IHG, Arby’s, Chipotle, University of Washington, Anthem / Blue Cross Blue Shield, Verizon, Equifax, SEC, Deloitte, Whole Foods – these are just a few popular names on a long list of companies that had a data breach this year. As time goes on, data breaches seem to become more ubiquitous and more frequent.
So, what is a data breach? How does it affect you? What can you do as a user to keep your data secure? What can you do as an organization to prevent a data breach?
What is a Data Breach?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is unauthorized to do so.
The information that is leaked could be your credit card numbers, passwords, SSN, or any other information that you would consider as private. Therefore, data breaches could lead to credit card fraud, identity theft, or hacked user accounts.
There are several restrictions on how an organization handles sensitive information. The Payment Card Industry Data Security Standard (PCI DSS) dictates who may handle and use sensitive information such as credit card numbers, PINs, and account numbers.
The Health Insurance Portability and Accountability Act (HIPAA) regulates information access in the health care industry and restricts access to information such as Social Security numbers and health history information. When an organization fails to comply or experiences a data breach, they are imposed with heavy fines.
Steps Your Organization Can Take to Avoid a Data Breach
Here are steps an organization can take to avoid a data breach:
1. Build a secure network: The first step for a hacker to gain access to data is to breach into your network. Therefore, it is very important to have strong network security and spam/phishing detection mechanisms in place.
2. Encrypt your data (data encryption): A recent survey results show that about 60% of the companies that were subject to a data breach did not encrypt their data. Therefore, it is very important to encrypt data at rest and during transmission.
Today, there are multiple methods for encrypting data. At Key2 Consulting, we work primarily with Microsoft technologies. Therefore, in this blog I will be discussing several encryption mechanisms available in SQL Server 2016, as well as their pros and cons.
- Transparent Data Encryption (TDE): Transparent Data Encryption(TDE) encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files, known as “encrypting data at rest.” In a scenario where the physical media (such as a data drives or backup storage) is stolen, a malicious party can simply restore or attach the database and browse the data. One solution to the problem is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON;
- Dynamic Data Masking (DDM): Dynamic data masking limits (DDM) sensitive data exposure by masking it to non-privileged users. It can be used to greatly simplify the design and coding of security in your application. This feature was introduced in SQL server 2016 and it helps to mask string or numeric data partially or completely.
- Symmetric and Asymmetric Key Encryption: Both of these encryption methods are used to encrypt data at column level. In symmetric encryption, a same key is used to both encrypt and decrypt data. In asymmetric key encryption, a public or shared key is used to encrypt the data and a private key is used to decrypt the data. The key size determines the strength of encryption and the performance implication. In most cases, symmetric key encryption is used, but the symmetric keys are encrypted with asymmetric keys to achieve both strong encryption and better performance.
- Comparisons and Use Cases: TDE should be used on all the databases regardless of the data contained in them. This approach can be easily implemented with no impact to current processes or procedures. However, TDE in itself cannot secure data from all types of attacks, as all it takes is knowing one user’s password to gain access to data. Therefore, it is very important to encrypt highly sensitive information like SSN, Credit Card numbers, passwords, and so on at a column level using an asymmetric key pair. It should be noted that this type of encryption is resource intensive and should not be implemented on fields that do not require the highest level of security. Emails and phone numbers could be masked to prevent misuse by vendors or call centers. Remember that masking does not encrypt data and users can still run comparison against the masked field to get the desired result.
3. Train your employees: your network and your data is only as secure as your employee`s practices, so it is very important to coach your employees on the best practices periodically.
4. Encrypt data in transit: It is often a requirement to share data with clients periodically and a common misconception is that the data sent over a secured channel is secured. This is not true, and every file that is sent over the network needs to be encrypted.
5. Manages user privileges carefully: SQL server is a very powerful tool that empowers users to do a lot more than just query a database. For instance, you can do many file system tasks and even control network events. Therefore, it is very important to limit user access to only what they absolutely need.
Recommendations for Users
- As a user, it is always important to carefully review the privacy policies of the companies that you share your sensitive information with. It is very important to secure all your accounts with strong passwords and security measures. When possible, turn on two factor authentication for additional security and track unwanted activity.
To learn more about encryption and have a custom solution tailored towards your business needs, please reach out to us at firstname.lastname@example.org. If you have any questions, feel free to leave a comment below. Thanks for reading!