Data security is a complex issue — here's how to tackle it.
TL;DR: Data security is a complex issue — here's how to tackle it.
Chances are, as a kid you probably had a diary or a journal. Maybe you only successfully wrote in it for a week or two, but man was it a great listener. The perfect place to write lists of all the things that were really ticking you off — but moooom won't let me sleep over! — and to jot down all your preteen problems.
And chances are, you had a lock on that diary. And you hid it under your mattress. And you might have even written in code or invisible ink or switched names around to keep your deepest, darkest thoughts top secret. Because if someone got into it and read your thoughts, you'd be embarrassed, and you might have even gotten in serious trouble.
What you were doing with your diary — hiding it, putting a lock on it, using a secret code — that was all data security. Juvenile data security, sure. But it follows the same principals that companies follow today to keep data safe when the stakes are much, much higher. But since you can't just lock up your business's data and carefully store it under your pillow, we've made this primer to get you started thinking about what it means to keep data secure.
What does data security mean?
Data security means protecting your (digital) data and keeping it safe — from attack, from accidental deletion, from security breaches, and anything else that could happen to it. Data security is a wide and complex set of answers to a wide and complex series of problems that show up when trying to secure information, not one unified process.
Some key considerations for your data security are:
- What size is your company?
- What devices are you securing?
- What is your industry?
- Where is your company located?
- Who needs to have access to what data?
- How much time and effort can your internal team expend on security?
Thinking about data security as a series of layers that protect your data in different ways is a great way to understand how to best protect yourself. There are a lot of different measures that you can take to protect and secure your company's digital information that all fall under the umbrella of “data security”. Having a measured approach will allow you to cover all of your considerations one by one.
What are best practices for data security?
There are many parts to a comprehensive data security solution. What follows here is not meant to be a step-by-step break down of everything you need to do to create perfect data security, it's an overview of the heavy-hitters that come together to create a good foundation for data security. What a best practice looks like for your business will depend on many factors, like size, industry and location.
- Manage your identity by restricting access to sensitive documents. Sometimes called data classification, managing who can see what based on their user id is a great way to keep sensitive information restricted to only those that need to see it. This limits the amount of damage that can be done if someone's username or login details are stolen. IAM companies like Auth0 are set up to handle different permissions based on user, and this is a key point to good data security policy.
- Encryption is one of the best tools that we have to keep data safe, but it isn't a monolith. You can't just decide to encrypt all your data and call it a day — that's not exactly how it works. Often, software tools that you use for your business will have some sort of encryption offered, and that's a great place to start. Your information backup service, for example, should be able to encrypt that data for you. You should also make sure you encrypt transmissions to add another layer of security onto any information you send.
Think of encryption as taking your plain data and turning it into a secret code that only you can make heads or tails of — not the bad guys. We don't recommend using historical documents as keys to encryption, though.
- Be prepared for the mobile workforce. As mobile devices take over the workplace, your security threats grow. You need a mobile security plan to keep everyone in line. This should include an enforced protocol for employees, like staying off public wifi on work devices, and having a company-mandated antivirus on their mobile devices.
Preparing for Threats
- Test how good your system is. The best defense is a good offense, and the best offense in having to recover data is testing your own security systems so you don't lose that data in the first place. Either create an internal team to stress-test your system or find someone outside your company to do it, but don't leave your security up to chance.
- Have an incident management plan. When you find out that your company's security has been compromised, the last thing you want to do is panic. Having a comprehensive protocol can keep blood pressure down and limit the damage done. Yes, IT needs to be aware of what to do, but you should also make guidelines for management, letting employees know, and your next steps for recovery.
- Make a disaster recovery plan for your data, in case of corruption or the unhappy scenario where something you need has been deleted or compromised. For many, this means having a secure backup copy of your data that is regularly updated. This backup itself will have to be protected and should also be sufficiently separate from the rest of your data.
- Know how and when to let go. When it's time to get rid of information, you need to know how to dispose of it properly. When you have to throw out sensitive information on paper, you shred it. You cut up your credit cards and write “VOID” on checks before disposing of them. Digital data is no different. Make sure that when you're wiping information, it's really gone and not lingering somewhere that will come back to bite you.
- Don't forget physical copies. If any of your backups are on paper, stored on a thumb drive, are x-rays or microfilm or negatives — or anything else that's physical and totally separate from your digital systems — don't forget about them. When you're deleting digital information, make sure that part of the process is double checking to see if that information has a physical counterpart and destroying it in kind.
"There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks."
There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks. Especially if you are dealing with sensitive information, looking towards these laws and guidelines will help give you a better sense of what is appropriate for your company. For example, companies in the medical field are likely required to follow HIPAA requirements.
You can also reduce compliance risks by following open standards. Take identity management, which has guidelines that are available for everyone to follow with the explicit purpose of being as safe and responsible as possible. Auth0, for example, is OpenID Connect certified, which means we follow the official OpenID specifications and have done the legwork to keep your data secure.
To ensure that you have the least risk possible, be thorough in your investigation of the laws that apply to your company and the best practices that have developed in your field or for your concerns. This will depend heavily on industry and location, but it needs to be done correctly to ensure that your data security is as good as possible.
Stay safe, be smart
Creating a comprehensive data security policy for your company can be a tedious task, but it's one of the most important things you can do for your company and for your customers — we don't need to remind you how bad a breach can be.
And if you need a head start on using identity management as part of a comprehensive data security solution, there's no better place to look than Auth0. We can help you cover a variety of compliance risks, manage your data classification and encrypt user information. Read our case studies and learn more about the security and standards we use to find out more.