Data Security 101

The Fundamentals of Data Security Posture Management

The information explosion and cloud migration have made Data Security Posture Management (DSPM) more important than ever. Eureka Security provides security practitioners with the basics - definitions and examples of all data security building blocks in this rapidly evolving cybersecurity sector. Welcome to Data Security 101!

Archival Data (Data Lifecycle)

The fourth phase of the data lifecycle. Data that is no longer in active use but cannot yet be deleted, typically because a legal, regulatory or contractual retention requirement still applies, is archived. Archival is similar to storage, but little maintenance is needed and no routine usage is expected. The data lifecycle management policy should therefore restrict access to archives tightly: almost any read of archived data is unexpected and should be treated as an event worth reviewing. This justifies stronger access controls on archives than on active storage, for example removing all standing read access and alerting on any retrieval.

Backup Concepts

Data backup is the practice of copying data from a primary to a secondary location so that it can be restored after a disaster, an accident such as an erroneous deletion, or malicious activity such as ransomware. Although manual backups are possible, most organizations use at least one backup technology to ensure that systems are backed up consistently and on a schedule. A backup that has never been test-restored should not be relied on; a successful restore, not the backup job itself, is what proves the control works.

Backup Retention Policy

A backup retention policy is an internal organizational guideline that specifies what data the organization retains, where it is retained and for how long. Retention rules matter for several reasons, chiefly keeping customer or client data safe and readily available when it is needed. Retention requirements vary with the sector involved, for example healthcare, education, IT and retail, each of which carries its own regulatory obligations. Some retention policies also specify when particular data must be deleted, so retention and destruction are two sides of the same policy.

CCPA

One of the common standards, regulations and compliance frameworks. The California Consumer Privacy Act (CCPA) is a California state statute that applies to the personal information of California residents. Its primary aim is to enhance privacy rights and consumer protection, including the right to know what personal information a business collects about a consumer and the right to request its deletion.

CIS

One of the common standards, regulations and compliance frameworks. The Center for Internet Security (CIS) is a nonprofit organization with no regulatory mandate. Its primary contribution is a set of best-practice cybersecurity standards, the CIS Benchmarks and CIS Controls, covering a wide range of IT systems and products, including hardening guidance for the major cloud providers' platforms.

Cloud Asset Management

Cloud Asset Management (CAM) is the process of maintaining an accurate, continuously updated inventory of an organization's cloud infrastructure and of the application data stored in it. Many businesses store and manage digital assets across a range of cloud-based services, so CAM pulls asset information from each of those sources (for example the cloud providers' inventory APIs) into one organized view, preventing operational bottlenecks and security blind spots such as datastores nobody knows about.

Cloud Computing

Cloud computing is the on-demand, pay-as-you-go delivery of IT services over the Internet. Rather than purchasing, operating and maintaining physical data centers and servers, an organization obtains technology services such as compute, storage and databases from a cloud provider as needed.

Cloud Object Storage

Object storage is a data storage architecture used to store vast amounts of unstructured data. Each piece of data is stored as an object in a flat namespace (a bucket or container), packaged with its metadata and a unique identifier (key) used to retrieve it. Because buckets are addressable over the Internet, their access policies are a frequent source of data exposure, and bucket-level permissions should be reviewed alongside the classification of the data they hold.

Column-oriented Database

One of the most common non-relational database types. Wide-column databases, also known as column-family databases, are a kind of NoSQL database in which the names and formats of the columns can differ between rows, even within the same table. Because data is organized by column rather than by row, a query for a specific value in a column can scan and load that column rapidly. Examples include Apache Cassandra, ScyllaDB and Apache HBase. Apache Parquet, which is sometimes listed alongside them, is a columnar file format rather than a database.

Creation (Data Lifecycle)

The first stage of the data lifecycle is the creation of data. This includes data captured in an unstructured format, such as a file uploaded by a user, and data captured into a structured database, such as a record added to an SQL database. Creation does not necessarily mean new data: it also covers copying existing data into a similar format or transforming it into another format for a different purpose, which is how most duplicate and shadow copies come into existence. The main security concern in this phase is keeping up with data creation across the organization and ensuring that security policies, classification first among them, are applied as early as possible in the data's lifecycle.

DPP

A Data Protection Policy (DPP) is an internal policy used to standardize data usage, monitoring and administration. Its primary objective is to safeguard all data used, managed and stored by the organization. Although a DPP is not itself mandated by law, organizations frequently use one to demonstrate adherence to recognized data protection regulations and standards.

Data Breach

A data breach occurs when information is accessed, copied or exfiltrated from a system without the owner's knowledge or consent. The exposed data may include sensitive, proprietary or confidential information, and its exposure can cause financial, legal and reputational harm to the target; under regulations such as GDPR and CCPA it may also trigger mandatory notification of regulators and affected individuals.

Data Classification

Data classification is the process of labeling data by type, sensitivity and value so that the organization can apply the controls and regulatory requirements appropriate to each class and thereby limit and reduce security risk. Among the most sensitive data types are PHI, PII and PCI data, along with secrets. Classification is the foundation of DSPM: access policies, encryption requirements and retention rules are all expressed in terms of the class of data a datastore contains.

Data Controller

One of the data protection roles. A Data Controller is the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller may be an individual, a company, a public authority, an agency or another body. Where the purposes and means of processing are laid down by national or EU law, that law may itself identify the controller or the criteria for nominating one.

Data Custodian

One of the data protection roles. A Data Custodian is usually a person in an IT role who manages the infrastructure used to store and secure data. Custodians concentrate on the "how" of data storage and typically receive their day-to-day direction from the Data Owner. They may structure or restructure a relational database, employ middleware to support a central data warehouse, or produce workflows and schemas that document how databases are organized.

Data Inventory

A data inventory (also known as a data map or data mapping) is a comprehensive list of all data assets owned by an organization. A properly maintained inventory contains up-to-date, thorough information about each data asset and the sources it was gathered from. When properly constructed, a data map offers significant insight into the types of data an organization gathers, where that data is located, who has access to it and how it is used.

Data Lakes vs. Data Warehouses

Both are built to store vast amounts of data. In a data lake the data is usually kept in its raw, unprocessed format and is transformed only when a consumer needs it, whereas in a data warehouse the data is pre-processed and filtered to support specific analytics purposes. Because a lake accepts raw copies of data from many sources, it tends to accumulate sensitive data that was classified and controlled in its source system but not in the lake.

Data Lifecycle

Data Lifecycle Management is a method that enables businesses to control the flow of data at every stage of its lifecycle, from initial creation to final disposal. The process is broken down into five stages: creation, storage, usage, archival and destruction.

Data Lineage

Data lineage tracks the complete journey of data from its origin through all the transformations, processes, and systems of the data lifecycle until it reaches its final destination.

Data Management

Data management refers to the process of consuming, storing, organizing, and managing the data produced and gathered by an organization. Effective data management is a critical component of IT systems that run business applications and provide analytical data that enables corporate executives, business managers, and other end users to execute operational decision-making and strategic planning.

Data Movement / Data Flow

Data flow refers to the movement of data through a system made up of hardware, software, or both. Data flow is frequently described using a model or diagram that depicts the full process of moving data from one part of a program or system to the next, while taking into account how its form changes along the way.

Data Owner

One of the data protection roles. A Data Owner has legal authority over, and accountability for, one or more data sets and is responsible for their classification, protection, usage and quality on behalf of the organization.

Data Processor

One of the data protection roles. A Data Processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. The same entity can be a controller for some processing and a processor for other processing.

Data Responsibilities

The administration and security of data requires the collaborative effort of numerous stakeholders in organizations, each with their own specific responsibility.

Data Sovereignty

Data sovereignty is the principle that data stored in digital form is subject to the laws of the country in which it is physically located. Current concerns about data sovereignty mostly relate to upholding privacy laws when data crosses borders and to preventing data stored abroad from being subpoenaed by the government of the host country. In the cloud this comes down to which regions a datastore, its replicas and its backups reside in.

Data Steward

One of the data protection roles. A Data Steward is a subject-matter expert with a thorough understanding of a specific data set. In accordance with the data governance principles established by the Data Owner, the Data Steward oversees the maintenance and implementation of the classification, protection, use and quality of that data. Data Stewards are appointed to assist Data Owners in putting data policies into action.

Data Subject

One of the data protection roles. A Data Subject is a natural person who can be identified, directly or indirectly, by an identifier such as a name, an identification number, a telephone number or an IP address, or by one or more characteristics specific to their physical, physiological, mental, economic, cultural or social identity.

Data Warehouse

A data warehouse is a data management system created to facilitate and assist business intelligence (BI) activities, particularly analytics. Data warehouses frequently include significant volumes of historical data and are used only to conduct queries and analysis. The data in a data warehouse typically originates from a variety of sources, including transaction apps and application log files.

Database-as-a-Service

Database-as-a-Service (DBaaS) is a managed cloud service model that lets individuals and businesses use database services without operating the underlying software or infrastructure. The database engine and the data are hosted by the DBaaS provider, which exposes API and network endpoints for access. The provider operates the database according to its own best practices and is responsible for provisioning, scaling, resilience, failover, backup and restore. The provider's responsibility ends at the service boundary: who can reach the endpoint, which credentials and roles exist, how the data is classified and whether backups and snapshots are shared remain the customer's responsibility.

Declassifications

Declassification is the process of officially lowering the classification of data, typically from a restricted class to an unrestricted one. Several declassification procedures exist; in each, the data is released either in full or in part, with the parts that remain sensitive masked, redacted or kept under a narrower classification. Declassification should be an explicit, recorded decision by the Data Owner, since it removes the controls that the earlier classification required.

Destruction (Data Lifecycle)

The fifth and last phase of the data lifecycle. When data is no longer needed it can and should be destroyed, which reduces storage costs and compliance scope and carries a significant security bonus: data that no longer exists cannot be breached. Destruction is only effective if it covers every copy, including backups, snapshots, replicas, archived exports and previous object versions; a deletion that leaves a soft-deleted or versioned copy behind has not actually destroyed the data.

Differential Backup

One of the four main backup types. A differential backup contains every file that has changed since the last full backup. Restoring requires only the last full backup plus the most recent differential, so restoration is faster and simpler than with incremental backups. The cost is size: because each differential re-copies everything changed since the full backup, successive differentials grow, and if full backups are taken too infrequently a differential can end up larger than the full backup it depends on.

Document Database

One of the most common non-relational database types. A document database manages collections of documents, each a set of named fields holding strings, numbers, nested objects or arrays. Document databases are flexible because documents in the same collection need not share a schema. Documents are most commonly represented as JSON, but stores also use XML, YAML, BSON (a binary JSON encoding) or other encodings. Since no schema is enforced, a sensitive field can appear in any document without the store being aware of it, so classification has to be done on document contents rather than on a column list.

Ephemeral Datastore

An ephemeral datastore is one intended to exist for a short period, created when a specific need arises and destroyed once that need is met. Its lifetime ranges from hours to weeks, for example a database spun up for a CI/CD pipeline run or to reproduce a customer issue. Because such stores are often seeded with copies of production data and are created outside the normal provisioning path, they are a frequent source of shadow data; they should be inventoried on creation and confirmed destroyed afterwards.

FISMA

One of the common standards, regulations and compliance frameworks. Federal Information Security Management Act of 2002 (FISMA) is mandated by United States federal law. Its primary aim is to reduce the security risk to federal information and data while managing federal spending on information security.

Full Backup

One of the four main backup types, which contains all of the information stored in the folders and files that are chosen to be backed up, and serves as the foundation for all other forms of backup. Because full backups keep all files and directories, they enable quicker and easier restoration processes.

GDPR

One of the common data standards, regulations and compliance frameworks. The General Data Protection Regulation (GDPR) is a European Union regulation that also applies throughout the European Economic Area. Its primary aim is to strengthen individuals' control and rights over their personal data and to simplify the regulatory environment for international business. It applies to any organization that processes the personal data of people in the EU, regardless of where the organization itself is located.

Graph Database

These are the most complex of the non-relational databases, designed to store the relationships between entities as efficiently as the entities themselves. Graph databases are excellent solutions when data is heavily interrelated, as in purchasing and manufacturing systems or reference catalogs. Examples include Neo4j, FlockDB and GraphDB.

HIPAA

One of the common standards, regulations and compliance frameworks. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law. Its primary aim, through its Privacy and Security Rules, is to set requirements for the protection of protected health information (PHI) held by healthcare providers, health plans, healthcare clearinghouses and their business associates.

IAM

Identity and Access Management (IAM) is a set of business processes, regulations, and technologies that make it easier to manage and oversee electronic or digital identities. IAM frameworks allow Information Technology (IT) administrators to govern user access to sensitive data within their organizations.

IRM

Information Rights Management (IRM) is an IT security technology intended to prevent unauthorized access to documents containing sensitive data. IRM applies to documents, spreadsheets and presentations created by individuals, in contrast to traditional Digital Rights Management (DRM), which targets mass-produced media such as songs and movies. IRM attaches access policy and encryption to the document itself, so that unauthorized copying, viewing, printing, forwarding, deleting and editing are blocked wherever the file travels.

Incremental Backup

One of the four main backup types. An incremental backup saves only the files that have changed since the previous backup of any type, whether full, differential or incremental. Its benefit is speed and small size, since each job copies only the latest changes. The drawback is restoration: the full backup and every subsequent incremental must be applied in order, and a single missing or corrupt incremental breaks the chain for everything after it.
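
The Full, Differential and Incremental Backup entries above differ in what each backup contains and in how many backups must be applied to restore. The following added example, which is not code from the original page, simulates all three strategies over a constructed series of daily file changes and computes the size of each backup job and the restore chain for a given day. The change sets and file sizes are made up for illustration.

```python
"""Simulate full, differential and incremental backup strategies.

Constructed input: for each day, the files (and their size in KB) written
that day. Day 0 is the initial full backup under every strategy.
"""

CHANGES = {
    0: {"a": 100, "b": 200, "c": 300},
    1: {"a": 110},
    2: {"b": 210},
    3: {"a": 120, "d": 50},
}


def state_at(day):
    """Files and sizes as they exist at the end of `day` (what a restore must reproduce)."""
    state = {}
    for d in range(day + 1):
        state.update(CHANGES.get(d, {}))
    return state


def backup_contents(strategy, day):
    """Files captured by the backup job run on `day` under `strategy`."""
    if day == 0 or strategy == "full":
        return state_at(day)
    if strategy == "differential":
        # Everything changed since the last full backup (day 0), so each
        # differential grows until the next full backup is taken.
        files = {}
        for d in range(1, day + 1):
            files.update(CHANGES.get(d, {}))
        return files
    if strategy == "incremental":
        # Only what changed since the previous backup of any kind.
        return dict(CHANGES.get(day, {}))
    raise ValueError(f"unknown strategy: {strategy}")


def restore_chain(strategy, target_day):
    """Backups that must be applied, in order, to restore `target_day`."""
    if strategy == "full":
        return [target_day]
    if strategy == "differential":
        return [0] if target_day == 0 else [0, target_day]
    if strategy == "incremental":
        return list(range(target_day + 1))
    raise ValueError(f"unknown strategy: {strategy}")


def restore(strategy, target_day):
    """Rebuild the file set for `target_day` by applying the restore chain."""
    state = {}
    for d in restore_chain(strategy, target_day):
        state.update(backup_contents(strategy, d))
    return state


def backup_sizes(strategy, last_day):
    """Total KB written by each day's backup job, day 0 through `last_day`."""
    return [sum(backup_contents(strategy, d).values()) for d in range(last_day + 1)]


if __name__ == "__main__":
    for s in ("full", "differential", "incremental"):
        print(s, "job sizes:", backup_sizes(s, 3), "restore day 3 needs:", restore_chain(s, 3))
```

All three strategies restore the same file set; what differs is the write cost per job (the differential grows from 110 to 380 KB while the incrementals stay small) and the length of the chain a restore depends on.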

Key-value Database

One of the most common non-relational databases. The key-value store is the simplest NoSQL database and, as its name suggests, is only a collection of key-value pairs stored within an object. Examples include Redis, Amazon DynamoDB and Oracle NoSQL database.

Managed Database vs. Self-Managed Database

When databases are used in cloud environments there are different ways to deploy, manage and use their infrastructure. The two common options are managed and self-managed (unmanaged) databases. A managed database is a cloud service in which the cloud provider is paid to operate the underlying infrastructure while the customer is given access to the database itself. A self-managed database is one in which the database software runs on virtual machines in the cloud environment; the customer has full control over the VMs and the related database infrastructure, and with it responsibility for patching, backups, encryption and the network exposure of the database port.

Mirror backup

One of the four main backup types. A mirror backup is similar to a full backup, but the files are not compressed into archives and cannot be password protected; it produces an exact, file-for-file copy of the source data. The advantage is that programs and people can read the backed-up files directly. The corresponding risk is that the mirror carries the same sensitive data as its source in readable form and must be protected by the same access controls and encryption at rest.

Multi-cloud

Multi-cloud is a cloud computing paradigm where an organization uses a combination of clouds to distribute applications and services. These clouds can be two or more public clouds, two or more private clouds, or a combination of public, private, and edge clouds.

NIST

One of the common standards, regulations and compliance frameworks. The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce whose special publications are widely adopted as security baselines. NIST SP 800-53 provides a catalog of security and privacy controls for US federal information systems other than national security systems. NIST SP 800-171 specifies the requirements that non-federal systems and organizations must meet to store, process or transmit Controlled Unclassified Information (CUI) or to provide security protection for such systems.

Non-Relational Database

A non-relational database, often called a NoSQL database, stores data without the fixed tabular schema of a relational database: there is no requirement that every record have the same columns, and relationships are not expressed through foreign keys and joins. Instead, the storage model is tailored to the kind of data being stored, as in key-value, document, wide-column and graph databases.

PCI

One of the most common data classifications. PCI data is cardholder data as defined by PCI DSS: the primary account number (PAN) together with the cardholder's name, the card's expiration date and the service code. It also covers sensitive authentication data, which must never be stored after authorization: full magnetic-stripe or chip track data, the card verification code (CVV2, CVC2, CID) and PINs or PIN blocks. To prevent payment card fraud, the PCI Security Standards Council (SSC) created the Payment Card Industry Data Security Standard (PCI DSS) in 2004. It is used worldwide by merchants, processors and service providers to securely process, store and transmit cardholder data; any organization that handles cardholder data is required to comply, and any PAN it stores must be rendered unreadable, for example by truncation, tokenization or strong encryption.

PCI DSS

One of the common standards, regulations and compliance frameworks. The Payment Card Industry Data Security Standard (PCI DSS) is mandated contractually by the major card brands and administered by the Payment Card Industry Security Standards Council. It is an information security standard for organizations that handle branded payment cards from the major card schemes.

PHI

One of the most common data classifications. Protected Health Information (PHI) is any individually identifiable health information created, received, stored or transmitted by an entity covered by health privacy statutes such as HIPAA. It includes demographic data relating to a person's past, present or future physical or mental health, the healthcare the person receives and payment for that care.

PII

One of the most common data classifications. A person's name, address, Social Security number, phone number, email address, or any other number or code that can be used to directly identify a person is considered PII. Along with other types of information, such as gender, race, date of birth, and location, PII is data that an organization can use to identify specific people. PII also includes any contact details that can be used to locate a person physically or online. In order to safeguard PII against unauthorized access, use, deletion, alterations, or other data breaches, organizations may be legally required by regional or national laws to maintain specific security controls.
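
The Data Classification entry above describes labeling data by sensitivity, and the PCI and PII entries describe two of the classes a scanner must recognize. The following added example, which is not code from the original page, is a small rule-based classifier of the kind a DSPM scanner runs over record contents: it finds candidate card numbers and keeps only those that pass the Luhn checksum, detects SSN and e-mail patterns, labels each record, and masks PANs to the first six and last four digits as PCI DSS allows for display. The sample records are constructed; the card number is the well-known Visa test PAN, not a real card.

```python
"""Rule-based classifier for PCI and PII indicators in free-text records.

Constructed sample records (not real people or cards); 4111 1111 1111 1111
is the widely published Visa test PAN.
"""
import re

RECORDS = [
    {"id": 1, "text": "Customer Jane Doe, card 4111 1111 1111 1111 exp 12/27"},
    {"id": 2, "text": "Contact: jane.doe@example.com, SSN 123-45-6789"},
    {"id": 3, "text": "Order ref 4111111111111112 shipped"},  # 16 digits but fails Luhn
    {"id": 4, "text": "Build 2024-11-05 succeeded, 3 warnings"},
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (raw_match, digits) for each candidate that passes the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((m.group(), digits))
    return found


def mask_pan(digits):
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text):
    """Labels for one record; 'UNCLASSIFIED' when no indicator matched."""
    labels = set()
    if find_pans(text):
        labels.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")
    return labels or {"UNCLASSIFIED"}


def redact(text):
    """Mask PANs and SSNs so the record can be logged or displayed safely."""
    for raw, digits in find_pans(text):
        text = text.replace(raw, mask_pan(digits))
    return SSN_RE.sub("***-**-****", text)


def classify_records(records):
    """Map record id -> set of labels."""
    return {r["id"]: classify(r["text"]) for r in records}


if __name__ == "__main__":
    for r in RECORDS:
        print(r["id"], sorted(classify(r["text"])), redact(r["text"]))
```

Record 3 illustrates why the checksum matters: a 16-digit order reference would otherwise be classified as PCI and pull a non-cardholder datastore into PCI scope. In a real scanner the label set would be extended with PHI and secret patterns and the regexes tuned per locale.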

Point-in-Time Recovery (PITR)

Point-in-Time Recovery (PITR) is a technique that lets a database administrator restore a database to its state at a specific moment, rather than only to the moment a backup was taken. It works by combining a base backup with a continuous archive of the database's transaction (write-ahead) log; replaying the archived log on top of the base backup up to the chosen timestamp reconstructs the database as it was then. PITR is crucial when someone unintentionally deletes a table or records, or when a fault corrupts the live database: the quickest remedy is to restore to the last "known good" point just before the damaging transaction. The recovery window is bounded by how long the log archive is retained, and the archive itself contains every write, so it must be protected like the database.
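
The replay described above, as an added example that is not code from the original page: a constructed base backup and a short write-ahead log, including an accidental table drop, are combined so that any timestamp at or after the base backup can be recovered. The log format and the `last_good_before` helper are assumptions for the illustration, not the log format of any particular database engine.

```python
"""Point-in-time recovery as base backup + ordered transaction log replay.

Constructed data: one base backup and a short write-ahead log (WAL) in
commit order, including an accidental DROP TABLE at ts=140.
"""
import copy

BASE_BACKUP = {"taken_at": 100, "tables": {"users": {1: "alice", 2: "bob"}}}

WAL = [
    {"ts": 110, "op": "insert", "table": "users", "id": 3, "value": "carol"},
    {"ts": 120, "op": "update", "table": "users", "id": 2, "value": "bobby"},
    {"ts": 130, "op": "delete", "table": "users", "id": 1, "value": None},
    {"ts": 140, "op": "drop_table", "table": "users", "id": None, "value": None},  # the accident
    {"ts": 150, "op": "insert", "table": "audit", "id": 1, "value": "post-incident note"},
]


def apply_entry(tables, entry):
    """Apply one log record to the in-memory table set."""
    op = entry["op"]
    if op == "drop_table":
        tables.pop(entry["table"], None)
        return
    rows = tables.setdefault(entry["table"], {})
    if op in ("insert", "update"):
        rows[entry["id"]] = entry["value"]
    elif op == "delete":
        rows.pop(entry["id"], None)
    else:
        raise ValueError(f"unknown op {op!r}")


def recover(base, wal, target_ts):
    """Rebuild the database as it was at `target_ts` (inclusive).

    The base backup is copied, never modified, so several targets can be
    tried against the same backup.
    """
    if target_ts < base["taken_at"]:
        raise ValueError("target precedes the base backup; an older base backup is required")
    tables = copy.deepcopy(base["tables"])
    for entry in sorted(wal, key=lambda e: e["ts"]):
        if entry["ts"] > target_ts:
            break
        apply_entry(tables, entry)
    return tables


def last_good_before(wal, bad_op="drop_table"):
    """Timestamp just before the first destructive operation, to use as the restore target."""
    for entry in sorted(wal, key=lambda e: e["ts"]):
        if entry["op"] == bad_op:
            return entry["ts"] - 1
    return None


if __name__ == "__main__":
    target = last_good_before(WAL)
    print("recovering to", target, "->", recover(BASE_BACKUP, WAL, target))
```

Recovering to ts=139 returns the users table with carol inserted, bob renamed and alice deleted, exactly as it stood before the drop; recovering to ts=150 faithfully reproduces the damage, which is why choosing the target from the log is the critical step.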

Relational Database

A relational database, also known as a Relational Database Management System (RDBMS) or SQL (Structured Query Language) database, is a collection of data items with pre-established relationships between them. Data items are organized as a set of tables with columns and rows. Each column holds a specific type of data and each field holds the actual value of an attribute; each row represents a group of related values for a single object or entity. A primary key uniquely identifies every row in a table, and a foreign key in another table that references it links rows across tables.

Remediation vs. Mitigation

Remediation and mitigation are the two outcomes of a risk assessment conducted after a vulnerability or threat is discovered. Remediation eliminates the issue where possible, for example by patching the vulnerable component or removing the exposed data. Mitigation applies where elimination is not possible: it reduces the likelihood that a vulnerability is exploited, or the impact if it is, for example by restricting access or adding monitoring, while the underlying issue remains.

SOC2

One of the common standards, regulations and compliance frameworks. SOC 2 (System and Organization Controls 2) is a voluntary attestation framework developed by the American Institute of CPAs (AICPA). Its primary aim is to evaluate how a service organization manages customer data against the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy; the outcome is an auditor's report rather than a certification.

SOX

One of the common standards, regulations and compliance frameworks. The Sarbanes–Oxley Act of 2002 (SOX) is mandated by United States federal law. Its primary aim is to provide common practices in financial record keeping and reporting for corporations.

Secrets

One of the most common data classifications. Secrets are the credentials that organizations employ to carry out digital authentication anytime privileged users need to access critical corporate data or delicate applications and services. Secrets can exist in a variety of formats, such as passwords, API keys, tokens, SSH keys, private certificates, and encryption keys. Securing secrets is critical to the overall security of any business, and IT teams frequently use secrets management technologies in their DevOps settings.

Security and Privacy Laws, Regulations and Compliance

Data-use compliance refers to the rules and guidelines that specify how businesses and governmental bodies must protect customer and employee information from theft, unauthorized access, and other harm. This is frequently used to protect consumer data, but it can also apply to employee data, financial records, and other information.

Semi-structured Data

Semi-structured data, sometimes referred to as partially-structured data, is data that lacks the tabular organization common to relational databases and other types of data tables but still has tags and metadata to distinguish semantic components and create hierarchies of records and fields.

Shadow Data

Shadow data is company data that is hidden from organizational view or not covered by the centralized data management framework, which puts it at higher risk. It typically results from data being copied, backed up, exported or stored in a datastore that is not controlled, not governed by the organizational security framework and not kept up to date, for example a database snapshot shared to another account, a CSV export sitting in a personal bucket, or a test copy of production data.

Snapshots

A snapshot records the state of a system, virtual machine, disk or volume at the instant it was taken and serves as a restore point for returning it to operating condition. Unlike a backup copy, a snapshot is not an independent copy of the data: it preserves the storage blocks as they were at that moment (typically through copy-on-write) and records how they were arranged, so it depends on the underlying storage system and does not protect against the loss of that system. Snapshots of databases and volumes contain the same sensitive data as their source and need the same access controls; a snapshot shared with another account or made public exposes everything in it.

Storage

The second phase of the data lifecycle. After data has been created, it is then stored for different purposes. A good data lifecycle management program will include policies to reduce the risk to the data stored – storing it only if needed, backing it up using a robust process, limiting access to relevant users and applications only, and maintaining a good security posture around the controls available for the data.

Structured Data

Structured data is data that is in a standardized format, has a well-defined structure, follows a consistent order, and is easily accessed by humans and programs. Usually, a database is used to store this type of data.

Types of Databases

The functionality that databases offer to users is largely dependent on their design. Since data is a dynamic object, there are many different ways it can be stored, and therefore businesses create database systems to meet their own requirements.

Unstructured Data

Unstructured data can take any number of forms and has no pre-defined data model. Examples include images and text files such as PDF documents, as well as video and audio files.

Usage

The third phase of the data lifecycle. Data is only helpful when it is used to support the business. It will need to be accessed and changed constantly, and may also be made available to share outside of the organization. The data lifecycle management policies will need to balance the business use cases with security needs, and to differentiate between legitimate use of the data and use that would put business or the privacy of the data at risk. Maintaining audit trails around data usage, monitoring for unnecessary usage and identifying any anomalies are key.
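
The entry above says that audit trails, monitoring for unnecessary usage and spotting anomalies are the key controls in this phase. The following added example, which is not code from the original page, shows the detection logic run over constructed access-log lines: a baseline window establishes what normal volume looks like per user and table, and new events are flagged for first-time access to a table, abnormal row counts, and access outside business hours. The log format, the 08:00 to 18:00 UTC business window and the tenfold volume threshold are assumptions for the illustration.

```python
"""Detect anomalous data usage in an access audit trail.

Constructed log lines (not from any real system) in the form
    <ISO-8601 UTC timestamp> user=<principal> action=<op> table=<table> rows=<count>
A baseline window establishes, per (user, table), what normal looks like;
new events are then flagged for first-time access, abnormal volume, and
access outside business hours (assumed here to be 08:00-18:00 UTC).
"""
import re
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

BASELINE_LOG = """\
2024-03-04T09:05:00Z user=alice action=SELECT table=customers rows=110
2024-03-04T14:20:00Z user=alice action=SELECT table=customers rows=130
2024-03-05T10:40:00Z user=alice action=SELECT table=customers rows=120
2024-03-05T11:15:00Z user=bob action=SELECT table=orders rows=20
2024-03-06T16:30:00Z user=bob action=SELECT table=orders rows=25
"""

NEW_LOG = """\
2024-03-07T10:00:00Z user=alice action=SELECT table=customers rows=125
2024-03-07T11:00:00Z user=alice action=SELECT table=customers rows=50000
2024-03-07T11:30:00Z user=bob action=SELECT table=customers rows=5
2024-03-08T03:10:00Z user=alice action=SELECT table=customers rows=120
2024-03-08T12:00:00Z user=carol action=SELECT table=orders rows=10
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def build_baseline(text):
    """Rows read per event, grouped by (user, table), over the baseline window."""
    baseline = {}
    for ev in parse_log(text):
        baseline.setdefault((ev["user"], ev["table"]), []).append(ev["rows"])
    return baseline


def detect(baseline_text, new_text, business_hours=(8, 18), volume_factor=10):
    """Return (reason, user, table) findings for the new events, in log order."""
    baseline = build_baseline(baseline_text)
    findings = []
    for ev in parse_log(new_text):
        key = (ev["user"], ev["table"])
        if key not in baseline:
            # This principal has never read this table in the baseline window.
            findings.append(("NEW_ACCESS", ev["user"], ev["table"]))
        elif ev["rows"] > volume_factor * median(baseline[key]):
            # Far more rows than this principal normally reads: possible bulk export.
            findings.append(("VOLUME", ev["user"], ev["table"]))
        start, end = business_hours
        if not start <= ev["ts"].hour < end:
            findings.append(("OFF_HOURS", ev["user"], ev["table"]))
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_LOG, NEW_LOG):
        print(*finding)
```

The median, rather than the mean, is used for the volume baseline so that one earlier bulk read does not raise the threshold and hide the next one. In production the baseline would be recomputed on a rolling window and the findings enriched with the table's classification so that a VOLUME finding on a PII table ranks above one on a reference table.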

User Access Review (UAR)

User Access Review (UAR) is a control that verifies that only authorized users have access to applications or infrastructure. A review commonly leads an application's business or IT owner to discover that users who have left the company or moved to another team still hold access that should have been disabled. Reviews are most effective when run against an inventory that ties each access grant to a data classification, so that access to the most sensitive datastores is reviewed most often.

Versioning

Backup versioning is the process through which a backup solution enables a computer file to have several archived versions. A number of a file’s previous versions are typically stored in file systems that support backup versioning. Most versioning programs periodically snapshot changing files at hourly, daily, weekly, and monthly intervals.

ZSP (Zero Standing Privilege)

Zero Standing Privilege (ZSP) is a concept that improves IT security by eliminating standing privileges, that is, broad access rights that are effectively always on, typically in the form of accounts with permanent administrative permissions. Such accounts enlarge the attack surface for privilege misuse and credential theft, which poses a serious risk to organizations. Under ZSP, elevated access is instead granted just-in-time for a specific task and revoked when the task ends.
