Encyclopedia of Security and Emergency Management

Living Edition
Editors: Lauren R. Shapiro, Marie-Helen Maras

Data Protection

  • M. Nazrul Islam
Living reference work entry
DOI: https://doi.org/10.1007/978-3-319-69891-5_95-1

Keywords

Data breach; Data security; Data availability; Data management; Top secret data

Definitions

Information: Anything that contains something which is timely delivered and will be useful to an audience.

Data: Binary bits stored on a digital media and processed by a processor. The bits can represent different types of information, text, audio, image, video, depending upon the software tool used to process the data.

Data security: Protection of digital data from unauthorized access, unintended modification, or fabrication, and ensuring safe delivery to authorized recipients.

Data breach: Unauthorized access to data.

Hardware: Digital devices that process, transmit, and store binary data.

Software: Programming codes that process binary data.

Introduction

We are living in a digital society where all our personal, social and professional activities involve either generation, processing, or storage of digital data. Every organization, small or large, private or federal, technical or nontechnical, deals with a huge amount of digital data, which contains either confidential, proprietary, or legal information; some may even be state top-secret information crucial to national security. With the growth of the Internet, digital and communication technologies, and mobile applications, use of data is increasing at an exponential rate (Gartner 2018). This growth, in turn, raises serious concerns about data security (Stallings and Brown 2018; Whitman and Mattord 2016). Protection of data from malicious attacks has become a great challenge for research and development (Muhleisen 2018).

The objective of this chapter is to present some fundamental concepts on the data security and protection techniques. It will begin with the basic characteristics of data from security perspectives. Threats to data will be discussed. Then different approaches to protect the data, including technological and sociological, will be presented.

Data Basics

From a digital point of view, data is simply a series of binary 1’s and 0’s stored in some electronic, optical, or magnetic medium or transported through a network connection. Different groups of digital data represent different types of information, which could be text, graphics, audio, or video. It is the set of hardware and software that translates between specific information and digital data. Therefore, security of data is primarily based on the type and importance of information.

“Information” is characterized by both “knowledge” and “communication” (Muhleisen 2018). Knowledge is recorded in some form, i.e., text, graphics, audio, video, and then is conveyed to its authorized user. Therefore, information is analyzed in security field by three main characteristics, namely, confidentiality, integrity, and availability (CIA). The first two characteristics connect to “knowledge,” while the third one refers to “communication” of information. Information characteristics are often explained using a CIA triad as shown in Fig. 1 (Stallings and Brown 2018).
  1. Confidentiality: Data is disclosed only to its authorized users. Any exposure to an unauthorized entity destroys the confidentiality of information, which may cause severe damage to the entities involved with the data.
  2. Integrity: Data remains whole, complete, and uncorrupted. Any malicious attack or simple technical failure may impact the consistency and accuracy of data, which destroys its trustworthiness.
  3. Availability: Data is available to its authorized user when asked for. Any interference or jamming in the communication medium or technical failure may cause unavailability of data, which destroys the purpose of the information.

Fig. 1

CIA triad of information security (Stallings and Brown 2018)

In addition to the above three prime characteristics, data is also described by a number of other parameters, some of which are listed below.
  1. Accuracy: The data delivered to the end user must contain the correct information. If the information is false or manipulated, the data loses its accuracy.
  2. Authenticity: The data communication includes information about the source/sender. It must be received from the source it claims to come from.
  3. Utility: The data must have some value or meaningful purpose to the end user when received.
  4. Possession: The source/sender and the destination/receiver must have appropriate legal rights concerning the data.

Data is also characterized by its state, which includes:
  1. Storage: Data is saved in a medium, which determines the accuracy and integrity of data.
  2. Processing: Data is processed using hardware and/or software, which determines the utility of data.
  3. Transmission: Data is traversing a network, which determines authenticity, integrity and availability of data.

Data Security

Before we talk about data protection, we need to understand how data can be hacked and hence lose its characteristics. As data is processed, stored, and transmitted using widely available digital technologies, it is vulnerable to a variety of threats. As a result, security of data and hence information is crucial to individual, organizational, and even national interests. Typical motives for malicious attacks on data include the following (Whitman and Mattord 2016).
  1. Status: Some people, who are computer savvy, play with software tools to destroy or manipulate some data just for fun.
  2. Revenge: People may take revenge by misusing some confidential data. For example, a terminated employee may destroy the company data.
  3. Economic gain: People or competing organizations may attack secure data for financial purposes.
  4. Political achievement: Use of the cyber domain is increasing for political movement, propaganda, spying and even civil war.

There are many different ways that confidential data can be attacked. Most of the attacks involve the communication network, as shown in Fig. 2a. The attack techniques can be categorized into the following four main groups (Fadia and Zacharia 2008).
  1. Interruption: The communication between the sender and the receiver is interrupted, or the source system is attacked such that the receiver cannot get the requested service from it, as depicted in Fig. 2b. The availability characteristic of data is lost.
  2. Interception: Figure 2c demonstrates how an unauthorized party intercepts the communication silently, without the knowledge of sender or receiver, and gets access to data. Data is no longer confidential.
  3. Modification: The attacker interrupts the direct communication between sender and receiver and diverts the data to itself, as shown in Fig. 2d. Then it sends the modified data to the receiver. The integrity of data is lost.
  4. Fabrication: The attacker sends false data to the receiver, pretending to be a legitimate sender, as demonstrated in Fig. 2e. The authentication of data fails.
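
Modification and fabrication are the two attack classes above that a receiver can detect with a keyed integrity check. The following is an added example, not part of the original entry: it uses HMAC-SHA256 from the Python standard library (a technique chosen for this example, which the entry does not name), and the function names and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def _tag(key: bytes, sender: bytes, data: bytes) -> bytes:
    # Length-prefix the sender so (sender, data) pairs cannot be confused.
    framed = len(sender).to_bytes(2, "big") + sender + data
    return hmac.new(key, framed, hashlib.sha256).digest()


def protect(key: bytes, sender: bytes, data: bytes) -> bytes:
    """Sender side: append a tag bound to the sender identity and the data."""
    return data + _tag(key, sender, data)


def verify(key: bytes, sender: bytes, message: bytes):
    """Receiver side: return the data if the tag checks out, otherwise None."""
    if len(message) < TAG_LEN:
        return None
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    # compare_digest is constant-time, so the comparison leaks nothing about the tag.
    return data if hmac.compare_digest(tag, _tag(key, sender, data)) else None


def run_scenarios():
    """Replay the entry's attack classes against one constructed message."""
    key = os.urandom(32)                # secret shared by sender and receiver only
    sender, data = b"alice", b"pay 100 to bob"      # constructed sample values
    sent = protect(key, sender, data)

    modified = b"pay 900 to bob" + sent[-TAG_LEN:]  # data altered, old tag reused
    fabricated = protect(os.urandom(32), sender, b"pay 500 to eve")  # wrong key
    return {
        "ideal": verify(key, sender, sent),
        "modification": verify(key, sender, modified),
        "fabrication": verify(key, sender, fabricated),
        # Interception: the data is still readable in transit; a tag is not encryption.
        "interception_reads_data": sent[:-TAG_LEN] == data,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The tag does nothing against interception or interruption: the data still travels in the clear and can still be blocked, so confidentiality and availability need separate controls.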

     

Data Protection

Fig. 2

Attack technologies: (a) ideal communication network, (b) interruption, (c) interception, (d) modification, (e) fabrication

Data protection is a complex process because it involves multiple different entities. In general, a data system includes the following components (Stair and Reynolds 2017):
  1. Hardware
  2. Software
  3. Data
  4. Network
  5. People
  6. Procedure

Threats to data can occur from any of the above components. As a result, a comprehensive data protection strategy needs to include the following three approaches:
  1. Technology
  2. Policy
  3. Education

In each of these categories, there is no single solution, rather a combination of multiple strategies.

Technological Solutions to Data Protection

Technological solutions depend on the state of the data, whether in storage, in processing, or in transmission. There are three main principles of data protection techniques:
  1. Preventing access to data
  2. Making data unreadable
  3. Monitoring data

Preventing Access to Data

The best approach is to make the confidential data completely inaccessible by any unauthorized party. Several techniques can be incorporated which will control and even block the communication to the data to be protected.

Firewall: A hardware technique or a software tool or a process or a combination to control and monitor the access requests to any data. Usually placed in the perimeter of a network, it checks for any malicious code or suspicious network communication to and from the data source.

Proxy Server: Conceals the secure data source in a network by isolating it from the external network. Ensures the anonymity of internal hosts and acts on their behalf to receive, process, and respond to any data communication requests from the outside network.

Bastion Host: System designed to represent the internal network to the outside world and withstand any attack targeted to secure data or systems.

Device Authentication: Any device plugged into a system or network needs to be authenticated before accessing or processing data.

Making Data Unreadable

Data is scrambled or hidden so that an intruder cannot read or interpret the data even if he/she gains access to it. There are two main data scrambling techniques:

Cryptography: Convert the data to a different form such that it is either unreadable or unusable by any intruder. A mathematical or logical algorithm translates the plaintext data using a single or a set of secret keys to a ciphertext data as demonstrated in Fig. 3. Only an authorized user having the right key can decrypt the ciphertext data back to plaintext data and then use it. Cryptographic techniques vary in encryption/decryption algorithms and selection and management of secret keys.
Fig. 3

Cryptography principle: (a) encryption, (b) decryption

Steganography: Process of hiding data inside other data which can be open to public. The most popular technique is hiding the data inside an image. The image before hiding data is called a cover image and that with data hidden is called a stego image. As shown in Fig. 4, the least significant bits of pixels are replaced by the confidential data such that the overall intensity or color of the stego image will not be significantly different from the cover image. There are more complex algorithms for choosing bits from the cover image and replacing them with data bits (Islam et al. 2015). Similarly, the confidential data can be hidden in a text message between alphabets by altering the given bits.
Fig. 4

Steganography principle
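
The least-significant-bit replacement described above, as an added example that is not part of the original entry. It works on a constructed list of 8-bit grayscale pixel values instead of a real image file; the 16-bit length prefix and all function names are assumptions of this example.

```python
HEADER_BITS = 16  # assumption of this example: 16-bit big-endian length prefix

def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover, secret: bytes):
    """Return a stego image: cover pixels with LSBs replaced by the payload."""
    if len(secret) >= 1 << HEADER_BITS:
        raise ValueError("secret too long for the length header")
    payload = len(secret).to_bytes(HEADER_BITS // 8, "big") + secret
    bits = list(_to_bits(payload))
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover)} bits, need {len(bits)}")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set the data bit
    return stego

def _read_bytes(pixels, start, count):
    """Rebuild count bytes from pixel LSBs beginning at pixel index start."""
    out = bytearray()
    for b in range(count):
        value = 0
        for p in pixels[start + 8 * b: start + 8 * b + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def extract(stego):
    """Recover the hidden bytes from a stego image produced by embed()."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BITS // 8), "big")
    if HEADER_BITS + 8 * length > len(stego):
        raise ValueError("length header exceeds image capacity; no valid payload")
    return _read_bytes(stego, HEADER_BITS, length)

def max_pixel_change(cover, stego):
    """Largest absolute intensity difference between cover and stego pixels."""
    return max(abs(c - s) for c, s in zip(cover, stego))

# Constructed 16x16 cover image (256 pixels, values 0..255), not real image data.
COVER = [(37 * i + 11) % 256 for i in range(256)]
SECRET = b"top secret"
STEGO = embed(COVER, SECRET)

if __name__ == "__main__":
    print(extract(STEGO), "max change per pixel:", max_pixel_change(COVER, STEGO))
```

No pixel moves by more than one intensity level, which is why the stego image is visually close to the cover image; the capacity check matters because one pixel carries only one bit.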

Monitoring Data

A hardware tool, a software tool, or a combination of the two can be designed to constantly monitor all activities involving data in all three states: storage, processing, and transmission. It logs each activity, distinguishes between authorized and suspicious activities, and generates alert messages for the data owner, user, or manager. In a network, it performs intrusion detection live. A smarter tool can also be designed to stop the suspicious activity as soon as it is detected.

Law and Policy for Data Protection

As data involves human users, in addition to hardware and software, technological solutions alone cannot ensure data protection. Therefore, data protection approaches involve laws and policies.

Data Protection Act

European Union’s General Data Protection Regulation (GDPR) was transposed into the United Kingdom’s law as the “Data Protection Act 2018” to control personal information used by any organization. It ensures the proper use of data.
  1. Data is used fairly, lawfully and transparently.
  2. Data is used for specified and explicit purposes.
  3. Data is used in a way that is adequate, relevant and limited to only what is necessary.
  4. Data is accurate and, where necessary, kept up to date.
  5. Data is kept for no longer than is necessary.
  6. Data is handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.

The Act gives an individual the following rights over personal data stored by an organization.
  1. Know how the data is used.
  2. Access the data.
  3. Update any incorrect data.
  4. Erase data.
  5. Stop or restrict processing the data.
  6. Receive and reuse data for different services.
  7. Monitor how data is processed in certain circumstances.

Security Policy

A data protection policy is usually designed by an organization to govern the data usage and prosecution procedure. A policy typically includes the following components:
  1. How to use the organization’s data resources safely.
  2. How to respond to any data breaches.
  3. What defenses should be incorporated.

There are certain guidelines on how to devise an effective data protection policy (Whitman and Mattord 2016):
  1. It needs to be comprehensive and include all possible scenarios.
  2. It should be open to revisions and updates.
  3. It should be simple and easy to understand.
  4. It should define what data and activities are subject to organization policy.
  5. It should be available to all data users.
  6. There should be a procedure to enforce the policy while data is in use.
  7. Users should be warned about the penalty for mishandling data.

Security Awareness

No matter how sophisticated technology is implemented and/or how vibrant policy is devised, data will not be safe unless the human users are well educated and well aware of consequences of data breaches. The users must understand the significance of data to the organization, learn the technology and how to use data, and realize the penalty for policy violation.

Security awareness can be incorporated through a number of activities as follows.
  1. Security Training: The users need to be trained on the data usage and protection schemes. Such training must be included in the new-employee orientation program. In addition, there should be frequent workshops and seminars to keep them updated on the data protection techniques and policy.
  2. Security Drills: Like fire drills, security drills can be designed and implemented in order to assess the users’ performance in case of malicious incidents.
  3. Security Alerts: Warning messages, emails, pop-up windows, and several other strategies should be adopted to keep the users aware of data protection techniques and policies.

Conclusion

Digital data contains confidential information that is crucial to individuals, organizations and the nation. Data needs to be protected from access, modification or destruction by any unauthorized party. There are three approaches to protect data, namely, technology, policy, and education. Technological schemes involve hardware and software tools to prevent access to data, hide data from intruders, and constantly monitor the data operations. Laws and policies reserve the rights of different entities involved with data, namely, users, owners, senders, and recipients. Finally, security awareness programs, including training, drills, and alerts, educate the users and keep them updated on the safe usage of data.

The world is moving around digital data which are very vulnerable to many different types of attacks. The most challenging part is that the hackers are always developing new attack technologies. Therefore, data protection techniques should be innovative, dynamic, and proactive. All three approaches to data protection, technology, policy, and education need to function efficiently, in synchronization and in depth in order to defend against any malicious attack on data.

References

  1. Fadia, A., & Zacharia, M. (2008). Network intrusion alert: An ethical hacking guide to intrusion detection. Boston, Massachusetts: Course Technology.
  2. Gartner. (2018). Gartner worldwide IT spending forecast, Gartner Market Databook. https://www.gartner.com
  3. Islam, M. N., Islam, M. F., & Shahrabi, K. (2015). Robust information security system using steganography, orthogonal code and joint transform correlation. International Journal for Light and Electron Optics, 126, 4026–4031.
  4. Muhleisen, M. (2018). The long and short of digital revolution. Finance & Development, International Monetary Fund.
  5. Stair, R. M., & Reynolds, G. W. (2017). Fundamentals of information systems. Boston, Massachusetts: Cengage Learning.
  6. Stallings, W., & Brown, L. (2018). Computer security: Principles and practice. Upper Saddle River, New Jersey: Pearson.
  7. Whitman, M. E., & Mattord, H. J. (2016). Principles of information security. Boston, Massachusetts: Cengage Learning.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Farmingdale State College, State University of New York, Farmingdale, USA