Data security aims to protect digital data from attackers, from the unwanted actions of unauthorized users and accidental disclosure such as a cyber attack or a data breach.
Data at Rest
- Stored in database
- file servers
- secure environments (ex. Cardholder Data Environments)
- Backup Data (HDD, USB Data, Tape Drives, CD/DVDs)
- Physical Data (paper forms, xerox copies)
Data in Transit
- Web Services
- HTTP, HTTPS, FTP, FTPS
- Sensitive Data Sharing (encryption)
- Hash comparison after downloading the files.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
NIST Special Publication 800-122[5] defines PII as “any information about an individual maintained by an agency, including
- any information that can be used to distinguish or trace an individual’s identity, such as name, AADHAR, social security number, date and place of birth, mother’s maiden name, or bio-metric records; and
- any other information that is linked or link-able to an individual, such as medical, educational, financial, and employment information.”
So, for example, a user’s IP address is not classed as PII on its own, but is classified as linked PII.
Refer – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
Following are the key concepts associated with Data Protection.
- Data Discovery
- Data Classification
- Data Retention
- Data Erasure
- Data Roles
- Data Security Vs. Data Protection
- Encoding
- Encryption
- Hashing
- Symmetric Encryption
- Asymmetric Encryption
- Key Management