With vehicles becoming more connected and their systems relying more on complex networked information, protecting that information is a priority. Think of information as all the bits and pieces that are gathered about something or someone. In a vehicle, information covers the details of the user, the data exchanged between electronic systems, and even the software that is stored to make those systems work. Cybersecurity simply means that the information is protected against criminal or unauthorized use and/or that measures are taken to achieve this. When we analyze cybersecurity, the first step is to look at the C-I-A triad, a well-known model for cybersecurity development. C-I-A stands for Confidentiality, Integrity and Availability; these security concepts help guide cybersecurity policies. Automotive systems and related infrastructure must be protected against deliberate or accidental compromise of the confidentiality, integrity or availability of the information they store, process and communicate, without hindering safety and functionality. It is important to understand each of these concepts because every risk, threat and vulnerability is measured by its potential to compromise one or all of these principles.
The C-I-A triad is a very fundamental security model, but as with any model there is room for improvement; other attributes such as non-repudiation and authentication are important and need to be considered too. At the very least, ensuring that the three aspects of the C-I-A triad are covered is an important first step towards designing any secure system. If you want to know more about cybersecurity processes, related standards, and their impact on the automotive industry, come to our two-day UL-CCSP training in automotive.

Data Security is the process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different datasets, their sensitivity and their regulatory compliance requirements, and then applying appropriate protections to secure those resources. Like other approaches such as perimeter security, file security or user behavioral security, data security is not the be-all and end-all of a security practice. It is one method of evaluating and reducing the risk that comes with storing any kind of data.

What are the Main Elements of Data Security?

The core elements of data security are confidentiality, integrity, and availability. Also known as the CIA triad, this is a security model and guide for organizations to keep their sensitive data protected from unauthorized access and data exfiltration.
What are Data Security Considerations?

There are a few data security considerations you should have on your radar:
What are Data Security Technologies?

The following are data security technologies used to prevent breaches, reduce risk and sustain protections.

Data Auditing

The question isn't if a security breach will occur, but when. When forensics gets involved in investigating the root cause of a breach, having a data auditing solution in place that captures and reports on access control changes to data, who had access to sensitive data, when it was accessed, the file path, and so on, is vital to the investigation process. Just as importantly, with proper data auditing solutions in place, IT administrators gain the visibility necessary to prevent unauthorized changes and potential breaches before they happen.

Data Real-Time Alerts

Typically it takes companies several months (or 206 days) to discover a breach. Companies often find out about breaches through their customers or third parties instead of their own IT departments. By monitoring data activity and suspicious behavior in real time, you can discover security breaches more quickly, including those that lead to accidental destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Data Risk Assessment

Data risk assessments help companies identify their most overexposed sensitive data and offer reliable and repeatable steps to prioritize and fix serious security risks. The process starts with identifying sensitive data accessed via global groups, stale data, and/or inconsistent permissions. Risk assessments summarize important findings, expose data vulnerabilities, provide a detailed explanation of each vulnerability, and include prioritized remediation recommendations.

Data Minimization

The last decade of IT management has seen a shift in the perception of data. Previously, having more data was almost always better than less: you could never be sure ahead of time what you might want to do with it. Today, data is a liability.
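The auditing and real-time alerting sections above describe two outputs of the same access trail: a forensic record of who touched sensitive data, how and when, and an alert raised while the behavior is still happening. The following Python script is an added illustration, not code from the original page or from any vendor's product. It assumes a constructed log format (timestamp, user, action, path, sensitivity label), sample events that are made up for the example, and two detection rules with thresholds chosen to fit that sample: any permission change on a sensitive file, and a user reading five or more distinct sensitive files within one minute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One event per line:
# <ISO timestamp> <user> <action> <path> <sensitivity label>
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice READ /shares/hr/salaries.xlsx SENSITIVE
2024-03-01T09:00:05 alice READ /shares/hr/benefits.docx SENSITIVE
2024-03-01T09:00:09 alice READ /shares/hr/reviews.docx SENSITIVE
2024-03-01T09:00:12 alice READ /shares/hr/terminations.docx SENSITIVE
2024-03-01T09:00:15 alice READ /shares/hr/ssn_list.csv SENSITIVE
2024-03-01T10:15:00 bob READ /shares/public/lunch_menu.txt PUBLIC
2024-03-01T11:30:00 carol ACL_CHANGE /shares/hr/salaries.xlsx SENSITIVE
2024-03-01T16:45:00 bob READ /shares/hr/salaries.xlsx SENSITIVE
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, label = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "path": path,
            "sensitive": label == "SENSITIVE",
        })
    return events


def sensitive_access_report(events):
    """Forensic view: for each sensitive path, who touched it, how and when."""
    report = defaultdict(list)
    for e in events:
        if e["sensitive"]:
            report[e["path"]].append((e["time"], e["user"], e["action"]))
    for entries in report.values():
        entries.sort()
    return dict(report)


def detect_alerts(events, burst=5, window=timedelta(minutes=1)):
    """Real-time style rules over the event stream.

    Rule 1: any permission change on a sensitive file is raised immediately.
    Rule 2: a user reading `burst` distinct sensitive files within `window`
            is flagged as possible mass access.
    Both thresholds are assumptions chosen for the sample data.
    """
    alerts = []
    reads = defaultdict(list)  # user -> [(time, path)] of sensitive reads
    for e in sorted(events, key=lambda x: x["time"]):
        if not e["sensitive"]:
            continue
        if e["action"] == "ACL_CHANGE":
            alerts.append({"rule": "acl_change_on_sensitive",
                           "user": e["user"], "path": e["path"],
                           "time": e["time"]})
        elif e["action"] == "READ":
            reads[e["user"]].append((e["time"], e["path"]))
    for user, items in reads.items():
        # sliding window over the user's sensitive reads, in time order
        for i in range(len(items)):
            start = items[i][0]
            in_window = {p for t, p in items[i:] if t - start <= window}
            if len(in_window) >= burst:
                alerts.append({"rule": "sensitive_read_burst", "user": user,
                               "count": len(in_window), "time": start})
                break  # one alert per user is enough for this example
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for path, entries in sensitive_access_report(evs).items():
        print(path)
        for t, user, action in entries:
            print(f"  {t:%Y-%m-%d %H:%M:%S}  {user:<6} {action}")
    for a in detect_alerts(evs):
        print("ALERT:", a)
```

On the sample data the report shows three events against the salaries file (two reads and one permission change), and the rules raise two alerts: carol's ACL change and alice's burst of five sensitive reads in fourteen seconds. In a real deployment the log source would be the file server's audit facility and the sensitivity label would come from a classification step, but the shape of the logic is the same.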
The threat of a reputation-destroying data breach, losses in the millions or stiff regulatory fines all reinforce the view that collecting anything beyond the minimum amount of sensitive data is extremely dangerous. To that end, follow data minimization best practices and review all data collection needs and procedures from a business standpoint.

Purge Stale Data

Data that is not on your network is data that can't be compromised. Put in place systems that can track file access and automatically archive unused files. In the modern age of yearly acquisitions, reorganizations and "synergistic relocations," it is quite likely that networks of any significant size have multiple forgotten servers that are kept around for no good reason.

How Do You Ensure Data Security?

While data security isn't a panacea, you can take several steps to ensure data security. Here are a few that we recommend.

Quarantine Sensitive Files

A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly get control of your data with data security software that continually classifies sensitive data and moves it to a secure location.

Track User Behavior against Data Groups

The general term for the problem plaguing rights management within an organization is "overpermissioning". That temporary project or those rights granted on the network rapidly become a convoluted web of interdependencies that results in users collectively having access to far more data on the network than they need for their role. Limit a user's potential for damage with data security software that profiles user behavior and automatically puts in place permissions that match that behavior.

Respect Data Privacy

Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control.
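The risk assessment, stale data, quarantine and overpermissioning passages above all reduce to questions that can be answered from a file inventory plus the observed access trail: which sensitive files are reachable through a global group (the quarantine list), which files nobody has touched in over a year (the archive list), and which users can reach sensitive data they never actually use (the grants to revoke first). The script below is an added example, not the page's or any vendor's code. It assumes a constructed inventory with ACLs keyed by group name, a fixed "today" so results are deterministic, the convention that every user is implicitly a member of "Everyone", and a simple scoring scheme of my own for prioritizing findings.

```python
from datetime import date, timedelta

# Groups that make data effectively open to the whole organisation (assumption).
GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
TODAY = date(2024, 3, 1)  # fixed "now" so results are deterministic
STALE_AFTER = timedelta(days=365)

# Constructed file inventory (not real data): path, ACL (group -> permission),
# last access date, and whether classification marked the file sensitive.
INVENTORY = [
    {"path": "/shares/hr/salaries.xlsx", "acl": {"HR": "RW", "Everyone": "R"},
     "last_access": date(2024, 2, 20), "sensitive": True},
    {"path": "/shares/hr/benefits.docx", "acl": {"HR": "RW"},
     "last_access": date(2024, 2, 25), "sensitive": True},
    {"path": "/shares/finance/q3_forecast.xlsx",
     "acl": {"Finance": "RW", "Domain Users": "R"},
     "last_access": date(2021, 6, 1), "sensitive": True},
    {"path": "/shares/public/lunch_menu.txt", "acl": {"Everyone": "R"},
     "last_access": date(2024, 2, 28), "sensitive": False},
    {"path": "/shares/legacy/old_backup.zip", "acl": {"IT": "RW"},
     "last_access": date(2020, 1, 15), "sensitive": False},
]

# Constructed directory data and observed usage taken from the audit trail.
USER_GROUPS = {"alice": {"HR"}, "bob": {"Finance"}, "dave": {"IT"}}
OBSERVED_ACCESS = {
    "alice": {"/shares/hr/salaries.xlsx", "/shares/hr/benefits.docx"},
    "bob": set(),
    "dave": set(),
}


def exposed_sensitive(inventory):
    """Sensitive files reachable through a global group: the quarantine list."""
    return sorted(f["path"] for f in inventory
                  if f["sensitive"] and GLOBAL_GROUPS & set(f["acl"]))


def stale_files(inventory, today=TODAY, stale_after=STALE_AFTER):
    """Files not touched for longer than `stale_after`: archive candidates."""
    return sorted(f["path"] for f in inventory
                  if today - f["last_access"] > stale_after)


def reachable(user, inventory, user_groups):
    """Effective access for a user; everyone is implicitly in Everyone."""
    groups = user_groups.get(user, set()) | {"Everyone"}
    return {f["path"] for f in inventory if groups & set(f["acl"])}


def overpermissioned(inventory, user_groups, observed):
    """Users who can reach sensitive data they never used in the observation
    window. Those grants are the first candidates for revocation."""
    sensitive = {f["path"] for f in inventory if f["sensitive"]}
    result = {}
    for user in user_groups:
        can_reach = reachable(user, inventory, user_groups) & sensitive
        unused = can_reach - observed.get(user, set())
        if unused:
            result[user] = sorted(unused)
    return result


def prioritized_findings(inventory, today=TODAY):
    """Score each file so remediation starts with the worst exposure.
    Scoring is an assumption: global exposure of sensitive data weighs 3,
    stale sensitive data 2, stale non-sensitive data 1."""
    exposed = set(exposed_sensitive(inventory))
    stale = set(stale_files(inventory, today))
    findings = []
    for f in inventory:
        score, reasons = 0, []
        if f["path"] in exposed:
            score += 3
            reasons.append("sensitive data open to a global group")
        if f["path"] in stale:
            score += 2 if f["sensitive"] else 1
            reasons.append("stale (no access in over a year)")
        if score:
            findings.append((score, f["path"], reasons))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    print("quarantine:", exposed_sensitive(INVENTORY))
    print("archive:", stale_files(INVENTORY))
    print("overpermissioned:", overpermissioned(INVENTORY, USER_GROUPS, OBSERVED_ACCESS))
    for score, path, reasons in prioritized_findings(INVENTORY):
        print(score, path, "; ".join(reasons))
```

On the constructed data the forecast spreadsheet ranks first: it is both sensitive and open to Domain Users and has not been opened since 2021, so it is simultaneously a quarantine and an archive candidate. Bob and Dave show up as overpermissioned because a global group, not their own team's grant, gives them reach into HR data they never touch, which is exactly the "convoluted web" the text describes.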
Data Security Regulations

Regulations such as HIPAA (healthcare), SOX (public companies) and GDPR (anyone who knows that the EU exists) are best considered from a data security perspective. From a data security perspective, regulations such as HIPAA, SOX, and GDPR require that organizations:
These regulations are all in different domains but require a strong data security mindset. Let's take a closer look at how data security applies under these compliance requirements:

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act was legislation passed to regulate health insurance. Section 1173d calls for the Department of Health and Human Services "to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, and the value of audit trails in computerized record system." From a data security point of view, here are a few areas you can focus on to meet HIPAA compliance:
Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002, commonly called "SOX" or "Sarbox," is a United States federal law requiring publicly traded companies to submit an annual assessment of the effectiveness of their internal financial auditing controls. From a data security point of view, here are your focus points to meet SOX compliance:
General Data Protection Regulation (GDPR)

The EU's General Data Protection Regulation covers the protection of EU citizen personal data, such as social security numbers, date of birth, emails, IP addresses, phone numbers, and account numbers. From a data security point of view, here's what you should focus on to meet GDPR compliance:
How Varonis Helps with Data Security

For companies that hold data and have security obligations under GDPR or other regulatory requirements, understanding our mission at Varonis will help you manage and meet data protection and privacy regulation requirements. The mission at Varonis is simple: your data is our primary focus, and our data security platform protects your file and email systems from cyberattacks and insider threats. We're fighting a different battle, so your data is protected first, not last. We continuously collect and analyze activity on your enterprise data, both on-premises and in the cloud. We then leverage five metadata streams to ensure that your organization's data has confidentiality, integrity, and availability:
These five metadata streams are critical to achieving data security nirvana. When you combine them, you can get reports on sensitive data open to global group access, stale data, data ownership, permission changes and more. Then, prioritize your custom reports and act to remediate your risk. Meanwhile, you'll know that your data is continuously monitored and that you'll receive real-time alerts when suspicious behavior is taking place. Get a free data risk assessment to see whether your data security strategy is where it needs to be.