Data Security

Big data, AI and machine learning are becoming part of business as usual for many organisations in the public and private sectors. This is driven by the continued growth and availability of data, including data from new sources such as the Internet of Things (IoT), the development of tools to manage and analyse it, and growing awareness of the opportunities it creates for business benefits and insights.

Although the use of big data analytics is becoming more common, it still represents a significant change in the way organisations use data. There is a tendency to collect ‘all the data’, including new types of data; to use that data for multiple purposes, often over and above what may have been initially intended; and to apply algorithms to derive insights that wouldn't be possible using more traditional means.

Data Access Control

We have experience helping a large Swiss bank design and implement the rules and techniques for ensuring data can only be accessed in an appropriate way. The rules were complicated and interrelated: they depended on the roles the user has, the classification and categorisation of the data, specifics about the data itself such as client identifying factors and their waiver status, and even the current physical location of the employee accessing the data. We therefore needed to build a well-structured framework for defining and applying the rules.

The requirement was not only to prevent or allow access to data, but also to mask certain fields in certain circumstances, in such a way that joins to other data could still be made where appropriate but the masked values could not be used for trend analysis over time. This allows for wider usage of that data than would otherwise be possible, so in this case certain tasks could be moved to lower cost locations. In tandem with these business data access requirements was a need to support copying the production environment into test and development systems for the IT team, with anonymisation of sensitive data.
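One way to meet the join-but-no-trend requirement described above, shown as an added example rather than the client's or Thorium's implementation: deterministic keyed masking where the key is derived per reporting period. The master key, the period labels and the `client_id` field are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); in practice it is held in a KMS/HSM,
# away from the masked data.
MASTER_KEY = b"constructed-demo-master-key"

def period_key(master_key: bytes, period: str) -> bytes:
    """Derive an independent masking key for one period, e.g. '2024-03'."""
    return hmac.new(master_key, b"mask-period:" + period.encode(), hashlib.sha256).digest()

def mask(value: str, field: str, period: str, master_key: bytes = MASTER_KEY) -> str:
    """Deterministic token for (field, value), stable only inside one period."""
    # Length-prefix the field name so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(field).to_bytes(2, "big") + field.encode() + value.encode()
    return hmac.new(period_key(master_key, period), msg, hashlib.sha256).hexdigest()[:20]

def mask_rows(rows, sensitive_fields, period):
    """Copy rows, replacing each sensitive field with its period token."""
    return [
        {k: mask(v, k, period) if k in sensitive_fields else v for k, v in row.items()}
        for row in rows
    ]

def join_on(left, right, key):
    """Plain equi-join on one column, enough to show what still links."""
    index = {}
    for r in right:
        index.setdefault(r[key], []).append(r)
    return [{**l, **r} for l in left for r in index.get(l[key], [])]

# Constructed sample data
ACCOUNTS = [{"client_id": "C-1001", "segment": "private"},
            {"client_id": "C-1002", "segment": "retail"}]
TRADES_MAR = [{"client_id": "C-1001", "amount": 250},
              {"client_id": "C-1002", "amount": 75}]
TRADES_APR = [{"client_id": "C-1001", "amount": 900}]

def demo():
    accounts = mask_rows(ACCOUNTS, {"client_id"}, "2024-03")
    march = mask_rows(TRADES_MAR, {"client_id"}, "2024-03")
    april = mask_rows(TRADES_APR, {"client_id"}, "2024-04")
    # Same period: tokens match, so the join works on masked values.
    # Different period: the same client has a different token, so rows do not link.
    return join_on(march, accounts, "client_id"), join_on(april, accounts, "client_id")
```

Anyone holding the master key can re-derive every period key and re-link the periods, so custody of that key decides who is able to do trend analysis.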

Working within the client's team, our consultants helped design and build the framework for managing and controlling access, with implementations in Hadoop, Spark SQL and Oracle Exadata. We helped put in place procedures for defining how data would be restricted and adjusted as it is copied to non-production environments. This definition is used to sanitise the data the IT team has to work with in development and testing. We also helped identify and address considerations such as what data was written to access logs and audit trails, coming up with an approach to mask potentially sensitive data so that support could still be done from offshore locations.

Weakest Link Analysis

Cyber criminals often exploit the weakest link in the data chain. Thorium can help you trace each step in data flows and review the systems and controls they pass through. From internal systems to cloud computing providers: all data storage and communications must be checked to ensure you aren't left exposed.

That leaves your data users, typically employees, who are typically the weakest link. There are several things you can do to limit the data security risk from your users:

  1. Reduce the number of employees with access to sensitive, confidential or regulated data. The fewer users of the data, the less likely you are to experience a leak, hack or malicious intent.
  2. Develop policies governing the most important categories of information. For example, if your company stores personal data about its customers, make sure your staff understand the sensitivity of that information and how to handle it.
  3. Train your team on a range of cybersecurity safety techniques such as using difficult-to-guess passwords, not clicking on suspicious emails and not viewing sensitive data in a public place.

Systems Hardening

We can recommend a number of techniques to harden your systems. These include ensuring that data is encrypted both at rest and on the move, with the keys stored in a different location. All access to and manipulation of data must be logged. These logs must be audited regularly (at intervals of a week or less), and ideally the logs should be automatically monitored by anomaly detection systems for inappropriate usage and unexpected patterns. Use automated scanning technology to constantly monitor the network and applications for vulnerabilities and malware. Monitor data leaving your network for anomalies in traffic patterns (in particular large outgoing files). You can even create a number of unique fake records in your data set with the aim of detecting them where they shouldn't be. This acts as a digital version of marked banknotes which you can search for internally and across the web.
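The marked-banknote idea above, as an added example that is not Thorium's tooling: fake customer records whose email address carries a keyed tag, so a scanner can recognise them in outbound data or a public dump without holding a list of them, and can tell which copy of the data they came from. The key, the `example.com` domain, the dataset names and the record layout are assumptions.

```python
import hashlib
import hmac
import re

CANARY_KEY = b"constructed-demo-canary-key"  # assumption: kept outside the data platform
DOMAIN = "example.com"                        # assumption: stands in for a domain you monitor
DATASETS = ["crm_prod", "crm_test_copy"]      # assumption: one label per copy of the data

def _tag(serial: str, dataset: str, key: bytes) -> str:
    """Keyed tag binding a canary serial number to the dataset it was planted in."""
    return hmac.new(key, f"{dataset}:{serial}".encode(), hashlib.sha256).hexdigest()[:12]

def make_canary(n: int, dataset: str, key: bytes = CANARY_KEY) -> dict:
    """Build one fake record; it looks like ordinary data to anyone without the key."""
    serial = f"{n:06d}"
    return {"name": f"Alex Marsh {serial[-2:]}",
            "email": f"u{serial}{_tag(serial, dataset, key)}@{DOMAIN}"}

CANDIDATE = re.compile(r"\bu(\d{6})([0-9a-f]{12})@" + re.escape(DOMAIN))

def find_canaries(text: str, datasets=DATASETS, key: bytes = CANARY_KEY):
    """Return (dataset, serial) for every genuine canary found in text."""
    hits = []
    for m in CANDIDATE.finditer(text.lower()):
        serial, tag = m.groups()
        for ds in datasets:
            # Only addresses whose tag verifies under the key count as canaries,
            # so lookalike addresses do not raise false alarms.
            if hmac.compare_digest(tag, _tag(serial, ds, key)):
                hits.append((ds, int(serial)))
    return hits

# Constructed sample of outbound data: one ordinary row, one planted canary
# from the test copy, and one lookalike address with an invalid tag.
_planted = make_canary(7, "crm_test_copy")
SAMPLE_OUTBOUND = "\n".join([
    "name,email",
    "Jane Roe,jane.roe@example.org",
    f"{_planted['name']},{_planted['email']}",
    "Lookalike,u000007aaaaaaaaaaaa@example.com",
])
```

Planting a different dataset label in each environment means a hit also indicates whether the production system or a non-production copy was the source.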

PCI Compliance

PCI DSS is the worldwide Payment Card Industry Data Security Standard that was set up to help businesses process card payments securely and reduce card fraud. The PCI DSS applies to companies of any size that accept credit card payments. If your company intends to accept card payments, and to store, process and transmit cardholder data, you need to store your data securely in a PCI compliant way. Even accepting PayPal payments requires you to be PCI compliant.

Unfortunately, there's not a great deal of guidance on how to approach meeting these requirements. Thorium can help you work through the PCI DSS requirements section by section and apply them to your organisation and environment. We can help turn them into a clear design and plan for how to operate in compliance with the standards with minimal disruption.