HIERARCHY AND LAYERS OF DATA SECURITY CONTROLS

The data security has become an imperative structure inside the design of data centers/ cloud rather than an option to add a fancy feature in the list. At a recent IT infrastructure conference in Portland, a very famous Maslow’s theory was used for identifying and prioritizing the layers of security. In Maslow’s Theory, a pyramid is built on the motivation theory; human action first prioritizes the safety and nourishment while moving on to the other factors like entertainment, emotional well-being, and adventure. The Maslow’s pyramid was used to structure the Dasher’s hierarchy of data security.

1. Self-awareness:

This is the most fundamental and important stage in the hierarchy of data security. This stage helps you to determine your requirement and also what you want to achieve in your data security. It’s a stage where you make the list of the most important things you want in your data security. Software and hardware requirements to maintain the level of security for business operation. Self-awareness helps the businesses to understand the need for security and how it would affect their business needs.

2. Basic Need:

Most enterprises skip the self-awareness stage and directly jump on to the basic need stage. The enterprises ask the IT Department for the basic needs to run a business operation. A security software for all the physical system, a firewall to protect the network and one step identity authorization for the operation.

3. Data and user protection:

Usually, if the enterprises are exhaustively self-aware about the security goals and implement them, data and user protection stage would not be needed. In Data and User protection stage, enterprises divide the operations of the different department and then secure the network depending on the data.

4. Security Actualization:

The stage is actually achieved when an enterprise has actually achieved a 100 percent security cover. Actualization gives us the benefit of determining the threat even before it arises. Security actualization can be achieved with security analytics to determine the threat status and network health.

For more details, you can download whitepapers on Data Security.

As the hierarchy is defined, we now need to understand different layers that affect the security. Layers help the enterprise define the security for each layer and the risks that can be mitigated at the protection layer.

Physical Layer: 

The lowest level of protection is applied at the physical level Flash, disks or other storage spaces that need to be protected. Protecting the data at this level means that you save the data from physical improper transfer, loss or theft. The control is usually handed over to the full disk encryption (FDE) or key management for arrays.

For mobile devices that actually carry a lot of physical data, the encryption could be a great way to protect the data. A mobile device usually carries a risk of theft, lost or even thrown away encryption would save the data against unauthorized use. The encryption of the data is not the best way to protect the sensitive data stored in a data center or cloud environment.

As the system that is authorized to access the information is operational, there would be no limits to the access of data. A simple handover in the security can result in the leakage of sensitive data from any of the mobile sources. Physical layer protection offers an easy solution to the enterprise for data protection, but it limits the security functions.

System Layer: 

The next level of security that is applied at enterprise-level is the file or volume encryption, access control along with privileged access management. Encryption of the data is the same as we saw in the physical layer, however, the access control protects against the unidentified access to the sensitive data. The control access helps to provide only authorized access to data for signed database process and user. System layer helps to meet the required mandate for access control on different sensitive information.

System layer is critical for data security in Infrastructure as a service cloud environment. The deployment of the system layer they ensure that all the data stays under the control of the enterprise. This protects against compromise of the data from any cloud provider or failure as the encryption and access offer levels of security.

Application and Database Layer Protection

Encryption and access control protect the data well against any system level threats. They are not designed to protect the data against a threat coming in from application or database environment. The next level of protection that encrypts the data and creates the access control from within the application and database is required.
These are best implemented during the development of the applications as they require the configuration of application or database.

The implementation of the following during the operation can be challenging. Here are some of the controls:

1. Application Encryption 
2. Data Masking.
3. Database access monitoring 
4. Tokenization.
5. TDE key management. 

Hierarchy helps in defining the most important procedures that need to be followed for the data protection and Layers provides us the brief about our data architecture. It’s important that the organization understands that data security should be a priority in the business operation. For more details, download whitepapers on Data Security.