Dex Tovin: Jul 5, 2022 7:11:28 AM
The principles of data security are pretty simple, although organizations have a tendency to shortcut them in their SDLCs. Data security is defined as the protection of data from theft or loss by unauthorized access, use, disclosure, modification, or destruction. In this article, we’ll review those key data security principles.
Data security is often paired with the terms data protection and data privacy. Oftentimes, data privacy and data protection are used interchangeably when they are actually two different things. Here’s the difference:
Data protection:
The act of creating duplicates of data as a method of ensuring that someone will always have access to the data, even in the case of a breach or other unforeseen corruption. Simply put, it’s making copies to make sure data is never lost.
Data privacy:
Refers to regulations and best practices around whose eyes have access to the data within an organization or as a third party. It’s a matter of how the data is handled and managed.
There are many different approaches to data security, but here are a few common methods and data security best practices that businesses can use to protect themselves:
Data security has always been a significant concern for companies. That concern extends to sensitive data in your pre-production development environments.
Depending upon the type of data, a breach could result in many different unfortunate situations for your organization, including data falling into the hands of competitors, data integrity being compromised, a loss in reputation to the public, regulatory fines and penalties, or other types of financial loss.
Code and application data are no exception.
It’s more than just the intellectual property at stake, since source code, Infrastructure-as-Code, and test data can contain embedded secrets and passwords providing access to other critical resources, or contain sensitive Personally Identifiable Information (PII) and other private data that can result in regulatory fines and penalties if handled improperly.
Let’s revisit some data security best practices you can apply within your SDLC to make sure your code and application data is safe.
A data security strategy should guide your data security activities and include:
Documenting the process your data should take from the moment it enters your organization until it's no longer needed.
An assessment of your company's data security risk and the threats that have happened or could happen in the future.
How your data will be recovered in case of an emergency.
Establishing the rules for who can read, update and delete certain information. That includes the principle of "least privilege", so that users have the access rights required to do their job but nothing more.
The process of controlling, monitoring and accessing data storage resources and devices.
Specifying the tools used to ensure data security and to monitor for any unusual activity.
This describes how security controls and tools are to be deployed, what various stakeholders are allowed to do with company data, what they are not allowed to do, how to report suspicious activity, and how to respond to various security incidents.
This should be an up-to-date collection of any regulatory compliance requirements, as well as how your organization is expected to maintain compliance.
One of the easiest ways to enhance your data security is to only grant access to the data resources needed for each individual to do their work, and nothing more.
Granting broad access to data may at first appear more convenient, but it is asking for future data security abuse or an attack.
Many businesses do not reevaluate who needs access to data frequently enough.
Regular reevaluation helps address one of the primary causes of data breaches – internal threats.
It’s important to note that internal threats aren’t always intentional; in fact, most often they are unintentional. But by consistently reevaluating access levels, you’re protecting users from themselves, since they don’t always understand or follow data security best practices.
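One way to run the periodic access reevaluation described above, shown as an added example that is not part of the original article. The grant list, audit events, repository names, and the 90-day idle threshold are all constructed assumptions; the check compares what each user was granted against what they actually exercised.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system).
# Grants: (user, repository, permission granted)
GRANTS = [
    ("alice", "payments-api", "write"),
    ("alice", "infra-terraform", "admin"),
    ("bob", "payments-api", "write"),
    ("bob", "test-data", "read"),
    ("carol", "infra-terraform", "write"),
]
# Audit events: (day, user, repository, permission actually exercised)
EVENTS = [
    (date(2022, 6, 28), "alice", "payments-api", "write"),
    (date(2022, 6, 30), "bob", "payments-api", "read"),
    (date(2022, 2, 1), "alice", "infra-terraform", "read"),
    (date(2022, 7, 1), "carol", "infra-terraform", "write"),
]
LEVEL = {"read": 1, "write": 2, "admin": 3}


def review_access(grants, events, today, max_idle_days=90):
    """Recommend revoking unused grants and downgrading over-broad ones."""
    cutoff = today - timedelta(days=max_idle_days)
    used = {}  # (user, repo) -> highest level exercised inside the window
    for day, user, repo, perm in events:
        if day >= cutoff:
            key = (user, repo)
            used[key] = max(used.get(key, 0), LEVEL[perm])
    findings = []
    for user, repo, perm in grants:
        seen = used.get((user, repo), 0)
        if seen == 0:
            # Never exercised within the window: least privilege says remove it.
            findings.append((user, repo, "revoke"))
        elif seen < LEVEL[perm]:
            # Granted more than was ever needed: reduce to the level observed.
            needed = next(name for name, lvl in LEVEL.items() if lvl == seen)
            findings.append((user, repo, f"downgrade {perm}->{needed}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(GRANTS, EVENTS, today=date(2022, 7, 5)):
        print(finding)
```

The recommendations are input for a human reviewer, since an idle grant can still be legitimate (for example, break-glass access).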
A few things to think about when it comes to threats to data at rest and in motion are where data is stored, any entry points, exit points, and what data can be destroyed. Source code development within the SDLC and source code progression throughout CI/CD pipelines can absolutely benefit from this line of thinking.
Developer access to data should be actively monitored, and the cloning or forking of code to different repositories should be tracked, including monitoring the use of both private and public repositories of data. Additionally, when data is no longer needed or repositories are no longer being used they should be deleted.
Proactively identifying vulnerabilities and risks is a best practice for data security. Your data security policies should include running vulnerability and risk assessments at defined intervals. The interval selected depends upon several factors, including the type of data and its sensitivity.
Source code and application data undergo very frequent modification and change, so an automated approach to vulnerability assessment is necessary. Several security tools are available to automatically scan not just the code, but also the SDLC pipelines, systems and infrastructure used to handle application data for vulnerabilities and risks. By leveraging these automated security scanning tools, you can perform assessments continuously rather than at lengthy defined intervals.
Chances are good that you might have sensitive data stored in a vulnerable location that you’re not aware of. Discovery efforts can be conducted manually, but doing so is time-consuming and not scalable, particularly for CI/CD pipelines that change continually. That’s where automated discovery tools for the software supply chain come in. These tools discover code repositories, build servers, artifact repositories and more to help organizations spot hidden or unused data, among many other security purposes.
One important way to increase data security is to regularly monitor access activity. This can help you keep track of what’s going on with your data and flag any suspicious activity before it becomes a bigger problem. Security tools can be used to create alerts and notify you if something out of the ordinary happens.
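The monitoring described above, and the earlier point about tracking clones and forks of code, can be sketched as a small detection over repository audit events. This is an added example, not part of the original article: the key=value log format, user and repository names, and the thresholds are constructed assumptions rather than the output of any particular product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log lines in a hypothetical key=value format.
LOG = """\
2022-07-04T09:00:00 user=alice action=clone repo=payments-api dest=internal
2022-07-04T09:01:10 user=dave action=clone repo=payments-api dest=internal
2022-07-04T09:02:30 user=dave action=clone repo=infra-terraform dest=internal
2022-07-04T09:03:05 user=dave action=clone repo=test-data dest=internal
2022-07-04T09:04:40 user=dave action=clone repo=billing-core dest=internal
2022-07-04T11:30:00 user=bob action=fork repo=payments-api dest=public
2022-07-04T15:00:00 user=alice action=clone repo=infra-terraform dest=internal
"""


def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(log, max_repos=3, window=timedelta(minutes=10)):
    """Return alerts for bulk cloning and for copies made to a public repository."""
    alerts = []
    recent = defaultdict(deque)  # user -> (timestamp, repo) pairs inside the window
    for event in map(parse, log.strip().splitlines()):
        user, repo, ts = event["user"], event["repo"], event["ts"]
        if event["dest"] == "public":
            alerts.append((user, "public-copy", repo))
        if event["action"] != "clone":
            continue
        queue = recent[user]
        queue.append((ts, repo))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop clones that fell out of the sliding window
        distinct = {r for _, r in queue}
        if len(distinct) > max_repos:
            alerts.append((user, "bulk-clone", len(distinct)))
            queue.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```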
Your code and application data are among your organization’s most valuable assets. If an unauthorized individual accesses them, you could fall victim to unwanted data exposure, modification, corruption, or deletion.
By adhering to the tips and best practices in this article, you stand a greatly improved chance that your code and application data will remain safe within your SDLC.