November 26, 2018 | BLOG POST
By Prithvi Hariharan, Chief Technology Officer for Envision Financial Systems, Inc.
This post introduces a new series of blog posts about how Envision approaches cybersecurity risks and touches on a key topic: the need to ensure secure handling of data in all its states—at rest, in transit and in use.
A primary consideration in cybersecurity is the protection of information. Taking a risk-based approach is undoubtedly a best practice: it lets financial services companies keep their information security investments commensurate with each calculated risk and with the aggregation of related risks. In the mutual fund and brokerage industries, the highest-level risks include:
- Unauthorized cash outs
- Unauthorized trades
- Trade repudiation risks
- Compromise of corporate or individual retirement portfolio
- Breach of personal banking information
- Breach of beneficiary information
Protecting against these risks requires a wide range of critical security practices, ranging from physical networks to user authentication and authorizations to data storage and handling. In this post, we’ll begin by touching on the need to protect data in all its phases.
Data at rest
Data at rest refers to data that is stored rather than moving: files on servers, workstations and removable media, database contents, and the backup copies of all of these, whether kept on external devices or offsite in the cloud. Don't take pains to protect data in transit and in use only to store it on an unsecured network drive!
Keeping track of where data at rest lives, across every device and every backup, is the first step towards protecting it. Protection usually involves a multi-layer strategy of physical and logical access controls, and the files and content themselves need to be encrypted. It is important to stay current on encryption methods: some algorithms and modes deemed effective only a few years ago are no longer considered secure, so the inventory of data at rest should record which algorithm protects each store.
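As an added example of encrypting stored content with a current, authenticated algorithm (this is example code, not Envision's), the Go program below seals a record with AES-256-GCM and shows that a single modified byte on disk, or a blob copied to another client's path, is rejected on read instead of decrypting to garbage. The key source, the record contents and the storage paths are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not Envision code: protect a stored record with AES-256-GCM,
// an authenticated cipher, so that any modification of the stored blob is
// detected when it is read back rather than decrypting to silent garbage.
// Assumption: the 32-byte key comes from a KMS or HSM; key storage and
// rotation are outside this snippet.

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit data-encryption key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext and binds it to aad (here the storage path), so a
// blob copied to another path, or swapped with another client's blob, fails
// to open. Output layout: nonce || ciphertext || 16-byte GCM tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce for every Seal; never reuse one under a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag over nonce, ciphertext and aad before decrypting; a
// flipped bit anywhere in blob, or the wrong aad, yields an error and no data.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to hold a nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and storage path for the demonstration.
	record := []byte("acct=000123456789;beneficiary=Jane Doe")
	path := []byte("/vault/clients/42/profile.dat")
	blob, err := Seal(key, record, path)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, blob, path)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // one modified byte on disk
	_, err = Open(key, tampered, path)
	fmt.Println("tampered blob rejected:", err != nil)
	_, err = Open(key, blob, []byte("/vault/clients/43/profile.dat"))
	fmt.Println("blob moved to another client's path rejected:", err != nil)
}
```

The authenticated mode is the point of the example: AES in CBC mode without a separate MAC, still found in older systems, would decrypt the tampered blob without complaint, and the application would carry on with corrupted beneficiary data. Binding the storage path as associated data is a cheap extra check against blobs being shuffled between records.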
Data in transit
Data in transit refers to data moving between networks, within a network, or between processes and devices on a network. Examples include file transfers, email, and communication between the tiers of an application. Encrypting the data itself and using encrypted connections for every transmission are the typical ways organizations protect data in transit. TLS, and protocols carried over it such as HTTPS, are the standard way to encrypt a connection; SSL, the predecessor of TLS, is deprecated and should be disabled rather than relied on, and the same goes for the oldest TLS versions.
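As an added example (example code, not Envision's) of what "an encrypted connection" has to check, the Go program below runs one TLS exchange over the loopback interface: the client trusts only a pinned root and verifies the server name, and both sides refuse anything older than TLS 1.2, so a legacy client that can only speak TLS 1.0 is turned away at the handshake. The self-signed certificate, the host name and the message are assumptions for the demonstration; in production the server certificate comes from the organisation's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Envision code: one TLS exchange over loopback in which
// the client trusts only a pinned root and checks the server name, and both
// sides refuse anything older than TLS 1.2. The self-signed certificate and
// host name are assumptions for the demo; production certs come from a CA.
const serverName = "transfer.example.internal" // assumed host name

// selfSignedCert builds a short-lived P-256 certificate for serverName and a
// root pool that trusts only that certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// ServerConfig rejects SSL 3.0, TLS 1.0 and TLS 1.1 at the handshake.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// ClientConfig pins the roots, checks the name (never InsecureSkipVerify)
// and likewise requires TLS 1.2 or newer.
func ClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// Exchange runs a one-shot echo server on loopback, connects with cli and
// returns the negotiated protocol version and the echoed reply.
func Exchange(srv, cli *tls.Config, msg string) (uint16, string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	go func() { // server side; any failure here surfaces as a client error
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		buf := make([]byte, 1024)
		if n, err := c.Read(buf); err == nil { // server handshake runs here
			c.Write(buf[:n])
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli) // client handshake
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return 0, "", err
	}
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if err != nil {
		return 0, "", err
	}
	return conn.ConnectionState().Version, string(buf[:n]), nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	ver, reply, err := Exchange(ServerConfig(cert), ClientConfig(roots), "TRADE BUY 100 FUNDX")
	fmt.Printf("version=%#x reply=%q err=%v\n", ver, reply, err)
}
```

Two failure cases are worth trying against the same server: a client built with an empty root pool (it refuses the server's certificate, which is what a forged or self-issued certificate on a file-transfer endpoint should trigger), and a client with MinVersion and MaxVersion both set to tls.VersionTLS10 (the server answers with a protocol-version alert and no data is exchanged). Both return an error from Exchange rather than a downgraded connection.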
Data in use
Data in use refers to the data currently being added, viewed, updated or deleted by the application and its users. Drive your system providers to mask sensitive fields in views, so that a screen shows, say, only the last four digits of an account number unless the role genuinely needs the whole value. Ensure that the application follows the principle of least privilege: a user has access to nothing more than is needed to fulfill that user's role, and anything not explicitly granted is withheld.
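As an added example (not Envision's code) of masking and least privilege applied to a view, the Go program below projects a record for a given role: non-sensitive fields are always shown, a sensitive field appears in full only to a role explicitly granted it, and everything else is masked down to its last four characters. The roles, field names and sample record are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Envision code: a deny-by-default field projection for
// screens. Non-sensitive fields are always shown; a sensitive field is shown
// in full only to a role explicitly granted it and is otherwise masked, so a
// view never carries more than the role needs. Roles and field names are
// assumptions for the demo.

type Record map[string]string

// sensitive marks the fields that must never appear unmasked without a grant.
var sensitive = map[string]bool{"ssn": true, "account": true, "bank_account": true, "beneficiary": true}

// grants lists, per role, the sensitive fields that role may see in full.
// A role missing here (or a typo in its name) gets every sensitive field
// masked; nobody sees the SSN in full because no role is granted it.
var grants = map[string][]string{
	"operations": {"account", "bank_account", "beneficiary"},
	"csr":        {"beneficiary"},
}

// mask keeps only the last four characters, enough to confirm "the account
// ending 6789" with a caller without exposing the whole identifier.
func mask(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// View returns the copy of r that a user in role is allowed to see.
func View(r Record, role string) Record {
	allowed := map[string]bool{}
	for _, f := range grants[role] {
		allowed[f] = true
	}
	out := make(Record, len(r))
	for k, v := range r {
		if sensitive[k] && !allowed[k] {
			out[k] = mask(v)
		} else {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample record for the demonstration.
	r := Record{"name": "Jane Doe", "account": "000123456789", "ssn": "123-45-6789", "beneficiary": "John Doe"}
	for _, role := range []string{"operations", "csr", "auditor"} {
		fmt.Println(role, View(r, role))
	}
}
```

The design choice to note is that the grant table is the only place where full access is enabled: an unknown role, a misspelled role name or a newly added sensitive field all fall on the masked side, which is the behaviour you want when the field in question is a bank account or beneficiary record.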
Taking a structured approach
Addressing data in all its phases requires a disciplined, structured approach to cybersecurity that includes careful analysis of how data is generated, transmitted, used and stored. Like any chain, the weakest link defines its overall strength. Taking a risk-based approach is the only way to ensure the necessary attention is paid to data in every one of its phases.