking questions and see what’s possible. We’re going to have to lock down each touch point and consider how information is stored, protected and discarded.
Start with the "easy" things – encrypt information with SSL if you’re doing transactions (surely everyone is on this bandwagon, right?) – and encrypt information at-rest. This prevents the hacker from getting usable information. But, as you set these things up (or review things already in place) don’t just check the box that it was encrypted. There’s more to it than that. There are different types of encryption and some are prone to being far less effective than others. Learn about the different tools and best practices at each level.
How do you approach it? Identify your pain points. Set up a plan. Get executing. This isn’t something to shy away from because it’s tedious or a time consuming. This is something where you want to identify the tools, understand what’s needed and get a plan in motion. Today is a great time to start. If not today, how about later today?
We’ll be going into more information about protecting information, considerations and even processes for upgrading your data security. For now, get up to speed on managing keys, understanding what must be protected (either by statute or moral code) and figure out the first steps you need to take.