Jump to content

Data security

From Wikipedia, the free encyclopedia
Not to be confused with Data privacy.

Data security or data protection is the process of securing digital information to protect it from online threats. Data security or protection means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users,[1] such as a cyberattack or a data breach.[2] Data security protects computer hardware, software, storage devices, and the data of user devices. Data security also protects the data of organizations, companies and administrative controls.

Data security guarantees the protection of individual data, such as identity documents and bank data, and protects against unauthorized access, theft and loss of individual data. Data security also protects data breaches that occurs in companies and industries. Good security measures in industries reduce the probability of data breaches, and employees can rely on the company with their data and private information to be kept secured while companies can continue to maintain a stable reputation.[3]

The CIA Triad (Confidentiality, Integrity, and Availability) is what is used to practice what an information security is required to follow. Confidentiality, protects information from being accessed unauthorized; Integrity, makes sure data is trustworthy; and Availability, meaning that data can be accessed by approved users when it is needed; are three goals for data security.[4] Non-repudiation in data security definition, is a device/service that shows where the data originated from and the proof of integrity.[5]

Technologies

[edit]

Disk encryption

[edit]
Main article: Disk encryption

Disk encryption refers to encryption technology that encrypts data on a hard disk drive. It takes data from a storage device and coverts it into an unreadable format. Disk encryption typically takes form in either software (see disk encryption software) or hardware (see disk encryption hardware) which can be used together. Disk encryption is often referred to as on-the-fly encryption (OTFE) or transparent encryption. Full disk encryption encrypts each individual sector of a disk volume. Files and user data are encrypted to hinder unauthorized users from accessing without a decryption key. A diversifier permits a plaintext of a specific disk sector to be encrypted into different ciphertexts, which does not require additional storage, such as an initialization vector (IV) or message authentication code (MAC).[6]

Software versus hardware-based mechanisms for protecting data

[edit]

Software-based security solutions encrypt the data to protect it from theft. However, a malicious program or a hacker could corrupt the data to make it unrecoverable, making the system unusable. Hardware-based security solutions prevent read and write access to data, which provides very strong protection against tampering and unauthorized access.[7]

Hardware-based security or assisted computer security offers an alternative to software-only computer security. Security tokens such as those using PKCS#11 or a mobile phone may be more secure due to the physical access required in order to be compromised.[8] Access is enabled only when the token is connected and the correct PIN is entered (see two-factor authentication). However, dongles can be used by anyone who can gain physical access to it. Newer technologies in hardware-based security solve this problem by offering full proof of security for data.[9]

Working off hardware-based security: A hardware device allows a user to log in, log out and set different levels through manual actions. Many devices use biometric technology to prevent malicious users from logging in, logging out, and changing privilege levels. The current state of a user of the device is read by controllers in peripheral devices such as hard disks. Illegal access by a malicious user or a malicious program is interrupted based on the current state of a user by hard disk and DVD controllers making illegal access to data impossible.[10] Hardware-based access control is more secure than the protection provided by the operating systems as operating systems are vulnerable to malicious attacks by viruses and hackers. The data on hard disks can be corrupted after malicious access is obtained. With hardware-based protection, the software cannot manipulate the user privilege levels. A hacker or a malicious program cannot gain access to secure data protected by hardware or perform unauthorized privileged operations. This assumption is broken only if the hardware itself is malicious or contains a backdoor.[11] The hardware protects the operating system image and file system privileges from being tampered with. Therefore, a completely secure system can be created using a combination of hardware-based security and secure system administration policies.

Backups

[edit]
Main article: Backup

Backup is the process of reproducing copies of essential data and storing in a separate, secured place. It is used to ensure data that is lost can be recovered from another source. Backups contains a minimum of one copy of the data that requires preservation.[12] It is considered essential to keep a backup of any data in most industries and the process is recommended for any files of importance to a user.[13]

There are 3 types of backups; full backups, incremental backups, and differential backups. Full backups secure all data from a production system, such as a server, database, or other connected data source. It is impossible to lose all data in a full backup if a breach or corruption were to occur. Full backups require a significantly large amount of time to back up and may be time-consuming taking hours to days to complete.[14] Incremental backups only secures changed data since last backup. While all backups are done in full backups, incremental backups only save data that is recently or frequently changed. Incremental backups require lower storage costs making it a prominent solution for growing datasets.[15]

Data Privacy

[edit]
Main article: Data privacy

Data privacy (or information privacy) is the right for individual's data to be secured to obstruct the use of unauthorized access. It gives individuals control over their data and how it can be shared to thrid parties. The U.S Privacy Protection Law (see Privacy laws of the United States) requires organizations to inform individuals of how their data is collected and when a data breach occurs.[16] By implementing an encryption, it ensures that private data is unreadable to cybercriminals.[17]

Data masking

[edit]
Main article: Data masking

Data masking of structured data is the process of obscuring (masking) specific data within a database table or cell to ensure that data security is maintained and sensitive information is not exposed to unauthorized personnel.[18] This may include masking the data from users (for example so banking customer representatives can only see the last four digits of a customer's national identity number), developers (who need real production data to test new software releases but should not be able to see sensitive financial data), outsourcing vendors, etc.[19] Data masking is a form of encryption, as it obscures data by modifying particular letters and numbers to keep data concealed and protected from potential hackers. The individual that has access to the code that decrypts the replaced characters are the only ones that can uncover the data. [20]

Data erasure

[edit]
Main article: Data erasure

Data erasure (or data deletion, data destruction) is a method of software-based overwriting that permanently clears all electronic data residing on a hard drive or other digital media to ensure that no sensitive data is lost when an asset is retired or reused. [21] Article 17: Right to be Forgotten states that users have the right to permanently remove all of their private information from their old devices/services to give people more control over their data. Users are able to switch between devices efficiently.[22]

Threats

[edit]

Malware

[edit]

Malware (or malicious software) is designed to destroy, corrupt or gain unauthroized access to a computer for the purpose of stealing, or destroying data.[23] Hackers who use malware typically utilize many types of malware, which includes computer virus, computer worms, ransomware, spyware and Trojan horse to create a vast system of desruption and cause easy data theft.[24] One of the victims of the vast system of desruption includes healthcare workers, who are targeted by compromised systems by infections and then having their data attacked. [25]

Phishing

[edit]

Phishing is a type of scam that allows hackers to hoax people using psychological and social engineering (using human emotions such as their trust and fear) tactics into giving personal data through emails and messages, and install computer viruses if the individual were to click on a malicious link unknowingly. Attackers are able to create websites that are very similar to original webistes, which makes it dificult to detect a fake website, causing individuals to fall for giving in information. [26] Phishing attackers use human emotion to exploit them, such as making them feel fear, urgency, sympathy with the message being sent by the sender. [27] Emails (Or Email spoofing) with impersonated companies and fake websites copying the original are ways to exploit people. Email spoofing show false names and emails of the original ones to copy several banks, comanies and agencies, using warnings to manipulate people into feeling urgent about the email. [28]

International laws and standards

[edit]

International laws

[edit]

In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies.[29] This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information and cannot be shared. Data Privacy Day is an international holiday started by the Council of Europe that occurs every January 28. [30]

Since the General Data Protection Regulation (GDPR) of the European Union (EU) became law on May 25, 2018, organizations may face significant penalties of up to €20 million or 4% of their annual revenue if they do not comply with the regulation.[31] It is intended that GDPR will force organizations to understand their data privacy risks and take the appropriate measures to reduce the risk of unauthorized disclosure of consumers’ private information. [32]

International standards

[edit]

The international standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013 cover data security under the topic of information security, and one of its cardinal principles is that all stored information, i.e. data, should be owned so that it is clear whose responsibility it is to protect and control access to that data.[33][34] The following are examples of organizations that help strengthen and standardize computing security:

The Trusted Computing Group is an organization that helps standardize computing security technologies.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary international information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machines, and point of sale cards.[35]

The General Data Protection Regulation (GDPR) proposed by the European Commission will strengthen and unify data protection for individuals within the EU, whilst addressing the export of personal data outside the EU.

Safeguards

[edit]

The four types of technical safeguards are access controls, flow controls, inference controls, and data encryption. Access controls manage user entry and data manipulation, while flow controls regulate data dissemination. Inference controls prevent deduction of confidential information from statistical databases and data encryption prevents unauthorized access to confidential information.[36] Health Insurance Portability and Accountability Act (HIPPA) is a law that requires entities such as healthcare providers to keep patient confidentiality for three reuired safeguards: administrative, physical, and technical.[37]

See also

[edit]

References

[edit]
  1. ^ Summers, G. (2004). Data and databases. In: Koehne, H Developing Databases with Access: Nelson Australia Pty Limited. p4-5.
  2. ^ "Knowing Your Data to Protect Your Data". IT Business Edge. 2017-09-25. Retrieved 2022-11-03.
  3. ^ "Data Security: Definition, Importance, and Types". Fortinet. Retrieved 2025-10-26.
  4. ^ "Home - International Journal Of Engineering And Advanced Technology (IJEAT)". Retrieved 2025-12-01.
  5. ^ Mohammed, Noor Sabah; Dawood, Omar Abdulrahman; Sagheer, Ali Makki; Nafea, Ahmed Adil (2024-01-01). "Secure Smart Contract Based on Blockchain to Prevent the Non-Repudiation Phenomenon". مجلة بغداد للعلوم. 21 (1). doi:10.21123/bsj.2023.8164. ISSN 2078-8665.
  6. ^ Rupp, Eduard; Syrmoudis, Emmanuel; Grossklags, Jens (2022). "Leave No Data Behind – Empirical Insights into Data Erasure from Online Services". Proceedings on Privacy Enhancing Technologies. ISSN 2299-0984.
  7. ^ Bars, Nils; Bernhard, Lukas; Schloegel, Moritz; Holz, Thorsten (2025-09-10), Empirical Security Analysis of Software-based Fault Isolation through Controlled Fault Injection, arXiv, doi:10.48550/arXiv.2509.07757, arXiv:2509.07757, retrieved 2025-12-01
  8. ^ Thanh, Do van; Jorstad, Ivar; Jonvik, Tore; Thuan, Do van (2009). "Strong authentication with mobile phone as security token". 2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems. pp. 777–782. doi:10.1109/MOBHOC.2009.5336918. ISBN 978-1-4244-5114-2. S2CID 5470548.
  9. ^ Stubbs, Rob (Sep 10, 2019). "Why the World is Moving to Hardware-Based Security". Fortanix. Retrieved 30 September 2022.
  10. ^ Chatterjee, Durba; Maitra, Shuvodip; Mishra, Nimish; Shukla, Shubhi; Mukhopadhyay, Debdeep (2025-09). "Hardware Security in the Connected World". WIREs Data Mining and Knowledge Discovery. 15 (3). doi:10.1002/widm.70034. ISSN 1942-4787. {{cite journal}}: Check date values in: |date= (help)
  11. ^ Waksman, Adam; Sethumadhavan, Simha (2011), "Silencing Hardware Backdoors" (PDF), Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, archived (PDF) from the original on 2013-09-28
  12. ^ "What is Backup and Recovery? | Learn Data Backup Solutions". Cohesity. Retrieved 2025-10-26.
  13. ^ "Back-ups | Stay Smart Online". Archived from the original on 2017-07-07.
  14. ^ "What is Backup and Recovery? | Learn Data Backup Solutions". Cohesity. Retrieved 2025-10-26.
  15. ^ Jackson, Kevin (2024-04-08). "Incremental vs. Differential Backup: Balancing Speed and Storage". Trilio. Retrieved 2025-10-26.
  16. ^ "What Is Data Privacy? Definition & Protection | Proofpoint US". Proofpoint. 2021-06-29. Retrieved 2025-10-27.
  17. ^ "Data Privacy and Security: How to Safeguard Information in the Digital Age | Ironhack Blog". www.ironhack.com. Retrieved 2025-10-27.
  18. ^ "Data Masking Definition". Archived from the original on 2017-02-27. Retrieved 1 March 2016.
  19. ^ "data masking". Archived from the original on 5 January 2018. Retrieved 29 July 2016.
  20. ^ "Data Security: Definition, Importance, and Types". Fortinet. Retrieved 2025-10-26.
  21. ^ Michael Wei; Laura M. Grupp; Frederick E. Spada; Steven Swanson (2011). "Reliably Erasing Data From Flash-Based Solid State Drives". FAST'11: Proceedings of the 9th USENIX conference on File and storage technologies. Wikidata Q115346857. Retrieved 2022-11-22.
  22. ^ Rupp, Eduard; Syrmoudis, Emmanuel; Grossklags, Jens (2022). "Leave No Data Behind – Empirical Insights into Data Erasure from Online Services". Proceedings on Privacy Enhancing Technologies. ISSN 2299-0984.
  23. ^ Babulak, Eduard, ed. (2023). Malware : Detection and Defense. IntechOpen.
  24. ^ "Procedia Computer Science | Journal | ScienceDirect.com by Elsevier". www.sciencedirect.com. Retrieved 2025-12-01.
  25. ^ Sharmeen, Shaila; Huda, Shamsul; Abawajy, Jemal H.; Ismail, Walaa Nagy; Hassan, Mohammad Mehedi (2018). "Malware Threats and Detection for Industrial Mobile-IoT Networks". IEEE Access. 6: 15941–15957. doi:10.1109/ACCESS.2018.2815660. ISSN 2169-3536.
  26. ^ Zhang, Penghui; Oest, Adam; Cho, Haehyun; Sun, Zhibo; Johnson, RC; Wardman, Brad; Sarker, Shaown; Kapravelos, Alexandros; Bao, Tiffany; Wang, Ruoyu; Shoshitaishvili, Yan; Doupé, Adam; Ahn, Gail-Joon (2021-05). "CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing". 2021 IEEE Symposium on Security and Privacy (SP): 1109–1124. doi:10.1109/SP40001.2021.00021. {{cite journal}}: Check date values in: |date= (help)
  27. ^ "What Is Phishing: Understand Cyber Threats and Prevention | ACC Newsroom | Austin Community College District". 2025-10-16. Retrieved 2025-12-01.
  28. ^ Lee, Jaeil; Lee, Yongjoon; Lee, Donghwan; Kwon, Hyukjin; Shin, Dongkyoo (2021). "Classification of Attack Types and Analysis of Attack Methods for Profiling Phishing Mail Attack Groups". IEEE Access. 9: 80866–80872. doi:10.1109/ACCESS.2021.3084897. ISSN 2169-3536.
  29. ^ "data protection act". Archived from the original on 13 April 2016. Retrieved 29 July 2016.
  30. ^ Peter Fleischer, Jane Horvath, Shuman Ghosemajumder (2008). "Celebrating data privacy". Google Blog. Archived from the original on 20 May 2011. Retrieved 12 August 2011.{{cite web}}: CS1 maint: multiple names: authors list (link)
  31. ^ "GDPR Penalties". Archived from the original on 2018-03-31.
  32. ^ "Detect and Protect for Digital Transformation". Informatica. Retrieved 27 April 2018.
  33. ^ "ISO/IEC 27001:2013". ISO. 16 December 2020. Retrieved 2022-11-03.
  34. ^ "ISO/IEC 27002:2013". ISO. 15 April 2021. Retrieved 2022-11-03.
  35. ^ "PCI DSS Definition". Archived from the original on 2 March 2016. Retrieved 1 March 2016.
  36. ^ Denning, Dorothy E., and Peter J. Denning. "Data security." ACM computing surveys (CSUR) 11.3 (1979): 227-249.
  37. ^ Security, Stephen Cavey Blog Post Cybersecurity Data. "Three Safeguards You Need For the HIPAA Security Rule | Ground Labs". www.groundlabs.com. Retrieved 2025-10-27.
[edit]
Wikimedia Commons has media related to Data security.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Data_security&oldid=1325103594"