Seven Levels of Data Security to Protect Your Business

Security breaches can be devastating, and we believe we have a role to play in sharing our knowledge and helping organizations adopt a holistic approach to protecting themselves.
7 min read
11/09/21
All articles
By Dmitry Vyrostkov
Head of Security at DataArt
Share
Seven Levels of Data Security to Protect Your Business

We have created a practical guide to help companies enhance their security, starting at the most basic and advancing to more comprehensive strategies. We encourage every organization to use this guide to identify and close gaps in their security.

Our recommendations form a pyramid in which each level addresses a particular set of threats and countermeasures. The higher an organization elevates its security, the less likely it is to suffer damaging security incidents.

Enterprise Security Pyramid

Level 0: Ground

An organization must protect all of its IT assets. The first step is to perform a thorough audit and create a complete asset inventory that includes all physical hardware, cloud resources, and storage holding confidential data like passwords. This must be an ongoing exercise because, as the organization grows, new assets are added.

Here is a breakdown:

  • Locate the physical hardware: servers, switches, routers, PC stations, laptops, smartphones, etc.
  • Locate virtual resources: virtual drives (Google, Microsoft, other), Cloud buckets, virtual machines, API gateways, and Docker/Kubernetes containers.
  • Locate confidential information
    • Establish where passwords and certificates are stored and who has access to them.
    • Confidentiality maintenance: create, refresh, revoke, and rotate.
  • Establish ownership: Assign someone responsible for each item.

Level 1: Essential

The next level of our pyramid involves changing all default passwords, settings, configurations, firewall rules, ports, etc., to minimize the risk of breaches. Cybercriminals search for the weakest access points to an organization’s network and systems, and those access points are usually default settings and system configurations and default or standard password combinations. It is also advisable to disable any unnecessary components and uninstall non-essential applications.

Level 2: Basic

After changing all default IT policies, network access to physical and virtual assets must be appropriately restricted. This will require custom firewall configurations with advanced settings, intrusion detection and antivirus software solutions (which need to be well configured and regularly updated), RFID-based authentication, and regular data security testing and audits.

Level 3: Elevated

This level involves segregation of duties, separation of roles, and the IAAA principle.

Segregation of duties means avoiding colocation of hardware, software, and networks that serve different purposes. For example, using the same computer for data storage and web deployment can put the entire network at risk. While segregation of duties is not cost-effective, it mitigates numerous risks and can limit the impact of a breach by reducing the number of components an attacker can access.

Separation of roles means granting access to files, systems, or devices only to the users who need it. The number of users authorized to access any platform, operating system, or device should be as limited as possible, permissions should be granted individually, and identities of all users with access to particular assets should be known at all times.

«IAAA» stands for identification, authentication, authorization, and audit. Following the IAAA principle helps to ensure that data is always thoroughly protected.

Level 4: Advanced

The advanced level of the pyramid is reached only when internal documents are categorized (security-labeled) and protected with permission-based access. This more extensive segregation is absolutely necessary for medium and large enterprises spread over many locations.

Documents must be classified as Public, Private, or Protected, and access permissions can be set for opening, reading, editing, and downloading. For example, a CEO might have permission to access a financial statement for opening, reading, editing, and downloading, whereas the head of a department might only have reading access.

This level also includes the use of password management tools like multi-factor authentication and key management tools like AWS KMS, Azure Key Vault, or HashiCorp Vault. These tools help to ensure that passwords are strong, securely stored, and properly managed.


Security Expertise

DataArt’s featured materials on cybersecurity, secure software development and data protection.

image

Level 5: Endurance

Cyberattacks are not the only security threat. Natural disasters such as earthquakes and floods can severely disrupt or even destroy a business by taking out its hardware and other assets. Every organization should devise plans for mitigating the damage and disruption from any force majeure events it might plausibly face.

This means developing a Disaster Recovery Plan and a Cyber Security Emergency Response Plan. Regular data backups, drills, and routine testing of system vulnerabilities are also recommended.

Level 6: Trust

This level is about improving the human aspect of security.

Always perform a thorough HR screening when hiring new personnel for key positions. New hires must be worthy of trust in their attention to security and handling of confidential information.

Suppliers and vendors should also be carefully vetted. If any significant security gaps or weaknesses are identified, insist that they be addressed.

Finally, Dark Web scanning is crucial for determining whether any of the organization’s data is in possession of hackers.

For additional protection, attacks can be simulated to test how systems will behave and eliminate weaknesses.

Level 7: Paranoia

This level is for companies intent on adding an extra layer of security for their valuable information.

One good step is to build a Security Operation Center that handles all security requests and is charged with preventing and responding to security incidents. Threat detection software can be integrated with the organization’s systems to spot unusual patterns of employee behavior, potential malware, phishing, spamming and other such attacks. Biometric access systems with retina scans, voice recognition, or fingerprint authentication can tighten access to premises, hardware, and endpoints. Security clearance can be required for work with confidential, secret, and top secret information. (Each country has different levels and norms).

There are many other actions that could be taken to enhance control of internal systems, but the approaches presented in levels 0 through 6 should suffice for most enterprises.

Conclusion

We used a pyramid motif to illustrate the multi-layered nature of IT security. But there are many security practices that cannot be attributed to particular levels of the security pyramid. Companies must adopt security as a core cultural value and continuously cultivate security awareness within their teams. All security practices must evolve with the growth of the company, process changes, and knowledge of new threats.

Sign Up for Updates!

Subscribe now to receive industry-related articles and updates

Choose industries of interest
Thank You for Joining!

You will receive regular updates based on your interests. No spam guaranteed

Add another email address
READ MORE
Sign Up for Updates!
Choose industries of interest
Thank You for Joining!

You will receive regular updates based on your interests. No spam guaranteed

Add another email address
Welcome
We are glad you found us
Please explore our services and find out how we can support your business goals.
Get in Touch Envelope