In January 2021, a Brazilian database of 30 terabytes was compromised, containing details of 104 million vehicles and about 40 million companies, with a possible 220 million people affected. In March 2021, 8 million nucleic acid test results were leaked in India, containing sensitive personal information such as name, age, marital status, time of testing, and residential address. Also in March 2021, the IT systems of the U.S. insurance giant CNA Corporation were locked down by ransomware; the attackers also stole data, and the company paid a $40 million ransom.
According to statistics from a research institute, the number of global data leaks in 2020 exceeded the total of the previous 15 years, and these data security risks have gradually spread from individuals and enterprises to whole industries and even countries.
Global digital transformation is currently advancing at an explosive pace, and data, as the core of digitalization, has become one of the key factors of production in the new era. If data leakage occurs, enterprise and even national economic operations, public health, agricultural production, transport logistics, and other areas are affected, and serious consequences may follow in each of these fields.
Data security is not limited to the security of the data itself; it is a comprehensive concept. As data travels from the client to the server, many risk factors are involved: whether the identity of the client accessing the system is genuine and trustworthy, whether the data remains complete and tamper-proof in transit, whether it is stored in plaintext or encrypted once it arrives at the server, and which users subsequently use it.
Across every stage of the data lifecycle (collection, storage, use, processing, transmission, provision, and disclosure), three concepts matter: the data processing subject, the data itself, and the data processing behavior.
At the source, the identity of the data collection subject must be genuine and trustworthy. For the data itself, the following properties must be guaranteed in transmission: authenticity (the data source is genuine and trustworthy), integrity (the data has not been tampered with by unauthorized persons), confidentiality (the data has not been obtained by unauthorized persons), and availability (the data can be used normally by authorized persons). For data processing behavior, non-repudiation must be guaranteed for the act of sending or receiving and for the point in time at which it occurred.
For enterprises, data security compliance work is the right thing to do, but there are real practical difficulties at the operational level: how can current compliance gaps be identified quickly and accurately? How can compliance work be completed with minimum cost and impact? The following four aspects are a useful starting point.
1. Technical construction
Technical construction can be divided into building technical measures and building risk monitoring capacity. Technical measures are chosen according to the actual data activities; the most commonly used ones are dynamic desensitization (data masking) technology, access control, electronic authentication technology, encrypted data storage technology, and sensitive data discovery technology.
2. Examine and rectify
Inspection and rectification mainly covers three aspects: reasonableness of data processing, business improvement, and cross-border data transfer. The work in this category consists of checking whether the organization's own business contains illegal or non-compliant situations, and the main responses are business rectification and application function rectification. Automatic data asset discovery technology can quickly and accurately help identify compliance risk points and save a great deal of manual effort. After rectification is complete, the use of and changes to data can also be monitored in real time through data asset discovery technology, so that violations are detected promptly and the risk of violations is reduced.
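The two preceding sections name sensitive data discovery, dynamic desensitization, and discovery-driven compliance checks without showing what they look like in practice. The following Python example, added here and not part of the original article or any vendor's product, sketches all three over a handful of constructed records: a discovery pass classifies fields by the kind of personal data they hold (with a Luhn checksum to cut false positives on card-like digit runs), a dynamic masking layer returns a role-dependent view of each record without altering the stored data, and a rectification check lists flagged fields that the (hypothetical) storage policy does not encrypt at rest. The regex patterns, role names and the encrypted-fields set are illustrative assumptions.

```python
import re

# Constructed sample records (not real people or numbers); the card number is a
# widely used test number that passes the Luhn check.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-010-0001", "card": "4111 1111 1111 1111", "note": "renewed policy"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "555-010-0002", "card": "", "note": "address changed"},
]

# Detection patterns, checked in priority order so a card number is not
# mis-classified as a phone number. Illustrative, not exhaustive.
PATTERNS = [
    ("email", re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("card", re.compile(r"^(?:\d[ -]?){13,19}$")),
    ("phone", re.compile(r"^\+?[\d\-\s()]{7,}$")),
]

# Hypothetical policy inputs: which role may see raw values, and which fields
# the storage layer actually encrypts at rest.
FULL_ACCESS_ROLES = {"dpo"}
ENCRYPTED_AT_REST = {"card"}


def luhn_ok(number):
    """Mod-10 checksum: a digit run that fails it is not a usable card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the first sensitive-data category a value matches, or None."""
    for category, pattern in PATTERNS:
        if pattern.match(value):
            if category == "card" and not luhn_ok(value):
                continue                    # digit run of card length but bad checksum
            return category
    return None


def discover(records):
    """Sensitive data discovery: map each field name to the category it holds
    (first match wins); fields with no sensitive values are omitted."""
    inventory = {}
    for record in records:
        for field, value in record.items():
            if field in inventory:
                continue
            category = classify_value(str(value))
            if category:
                inventory[field] = category
    return inventory


def mask_value(value, category):
    """Partial masking that keeps just enough of the value to be useful."""
    if category == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def dynamic_mask(record, role, inventory):
    """Dynamic desensitization: the same stored record yields a different view
    per requesting role; the stored data itself is never modified."""
    if role in FULL_ACCESS_ROLES:
        return dict(record)
    view = {}
    for field, value in record.items():
        if field in inventory and value:
            view[field] = mask_value(str(value), inventory[field])
        else:
            view[field] = value
    return view


def compliance_findings(inventory):
    """Rectification check: discovered sensitive fields not encrypted at rest."""
    return sorted(f for f in inventory if f not in ENCRYPTED_AT_REST)


if __name__ == "__main__":
    inv = discover(SAMPLE_RECORDS)
    print("inventory:", inv)
    print("analyst view:", dynamic_mask(SAMPLE_RECORDS[0], "analyst", inv))
    print("dpo view:", dynamic_mask(SAMPLE_RECORDS[0], "dpo", inv))
    print("findings (plaintext sensitive fields):", compliance_findings(inv))
```

Running the script as-is classifies the `email`, `phone` and `card` fields, shows an analyst `a***@example.com` and `************1111` where a DPO sees the raw values, and reports `email` and `phone` as sensitive fields held in plaintext. In a real deployment the discovery pass would run against the actual data stores on a schedule, so that a newly added column holding personal data is flagged before it silently widens the compliance gap.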
3. Mechanism construction
Normalized data security control requires supporting mechanisms as a guarantee, of four types: a security training mechanism, a security remediation mechanism, an emergency disposal mechanism, and a risk assessment mechanism. The purpose of data security training is to strengthen the awareness of internal personnel and enhance the skill level of technical personnel, so as to raise the overall level of data security protection. Training should be planned, purposeful and assessed to ensure its effectiveness.
4. Data security operation and control construction
Because the business it protects runs continuously, a data security assurance system must be operated over the long term, and establishing a capable data security operations team is the only realistic choice. Data security operations mainly include the following.
Data security operation and maintenance: the day-to-day use, operation and maintenance of data security measures; resident or periodic analysis of how data security products are being used; continuous optimization of control strategies and configurations in line with management requirements; and regular output of data security operation and maintenance reports and strategy optimization recommendations.
Emergency plans and drills: develop emergency plans for data security events in accordance with the relevant requirements, classify security events into a hierarchy according to their degree of harm and impact as set out in the plan, and conduct emergency plan exercises regularly.
Monitoring and early warning: around the data security objectives and in line with the relevant security standards, establish a data security monitoring, early warning and security event notification system; collect and analyze data security information; report security risks promptly; and release data security monitoring and early warning information as needed.
Emergency disposal: relevant parties take emergency disposal measures in the event of security incidents in accordance with the emergency plan, report major security incidents to the competent authorities, and optimize and improve the emergency plan and disposal process on a regular basis.
Disaster recovery: After a data security incident, appropriate recovery measures are taken based on the impact and priority of the security incident to ensure that information system business processes are restored in accordance with the planned objectives.
How to select a cloud backup solution? Cloud backups are a low-cost way to safeguard an organization’s mission-critical data. They automate daily tasks and make data protection for large amounts of data easier. When properly configured, cloud backups are not only a necessity but also a business asset.
Vinchin Backup & Recovery allows you to restore the entire virtual machine and all of its data from any restore point (full, incremental, or differential backup) without affecting the original backup data. Backups that have been deduplicated or compressed can be restored. This is a great solution for ensuring business continuity and minimizing critical business interruptions caused by a disaster or system failure.
You can also quickly check the availability of backup data by instantly restoring a target VM to a remote location in minutes. Ensure that in the event of a true disaster, all VMs can be recovered and the data they contain won’t be lost or corrupted. Vinchin offers solutions such as VMware backup for the world’s most popular virtual environments, XenServer backup, XCP-ng backup, Hyper-V backup, RHV/oVirt backup, Oracle backup, etc.