Protecting customer data is a complex topic, and many organizations are struggling to keep up. Even with money available in the budget, it can be hard to identify the highest advantage, lowest impact changes — yet, with the the pressure to do so increases on a daily basis.
Businesses who follow certain protocols when weighing digital security measures can increase security, lower risk and reduce deployment costs.
Before we get into how to protect sensitive data, keep in mind the most effective, cheapest and easiest way to protect data: don’t store it in the first place. If you don’t have the sensitive data, you can’t lose it. This can be done as a business decision or through the use of a tokenization provider, like Stripe or Braintree for credit card data. SafeNet and Vormetric, among other providers, offer more advanced solutions that allow for arbitrary tokenization of data.
If You Must Store ...
If you must store data, however, you must also protect it. Many compliance regimes, like the PCI-DSS, require this type of protection. All sensitive data should be protected using the TLS 1.2 protocol only. Older versions of TLS or SSL are not sufficient for protecting sensitive data.
Providers of APIs for mobile platforms rarely need to worry about extended validation (EV) certificates, but every endpoint should require encryption with modern cipher suites. Additionally, while browsers do a good job verifying these certificates out of the box, mobile developers must ensure that they validate the certificates in their code. Apple had taken strong steps with iOS 9 by making this the default rather than the exception.
Encryption Is Your Friend
Once data is stored in your environment, it must be encrypted to protect it both from external malicious access, as well as privileged insider access. While properly protecting data encompasses a much wider set of technologies, services and policies, good encryption is a strong tool for protecting data. When thinking of deploying encryption services, we generally divide the work into two groups: data at rest and data in transit.
Solutions like the one from Vormetric allow customers to create fine-grained policies to protect data and report on access. These systems can be backed by a Hardware Security Module (HSM) for strong key protection and auditability.
Another common recommendation is for customers to deploy multi-factor authentication. There are many companies, such as Duo Security, that have simple, easy to use platforms that allow for quick onboarding of your team and strong protection across a wide variety of platforms for a low cost. If customers want physical tokens, Duo’s partnership with YubiKey allows for inexpensive deployments.
Secure Your Environment
While deploying tools into the environment can have great benefits, it’s also important to make sure the environment itself is as hostile to intruders as possible.
This includes ensuring all tools are patched, especially critical third-party software like Java. Firewalls should be locked down to only allow connections from trusted machines and enforce encryption. Hosts should be hardened to leave as little attack surface as possible. The Center for Internet Security is a good resource, but many companies and open source projects provide great hardening guides.
Finally, organizations must assume that even the most modern security platforms will be breached. Zero-day and non-malware compromise platforms like CrowdStrike can be useful here, but require significant know-how. At a minimum, customers should collect and store the logs from their environment in an external store like Alert Logic’s Log Manager.
No Man is a (Security) Island
While the tools described above offer important capabilities in protecting a customer’s environment, it’s still the case that many customers have a difficult time selecting, purchasing, deploying and staffing these tools to get the best value.
Managed security providers can help in the area by providing high levels of expertise to bear when designing systems. With the flood of new threats and new tools to protect against them coming in every day, security cannot be a one-person operation — everyone in an organization needs to be cautious and aware.