Automation to manage end-to-end data security

Employing automation solutions to implement data security depends on the particular business context. If your enterprise functions in a highly sensitive or regulated industry, then automation solutions can be a great way to minimize downtime and reduce the attack surface.

There is no one-stop solution when it comes to data security automation. It entirely depends on factors such as the sector you operate in, your business framework, budget constraints, or maturity level of teams. When you begin the journey to employ data security automation in your environment, it is important to consider data in its entirety, at all stages of the life cycle.

When you look at the data lifecycle, there are three predominant areas where data needs to be secured. The solutions and security practices at each of these layers are varied to enable data security.

Data security automation

1.       Data in transit – Typically, most organisations are aware of data in transit. It refers to communication between client to server between two entities. It could also be local communication between two systems.

2.       Data at rest – This refers to data stored in your database.

3.       Data in use –When IT refers to ‘data in use’, it is data which is being interpreted at the moment, when the data is being executed on the system.

Securing and protecting data at various points of the data lifecycle

Whether data is being used, in transit or at rest, the ways in which the data is vulnerable vary, and therefore specific solutions must be deployed to enable data security in each of these different areas.

·         Data security for data in transit

When there is any communication exchanged between two entities, there should be some kind of encryption enforced. Ideally, it is HTTP protocol, configured at the server level. When you see ‘https’, this means the communication is being encrypted while sending messages or receiving data from the server. For data in transit, most IT teams have solutions like installing a buyer’s certificate and configuring the server certificate. They ensure that communication is taking place on https or a secure layer. This is a configuration-level activity typically done by an IT operations or admin team.

Automation at this level is not a big concern for organisations. In case of a client server architecture, even when there are client-to-client communications, there are generally certificate-based authentications. Based on this, the communication is encrypted. You verify the sender and receiver’s signatures to validate that they are talking to the entities intended.

·         Protection and automation for data at rest

Data at rest is about database security. Database security features are provided by DB vendors like Microsoft SQL server, MySQL themselves. The database is protected with a username and password. Only DB administrators have access to these details, acting as a first layer of defence.

Database hacks indicate there are no protections or inadequate protection. Either the username and password is insecure or data stored into the database is in plain text. If an attacker gains access to the database, the entire DB records are exposed. A general practice followed by developers in most organisations is to have encryption libraries to encrypt and store data in the database. Unfortunately, not many are aware of the best practices.

No two data values will have the same level of security. Passwords require hashing.Storing credit card details requires obfuscation or masking credit card details except for the last four digits.As for other sensitive information, you could encrypt and store values highly sensitive for your business in the database. All these have different sort of libraries so development teams should know when to apply what based on the context.

A particular resource must be trained in enforcing security on data elements to be stored or processed. Otherwise, they will not know what sort of automations to apply or the most up to date solutions existing in the market. Automation in this regard is purely based on business use cases – the specific libraries, frameworks and solutions required to perform that particular activity.

·         Data protection for data in use

When the data has to be processed, it must be retrieved from the database to enable transformations or modifications. Even at this time, there are some security risks. Once the attacker gains access to that particular server or machine, he can see what sort of data is stored there, or how the data is being processed. These are highly complicated attacks because the attacker has to gain access to the server in order to exploit any data in use. User accesses and permissions are the best way to protect data in use. Organizations can restrict access by user role. They can also deploy encryption and monitoring solutions to detect breaches.

In the case of data in use, data protection is purely based on the processor. For example, the latest Intel processors have secure enclave features to store highly critical encryption or decryption keys. These are tamper-resistant. The iPhone has a secure enclave in the processor. This is a hardware-level security feature rather than software-level. Software-level security features can be cracked but hardware level security features make it very challenging for hackers. The processing unit has a dedicated chip with biometric details or facial ID mapped into it that is highly secure.

Automating data security for cloud environments

Most organisations face multiple challenges on data security, if they don’t rely on automation. They need to identify services readily available and leverage them to be prepared for attacks. They need to bounce back with minimal downtime and disruption to business, and have confidence that even if data is leaked, there are robust encryptions in place.

Cloud Service Providers (CSPs), understand the requirements or challenges faced by organizations. However, organizations must be aware that using a cloud service provider does not automatically provide them with in-built data security. Data protection and data security are additional features and services provided by CSPs that companies can avail of. They provide data protection automation solutions with dashboards, alerts, notifications, and easy password or security management.

For example, when you want to store sensitive details, AWS provides key Management Service or Azure provides key Vault. These solutions allow you to create security keys or random tokens in your security context but also to delete or revoke them. In the case of a data breach, the organisation has to terminate that key and replace it with a new key in the fastest manner possible in order to reduce the attack surface. Automation of data security enables companies to react and respond quickly, to mitigate the impact of the breach.

Data protection and security automation technologies offered by cloud service providers

Cloud service providers offer some levels of data protection and data security automation including key rotation policies and certificate managers. Key rotation policies automatically rotate the keys in a particular time frame. For example, you can set 90 days as the timeline to rotate the keys. This way, even if encrypted data is hacked and the hacker is trying to decrypt the data, you can change the encryption key to ensure the earlier data is of no use. Certificate managers are useful to manage certificates. They are defined by cloud service providers to encrypt the SSL part of data in transit.

Various cloud service providers offer solutions that are well designed and address data security, management of security practices and compliance. Key Management Services (KMS)from AWS or Key Vault from Azure are secure and resilient services that help you manage encryption keys. Secrets Manager from AWS is more focused on storing certain limited data values. It protects secrets needed to access applications, services, and IT resources. The service also enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

For data in use, cloud service providers have similar data security processes at the hardware level for organisations’ server infrastructure or highly critical infrastructures. Based on the cost and pricing structure, organisations can opt for these secure servers, with these benefits available out of the box. Once they have dedicated these servers to their application stack, developers can use these native-level features. They could store some highly confidential data to a secure enclave. This is embedded at the chip level, which cannot be easily hacked into.

Reliability of cloud service providers for data security solutions

Cloud service providers define automation solutions based on up to date industry standards. They invest in security audits and refer to security standards and community guidelines before delivering these services to organisations. This is because they deliver these services to not only SMEs but also to government sectors, military and other highly sensitive industries.

Generally, there are no loopholes identified in the security services provided. It’s at the configuration level that mosthacks are carried out. For example, ifan organisation is consuming KMS as a service on AWS but not using the key rotation policy. The loophole here is that the customer is not in a position to understand how to consume all the security features provided by CSPor the configuration side of things. This is why cloud experts or external security advisors are required, especially to advise on security for cloud-native applications, or apps moving to the cloud. If the organisation is not in position to identify and categorise the severity of a particular issue, they have to rely on external security specialists like Entersoft.

Best practices in security automation

–          Data classification is a must: Once data is defined, it becomes easy to identify and apply the relevant security measures.

–          Having a key rotation policy and storing some of your encryption / decryption keys on KMS services. Highly sensitive values can be stored in Secrets Manager.

–          As a best practice, passwords should be hashed and stored. There are certain hashing algorithms such as Argon2 and Bcrypt which could be specifically used for password protection.

–          Usernames and passwords of the database are to be stored in the Secrets Manager. During Entersoft’s Source Code Reviews for customers, we have found that many developers store database connection strings on configuration files. Store database connection strings in the Secrets Manager rather than storing them in a hard-coded fashion or in a configuration file. You can return these values to the source code whenever required.

–          Manage user accesses and permissions for sensitive data, following a zero trust policy

–          Deploy data protection platforms using tokenization and encryption a required

The Entersoft perspective

Our team at Entersoft are certified in industry-leading security services and assessments. During our security audits for customers, we encounter the following scenarios:

–          Limited cloud security knowledge –Many organizations, both large and small, were not well aware of cloud security features. Generally, several clients who use cloud services are not in a position to look into the configuration side of things, and reach out to Entersoft as security experts for cloud security reviews. In a recent case we encountered, a client had set the key rotation policy to a number of years which is not a good practice. At Entersoft, we follow CIS baselines which maintain a standard for cloud providers as well. We go through all the checklists.For instance, AWS has 110 checklists. We then report to the customers that as per security standards, what is the recommended configuration. Once they have this information, the internal teams fix the issues themselves.

–          Need for external assessment–Many organizations that Entersoft works with have in-house security teams but still rely on security vendors. This is a management decision as an extra level of caution and impartiality, and to ensure their security teams or internal teams are following best practices. Many other customers come to us due to an audit, regulatory or compliance requirement that such reviews must be reported by a third-party vendor.

In all these cases, our team of White-Hat hackers and military grade security experts conduct the audit manually and with a level of automation. These assessments on data security, cloud and data protection are shared along with actions on priority to fix. If they cannot implement a change being enforced by the security community for certain reasons, Entersoft provides a detailed review on how they can work around and be assured that their entire environment is secure.