Which of the following ensures that data is accessible to authorized users group of answer choices?

Inhaltsverzeichnis Show

What are the Main Elements of Data Security?
What are Data Security Considerations?
What are Data Security Technologies?
Data Auditing
Data Real-Time Alerts
Data Risk Assessment
Data Minimization
Purge Stale Data
How Do You Ensure Data Security?
Quarantine Sensitive Files
Track User Behavior against Data Groups
Respect Data Privacy
Data Security Regulations
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX)
General Data Protection Regulation (GDPR)
How Varonis Helps with Data Security

With vehicles becoming more connected and their systems relying more on complex networked information, protecting the information is a priority task.

Think of information as all the bits and pieces that are gathered about something or someone. In a vehicle, information covers the details of the user, the information exchanged between electronic systems, and, even the software that is stored to make the systems work. Cybersecurity simply means that the information is protected against criminal or unauthorized use and/or that measures are taken to achieve this.

When we analyze cybersecurity, the first step is to look into the C-I-A triad, which is a well-known model for cybersecurity development. C-I-A stands for Confidentiality, Integrity and Availability – these security concepts help to guide cybersecurity policies. Automotive systems and related infrastructure must be protected against deliberate or accidental compromise of confidentiality, integrity or availability of the information that they store, process and communicate without hindering safety and functionality. It is important to understand each of these concepts because all risks, threats and vulnerabilities are measured for their potential capability to compromise one or all of these principles.

Confidentiality ensures that data exchanged is not accessible to unauthorized users. The users could be applications, processes, other systems and/or humans. When designing a system, adequate control mechanisms to enforce confidentiality should be in place, as well as policies that dictate what authorized users can and cannot do with the data. The more sensitive the data, the higher the level of confidentiality. Therefore, all sensitive data should always be controlled and monitored.To maintain confidentiality in automotive systems, data needs to be protected inside and outside the vehicle, while it is stored (data at rest), while it is transmitted (data in motion), and while it is being processed (data in use). Memory protection can be applied to data in use. Cryptography is excellent for protecting the confidentiality of data at rest and data in motion, but keep in mind that it imposes computational complexity and increases latency, so it should be used with caution in time-sensitive systems.

Integrity is the ability to ensure that a system and its data has not suffered unauthorized modification. Integrity protection protects not only data, but also operating systems, applications and hardware from being altered by unauthorized individuals. In automotive systems, CRC is known to provide integrity protection against accidental or non-malicious errors; however, it is not suitable for protecting against intentional alteration of data. Hence, the sensitive data should include cryptographic checksums for verification of integrity. Moreover, mechanisms should be in place to detect when integrity has been violated and to restore any affected system or data back to their correct state.

Availability guarantees that systems, applications and data are available to users when they need them. The most common attack that impacts availability is denial-of-service in which the attacker interrupts access to information, system, devices or other network resources. A denial-of-service in an internal vehicular network could result in an ECU not being able to access the information needed to operate and the ECU could become nonoperational or even worst it could bring the system to an unsafe state. To avoid availability problems, it is necessary to include redundancy paths and failover strategies in the design stage, as well as to include intrusion prevention systems that can monitor network traffic pattern, determine if there is an anomaly and block network traffic when needed.

The C-I-A triad is a very fundamental security model, but as with any model there is room for improvement; other attributes such as non-repudiation and authentication are important and needed to be considered too. But at least, ensuring that the three aspects of the C-I-A triad are covered is an important first step towards designing any secure system.

If you want to know more about cybersecurity processes, related standards, and their impact on the automotive industry, come to our two day UL-CCSP training in automotive.

Data Security is a process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different datasets, their sensitivity, regulatory compliance requirements and then applying appropriate protections to secure those resources.

Similar to other approaches like perimeter security, file security or user behavioral security, data security is not the be all, end all for a security practice. It’s one method of evaluating and reducing the risk that comes with storing any kind of data.

What are the Main Elements of Data Security?

The core elements of data security are confidentiality, integrity, and availability. Also known as the CIA triad, this is a security model and guide for organizations to keep their sensitive data protected from unauthorized access and data exfiltration.

Confidentiality ensures that data is accessed only by authorized individuals;
Integrity ensures that information is reliable as well as accurate; and
Availability ensures that data is both available and accessible to satisfy business needs.

What are Data Security Considerations?

There are a few data security considerations you should have on your radar:

Where is your sensitive data located? You won’t know how to protect your data if you don’t know where your sensitive data is stored.
Who has access to your data? When users have unchecked access or infrequent permission reviews, it leaves organizations at risk of data abuse, theft or misuse. Knowing who has access to your company’s data at all times is one of the most vital data security considerations to have.
Have you implemented continuous monitoring and real-time alerting on your data? Continuous monitoring and real-time alerting are important not just to meet compliance regulations, but can detect unusual file activity, suspicious accounts, and computer behavior before it’s too late.

What are Data Security Technologies?

The following are data security technologies used to prevent breaches, reduce risk and sustain protections.

Data Auditing

The question isn’t if a security breach occurs, but when a security breach will occur. When forensics gets involved in investigating the root cause of a breach, having a data auditing solution in place to capture and report on access control changes to data, who had access to sensitive data, when it was accessed, file path, etc. are vital to the investigation process.

Alternatively, with proper data auditing solutions, IT administrators can gain the visibility necessary to prevent unauthorized changes and potential breaches.

Data Real-Time Alerts

Typically it takes companies several months (or 206 days) to discover a breach. Companies often find out about breaches through their customers or third parties instead of their own IT departments.

By monitoring data activity and suspicious behavior in real-time, you can discover more quickly security breaches that lead to accidental destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Data Risk Assessment

Data risk assessments help companies identify their most overexposed sensitive data and offer reliable and repeatable steps to prioritize and fix serious security risks. The process starts with identifying sensitive data accessed via global groups, stale data, and/or inconsistent permissions. Risk assessments summarize important findings, expose data vulnerabilities, provide a detailed explanation of each vulnerability, and include prioritized remediation recommendations.

Data Minimization

The last decade of IT management has seen a shift in the perception of data. Previously, having more data was almost always better than less. You could never be sure ahead of time what you might want to do with it.

Today, data is a liability. The threat of a reputation-destroying data breach, loss in the millions or stiff regulatory fines all reinforce the thought that collecting anything beyond the minimum amount of sensitive data is extremely dangerous.

To that end: follow data minimization best practices and review all data collection needs and procedures from a business standpoint.

Purge Stale Data

Data that is not on your network is data that can’t be compromised. Put in systems that can track file access and automatically archive unused files. In the modern age of yearly acquisitions, reorganizations and “synergistic relocations,” it’s quite likely that networks of any significant size have multiple forgotten servers that are kept around for no good reason.

How Do You Ensure Data Security?

While data security isn’t a panacea, you can take several steps to ensure data security. Here are a few that we recommend.

Quarantine Sensitive Files

A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly get control of your data with data security software that continually classifies sensitive data and moves data to a secure location.

Track User Behavior against Data Groups

The general term plaguing rights management within an organization is “overpermissioning’. That temporary project or rights granted on the network rapidly becomes a convoluted web of interdependencies that result in users collectively having access to far more data on the network than they need for their role. Limit a user’s damage with data security software that profiles user behavior and automatically puts in place permissions to match that behavior.

Respect Data Privacy

Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control.

Data Security Regulations

Regulations such as HIPAA (healthcare), SOX (public companies) and GDPR (anyone who knows that the EU exists) are best considered from a data security perspective. From a data security perspective, regulations such as HIPAA, SOX, and GDPR require that organizations:

Track what kinds of sensitive data they possess
Be able to produce that data on demand
Prove to auditors that they are taking appropriate steps to safeguard the data

These regulations are all in different domains but require a strong data security mindset. Let’s take a closer look to see how data security applies under these compliance requirements:

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act was legislation passed to regulate health insurance. Section 1173d—calls for the Department of Health and Human Services “to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, and the value of audit trails in computerized record system.”

From a data security point of view, here are a few areas you can focus on to meet HIPAA compliance:

Continually Monitor File and Perimeter Activity – Continually monitor activity and access to sensitive data – not only to achieve HIPAA compliance, but as a general best practice.
Access Control – Re-compute and revoke permissions to file share data by automatically permissioning access to individuals who only have a need-to-know business right.
Maintain a Written Record – Ensure you keep detailed activity records for all user objects including administrators within active directory and all data objects within file systems. Generate changes automatically and send to relevant parties who need to receive the reports.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002, commonly called “SOX” or “Sarbox,” is a United States federal law requiring publicly traded companies to submit an annual assessment of the effectiveness of their internal financial auditing controls.

From a data security point of view, here are your focus points to meet SOX compliance:

Auditing and Continuous Monitoring – SOX’s Section 404 is the starting point for connecting auditing controls with data protection: it asks public companies to include in their annual reports an assessment of their internal controls for reliable financial reporting, and an auditor’s attestation.
Access Control –Controlling access, especially administrative access, to critical computer systems is one of the most vital aspects of SOX compliance. You’ll need to know which administrators changed security settings and access permissions to file servers and their contents. The same level of detail is prudent for users of data, displaying access history and any changes made to access controls of files and folders.
Reporting – To provide evidence of compliance, you’ll need detailed reports including:
- data use, and every user’s every file-touch
- user activity on sensitive data
- changes including permissions changes which affect the access privileges to a given file or folder
- revoked permissions for data sets, including the names of users

The EU’s General Data Protection Regulation covers the protection of EU citizen personal data, such as social security numbers, date of birth, emails, IP addresses, phone numbers, and account numbers. From a data security point of view, here’s what you should focus on to meet GDPR compliance:

Data Classification – Know where sensitive personal data is stored. It’s critical to both protecting the data and also fulfilling requests to correct and erase personal data, a requirement known as the right to be forgotten.
Continuous Monitoring –The breach notification requirement enlists data controllers to report the discovery of a breach within 72 hours. You’ll need to spot unusual access patterns against files containing personal data. Expect hefty fines if you fail to do so.
Metadata – With the GDPR requirement to set a limit on data retention, you’ll need to know the purpose of your data collection. Personal data residing on company systems should be regularly reviewed to see whether it needs to be archived and moved to cheaper storage or saved for the future.
Data Governance – Organizations need a plan for data governance. With data security by design as the law, organizations need to understand who is accessing personal data in the corporate file system, who should be authorized to access it and limit file permission based on employees’ actual roles and business need.

How Varonis Helps with Data Security

For companies that have a hold on data and have security obligations due to GDPR or other regulatory requirements, understanding our mission at Varonis will help you manage and meet data protection and privacy regulations requirements.

The mission at Varonis is simple: your data is our primary focus, and our data security platform protects your file and email systems from cyberattacks and insider threats. We’re fighting a different battle – so your data is protected first. Not last.

We continuously collect and analyze activity on your enterprise data, both on-premises and in the cloud. We then leverage five metadata streams to ensure that your organization’s data has confidentiality, integrity, and availability:

Users and Groups – Varonis collects user and group information and maps their relationships for a complete picture of user account organization.
Permissions – We add the file system structure and permissions from the platforms that we monitor, and combine everything into a single framework for analysis, automation, and access visualization.
Access Activity – Varonis continually audits all access activity, and records & analyzes every touch by every user. Varonis automatically identifies administrators, service accounts and executives and creates a baseline of all activity. Now you can detect suspicious behavior: whether it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware like CryptoLocker.
Perimeter Telemetry – Varonis Edge analyzes data from perimeter devices such as VPN, proxy servers, and DNS – and combines this information with data access activity to detect and stop malware apt intrusions and data exfiltration.
Content Classification – Varonis scans for sensitive and critical data, and can absorb classification from other tools like DLP or e-Discovery. Now we know where sensitive data lives and where it’s overexposed.

These five metadata streams are critical to achieving data security nirvana. When you combine them, you can get reports on sensitive data open to global group access, stale data, data ownership, permissions changes and more. Then, prioritize your custom reports and act to remediate your risk. Meanwhile, you’ll know that your data is continuously monitored and that you’ll receive real-time alerts when suspicious behavior is taking place.

Get a free data risk assessment to see whether your data security strategy is where it needs to be.