The Elements of a Sound and Secure Data Protection Strategy

As the digital economy exponentially gains more ground and extends its roots in every sector of the global economic landscape, data management becomes more relevant and more crucial in the general workflow of any economic enterprise. Valuable information is regularly gathered, produced, utilized, and stored, which is often what gives a competitive advantage to one company over another.

Intellectual property, prototypes, contracts, policy manuals, R&D documents, user data, and customer records are only a handful of examples of the vital and often confidential information that a company accumulates throughout its life cycle, a great portion of which is fundamental to the organization’s ability to function on a daily basis.

The necessity of protecting these assets brings many companies to the question of what the best data protection strategy is. There is no single answer to this question, as circumstances vary widely, but, as with tailoring any strategy, we should begin with a situational assessment and define the objective.

The Nature of the Data and Objective

To understand the data, we first need to figure out where they are stored, how they are used, and how they flow between endpoints in internal processes. Then, we should make a risk assessment to understand the data’s level of sensitivity and the repercussions should they be stolen, changed, or lost. By segregating the data by how valuable they are, we can better decide on access control and encryption measures.

The subsequent step would be to set the primary objective of our data protection strategy. We need to know about the end before deciding on the means. For many companies, that end is regulatory compliance. While there is no single piece of legislation in the US regarding the protection of US residents’ personal information, there are a few regulations like HIPAA and agencies such as PCI, on the national and international levels, that mandate that businesses abide by certain rules.

Another objective that is very common, especially in large enterprises, is the protection of intellectual property. These assets are often unstructured files and documents whose protection requires a different approach. Securing these sensitive data is not only pertinent to cyber-attacks but also includes protecting a company’s valuable digital assets (such as design concepts or spreadsheets containing confidential information) in business partnerships or any form of interaction with external entities.

The Building Blocks of Data Security

There are various security models, each focused on a certain aspect of information systems, but the one that is centered around data security and is an integral part of any data protection strategy is the CIA Triad. CIA is an acronym for three components of data security: confidentiality, integrity, and availability. These principles apply to all three states of data, which are data at rest (stored somewhere without being used), data in motion (when it is being transferred from one location to another), and data in use.

Confidentiality

Confidentiality is all about authorized access. It ensures that the data is accessed only by the right individuals. Confidentiality is achieved by encryption techniques where the data is locked with a key, so to speak, and the key is passed to those to whom we intend to give access.

Integrity

Integrity is about maintaining the reliability and consistency of data. Any measure taken to prevent data loss and data alteration falls into this category. File permissions and user access control keep the data safe from unwarranted changes, while backups and checksums protect them from unintentional and non-human threats.
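The following is an added example, not part of the original article, showing how checksums and backups work together: a SHA-256 manifest recorded while the data is known to be good detects a silent change and an accidental deletion, and files are restored only from backup copies that still match the manifest. The file names, contents, and function names are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream: files may be large
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Relative path -> SHA-256 digest for every file under root.
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest):
    current = build_manifest(root)
    return {"modified": sorted(n for n in manifest
                               if n in current and current[n] != manifest[n]),
            "missing": sorted(n for n in manifest if n not in current)}

def restore(primary, backup, manifest):
    # Copy back only backup files whose digest still matches the manifest,
    # so a corrupted backup is never written over the primary copy.
    report, restored = verify(primary, manifest), []
    for name in sorted(report["modified"] + report["missing"]):
        src = backup / name
        if src.is_file() and sha256_file(src) == manifest[name]:
            (primary / name).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, primary / name)
            restored.append(name)
    return restored

def demo():
    # Constructed sample data in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp, "primary"), Path(tmp, "backup")
        primary.mkdir()
        (primary / "contract.txt").write_text("net 30 payment terms\n")
        (primary / "customers.csv").write_text("id,name\n1,Example Co\n")
        manifest = build_manifest(primary)  # recorded while data is known good
        shutil.copytree(primary, backup)
        (primary / "contract.txt").write_text("net 90 payment terms\n")  # silent change
        (primary / "customers.csv").unlink()                             # accidental loss
        before = verify(primary, manifest)
        restored = restore(primary, backup, manifest)
        return {"before": before, "restored": restored, "after": verify(primary, manifest)}
```

Keep the manifest apart from the data it describes: a checksum stored beside the files catches accidental change, while file permissions and access control remain the guard against deliberate alteration.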

Availability

Availability is simply defined as guaranteeing reliable access to the data and taking every measure to ensure that the data is readily accessible—regardless of human errors or natural disasters—for ongoing business needs. It involves the usage of recovery sites, backups, and hardware maintenance.

Backup vs Archive

Sometimes the terms backup and archive are wrongly used interchangeably in the context of data protection, but they are separate concepts with different purposes.

The primary objective of a data backup is to make sure that the data is recoverable in the event of a disaster. Backups are additional copies of data used for getting the companies back up and running in case of primary data failure. So by definition, a backup is a short-term copy of the data since it’s regularly overwritten as the sensitive information in a business is changed and updated over time. Therefore, it’s not a proper solution for keeping the data long-term.

On the other hand, an archive is not a copy, but rather a primary instance of data that is no longer being used regularly. Since it’s inactive and no longer changing, the archived data is usually moved to be kept in more cost-effective storage systems. While these types of data are no longer necessary for ongoing business operations, they are still valuable and need to be preserved, either for compliance purposes and regulatory requirements or for occasional situations where access to them is required.

Copyright © The Katy News
