Data Security at all levels

Hello World, Hello Blog

Posted by Robin Ford on Saturday, October 11, 2025

In most organisations data is the primary source of value. Whether that data is the source code to the next big breakthrough, a list of opportunities and sales tactics, or a more traditional data set such as a back catalogue of music, how it is managed is critical to modern businesses, and losing that data brings major consequences.

This post, part of a series on security at all layers, focuses on the security of data. I'll look at how data can be protected in three states: At Rest (Store), In Transit (Move), and In Use (Access), and in three ways: Encryption, Permissions, and Resiliency.

When thinking about data security, it's important first to understand how and why you classify your data. Being able to categorise data then allows you to understand which security controls need to be in place. Often security is lax because it is seen as overly burdensome, especially when looking at data. As a result, "anyone can read anything, just in case" is often the fallback position to avoid extra complexity, cost, or delay. Being able to determine which controls are needed ensures that only the "barriers" that are needed are implemented.

I like to think of my storage technologies as a self-storage facility for my data. For some data I have a self-service location similar to shipping containers: cheap and dirty. For my crown jewels of data, such as PII or IP, I use a regulated and bonded storage facility. For everything else there are grades in between, each with different characteristics that force me to do things in a particular way.



Storage

Where and how you store data has a huge impact on how secure it can be. A file on an EBS volume can be managed differently to one on an EFS share or in an S3 bucket. However, the same principles can be applied and should hold true for whichever technology you choose, on-premises or in the cloud.

Whether in my container (S3) or bonded (Instance Store)

Encryption

Do I encrypt the storage or the data?

Permissions

Resiliency



Transit

The



Usage

The
