When it comes to protecting your data and systems you will have security in place to stop external access and attacks. But a security breach can just as easily come from inside your own company, so when thinking about your information security you should protect your data from internal as well as external breaches.
These internal breaches can come from people who already have authorised access to your systems: IT teams, administrators and ordinary system users, whether through malice, mistake or a compromised account.
How do you provide maximum protection for your data whilst still allowing your teams to do their jobs?
Who really needs access to your data – and who can actually see it?
When considering internal system access you will no doubt have thought carefully about giving users access only to the systems and data they need. You will have password policies in place to make sure the passwords your users choose are long and strong (current guidance favours length and screening against known-breached passwords over forced regular changes, which tend to produce weaker, predictable passwords). You may also have linked your systems to LDAP or Active Directory so that authentication is managed centrally.
But what about your IT team? They can access your database directly to carry out administrative tasks, and that access is not limited by the permissions your application enforces.
If your IT is outsourced to a third-party organisation, its staff could have the same access to your sensitive information. The same applies to the staff of a hosting provider if your system is hosted for you.
Encrypting data ‘at rest’
Encrypting data when it is ‘at rest’ helps to protect sensitive information from anyone who reads it through the database rather than through the application. The sensitive values are stored in encrypted form within the database tables and are decrypted only when viewed from within the application. So even if your IT team can query the raw tables, what they see is ciphertext. Two caveats matter here. First, this protection comes from the application encrypting the data before it is written, not from transparent disk or tablespace encryption: the latter protects against stolen disks and backups but decrypts automatically for anyone who can run a query, administrators included. Second, the encryption keys must be held somewhere the database administrators cannot reach, such as a key management service used by the application tier; a key stored on the database server is available to exactly the people you are trying to protect against.
Protecting your data from authorised internal users
Your teams need access to information in order to carry out their jobs successfully, and you will have set up the relevant security measures to control access to your systems. But once your users are logged in, do they really need access to all the information held in the system to do their jobs?
Restricting each user to the rows and columns they actually need is the first step. If an account is then compromised or misused, the exposure is limited to that subset of the data rather than the whole database.
Field-level data encryption adds an extra layer of protection by obscuring individual sensitive values while still giving your users the data they need. Field-level encryption lets you restrict access to identifiable or commercially sensitive information, such as date of birth, email address, postal address and surname, while your users can still see the enquiries made or the biological samples provided and complete their processes.
When this is combined with rules-based decryption, users see the decrypted values only when your rules allow it. The rules are expressed in terms of your own data: for example, the record must be linked to an event or project the user has been assigned to, or the record set must have been approved. Because the rule is evaluated by the application each time the data is displayed, even an administrator or advanced user sees only the sensitive data the rule permits.
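The following Go program is an added example, not code from the original article or from any product it describes. It puts the two ideas above together: the application encrypts only the identifying columns of a row before it is written (so a database administrator running SELECT * sees the enquiry text but only ciphertext for surname and email), and decrypts them on display only when the rules-based check passes (the viewer is assigned to the record's project, or the record set is approved). The table name "enquiries", the column names, the sample row and the 32-byte demo key are all assumptions made up for the example; the key would come from a KMS or HSM held by the application tier in practice. AES-256-GCM from the Go standard library is used, with the row id, project and column name bound in as associated data so that a ciphertext copied to another row or column, or a row re-pointed at a project the viewer belongs to, fails to decrypt instead of revealing someone else's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// Row is one row of a hypothetical "enquiries" table (column name -> stored value);
// only the identifying columns listed below are encrypted, "enquiry" stays in clear.
type Row map[string]string
var sensitiveColumns = []string{"surname", "email"}

// NewFieldCipher builds the AEAD for the sensitive columns. The key belongs to the
// application tier (a KMS or HSM), never to the database host that IT administers.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// fieldAAD binds a ciphertext to its row, project and column: a value copied to another
// row or column, or a row re-pointed at the viewer's project, fails authentication.
func fieldAAD(row Row, column string) []byte {
	return []byte("enquiries/" + row["id"] + "/" + row["project"] + "/" + column)
}

// encryptField returns base64(nonce || AES-GCM ciphertext) under a fresh random nonce.
func encryptField(gcm cipher.AEAD, plaintext string, aad []byte) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), aad)), nil
}

// decryptField fails on a wrong key, a tampered value or a mismatched AAD; callers surface that.
func decryptField(gcm cipher.AEAD, encoded string, aad []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext: %v", err)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRow encrypts the sensitive columns in place before the INSERT, so SELECT *
// on the database shows the enquiry text but only ciphertext for the identifiers.
func StoreRow(gcm cipher.AEAD, row Row) error {
	for _, col := range sensitiveColumns {
		ct, err := encryptField(gcm, row[col], fieldAAD(row, col))
		if err != nil {
			return err
		}
		row[col] = ct
	}
	return nil
}

// MayDecrypt is the rules-based check: the viewer is assigned to the row's project, or the
// record set has been approved. Roles are not consulted, so an admin off the project is masked.
func MayDecrypt(assigned map[string]bool, row Row) bool {
	return assigned[row["project"]] || row["approved"] == "true"
}

// Reveal returns the sensitive columns as this viewer may see them: decrypted when
// MayDecrypt passes, "[redacted]" otherwise.
func Reveal(gcm cipher.AEAD, assigned map[string]bool, stored Row) (Row, error) {
	out := Row{}
	for _, col := range sensitiveColumns {
		if !MayDecrypt(assigned, stored) {
			out[col] = "[redacted]"
			continue
		}
		pt, err := decryptField(gcm, stored[col], fieldAAD(stored, col))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", col, err)
		}
		out[col] = pt
	}
	return out, nil
}

func main() {
	gcm, _ := NewFieldCipher([]byte("constructed-demo-key-32-bytes!!!")) // use a KMS-held key in practice
	row := Row{"id": "42", "project": "P1", "approved": "false", "enquiry": "sample batch 7 delayed", "surname": "Jones", "email": "a.jones@example.com"}
	if err := StoreRow(gcm, row); err != nil {
		panic(err)
	}
	fmt.Println("as stored (what a DBA sees):", row)
	for name, assigned := range map[string]map[string]bool{"alice": {"P1": true}, "admin": nil} {
		v, err := Reveal(gcm, assigned, row)
		fmt.Println(name, "sees:", v, "err:", err)
	}
}
```

Two points of the design are worth noting. Decryption errors are returned to the caller rather than quietly replaced with a blank, so a tampered or moved value is noticed. And the rule inputs are themselves data: the "approved" flag here is trusted as stored, so someone who can write to the table could flip it; in a real deployment that flag should come from a system the database administrators cannot edit, or be bound into the associated data at approval time, as the project already is.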
Final thoughts on protecting your data from potential internal security breaches
When thinking about your data security don’t forget to consider everyone who can access your data, internally and externally. Making sure internal access to your systems is carefully controlled, with strong authentication and each account limited to what that person needs, is just the first step. Encrypting sensitive fields so that they are readable only through the application, and only when your rules allow, bolsters those measures and helps protect against both internal and external security breaches.