Learning Topics

We'll send you updates from the blog and monthly release notes.

Learning Center

Data Security Best Practices For Companies

Your company will collect, store, and process a variety of different data, from your customers, third parties, and your in-house processes. This data is often both valuable and highly sensitive, and, in the case of customer data, highly regulated. The consequences of data security issues for companies are detrimental and the frequency of attacks is increasing. To counter the new cybersecurity risks, companies must invest in data security.

In this article, you’ll learn about best practices in data security, including the concepts that you should know about and the measures you should take to protect your company’s digital assets.

Key data security challenges

The core concerns when addressing data security are preventing data breach, avoiding data loss, and remaining compliant with legislation. Both data breach and data loss are damaging to your business, and can be caused by internal or external threats.

Data breaches: A data breach occurs when data leaves your control involuntarily. This can be unintentional — due to the negligence of your staff or vulnerabilities in your infrastructure causing accidental disclosure, or intentional — caused by the malicious actions of an attacker who has compromised your data infrastructure, or a disgruntled employee looking to profit or cause damage to your business.
Data loss: Data loss means that you can no longer access data that was intended to be retained. Data loss can happen due to hardware failure, loss of access to cloud resources, or accidental or purposeful deletion of the data.
Ransomware: Ransomware combines the threats of data breach and data loss. Often, attackers will infiltrate a network and both steal and encrypt data. They will then threaten to disclose any sensitive information that they have collected, while withholding access to the data itself from the business, unless the ransom is paid.
Compliance: Data breaches and data loss negatively impact not just your business, but the subjects of the data themselves. Sensitive data leaks can enable identity theft, fraud, and harassment, so the collection and use of data has become heavily regulated.

How to secure data: data security best practices

Protecting your infrastructure and the data on it requires an informed, dedicated, and ongoing effort. You should implement security policies from the earliest stages of your projects, and regularly review them, making sure that they remain functional and relevant to emerging threats.

The practices below will assist in this – helping you to uncover and mitigate potential security vulnerabilities in your organization, as well as protecting against more general threats.

Be privacy conscious

Data privacy defines what data you’re obtaining from consenting users, and how the data can be used. User data is heavily regulated, and fines can be levied if this data is mishandled. Therefore, adequate investment in data privacy is not just in the interest of your clients; it’s necessary for protecting your bottom line from government sanctions.

As an example of this, in 2021 Amazon reported an $877 million fine, for violations of the European Union’s General Data Protection Regulation (GDPR), believed by many to have been imposed over Amazon’s cookie policy.

Protecting data from improper access and use also protects it from leaks — the fewer hands on the data, the lower the chance of accidental disclosure. Data privacy can be improved through the use of data loss prevention (DLP) software, which monitors and prevents the sharing of sensitive data outside the domain where it is intended to be stored or used.

Maintain awareness of vulnerabilities

Staff must always be on the lookout for potential security vulnerabilities

Data security experts, software engineers, and tech teams involved in all aspects of your IT infrastructure must remain vigilant for new vulnerabilities. End-user applications such as operating systems and desktop software, cloud hosting solutions and SaaS platforms, and development dependencies from repositories such as NPM and PyPI should be regularly checked for new exploitable vulnerabilities.

Complacency cannot be allowed to creep in. Monitoring must be maintained and all new technology decisions must be vetted for their security implications. Just because you have not yet been attacked does not mean that you will not be in the future. You may even have been attacked already: many attackers prefer to surreptitiously infiltrate a network and stealthily extract data over long periods of time, aiming to evade detection and steal as much valuable information as they can.

All software in your toolchain should be regularly updated, and network infrastructure should be audited through automated breach and attack simulations. If you are developing software, use automated testing to ensure that the software operates as intended. New tools are also emerging for the vetting of third-party development dependencies against known security risks.

Keep an up-to-date asset inventory

An asset inventory is necessary to identify devices that require software patches, track high-risk assets that can be compromised, and keep track of user devices that may contain sensitive information — for example, if a user laptop is misplaced, it can be remotely wiped.

Asset management is implemented through the manual and digital identification of assets. Implementing an asset inventory involves keeping accurate digital records of these assets as well as who is responsible for them.

Implement authentication and authorization

Authentication and authorization policies protect your data by only allowing access to identified and designated parties.

Authentication is the process of confirming who the person trying to access a system is. It usually consists of a username and password (ideally with additional multi-factor authentication), or an API key for authenticating programmatic access.
Authorization checks whether an authenticated user has permission to view or edit a given resource. An authenticated user’s login is compared with your access policies to determine which resources they are allowed (and not allowed) to access.

Implementation of authorization typically leverages user role-based access control (RBAC) or attribute-based access control (ABAC) to enforce access and to ensure data security risk is reduced.

Data should be categorized based on both its sensitivity and how it is intended to be used (for example, by which department), to decide who will have access. You can then apply the principle of least privilege (PoLP) only granting users access to the resources they require. This reduces the chance of accidental disclosure due to human error, and means that if an employee is compromised, the amount of data they can access is limited.

PoLP can also act as a failsafe for your business processes, acting as a set of checks and balances for user actions, making sure they cannot interfere with data owned by others. Major changes can then be safely approved, and employees held accountable for the resources they have permissions for.

The use of virtual private cloud (VPC) and virtual private network (VPN) infrastructure allows you to extend the protection offered through your authentication and authorization policies to your remote employees. Rather than users keeping copies of data on their own devices, it can be centrally stored and kept in a controlled environment, no matter where your staff are physically located.

Mask your data

Not every data use case requires all the details from the data. By masking sensitive information in these cases, you remove the risks associated with it. A common example of data masking is redacting all by the last characters in a customer’s credit card number. The transaction itself is handled by an external processor, so there is no value in storing this information in full on your own systems, and by not doing so you cannot be the cause of any fraudulent activity resulting from the leaking of that information.

Data masking can be implemented through the use of software solutions such as RudderStack’s Transformations feature, which handles data masking, attribute removal, and event filtering. This allows you to prevent the storage of users' private data on your systems, as well as redacting it during transfer or while exposing resources to third parties.

Encrypt your data

Encryption alters your data in a way that makes it unusable unless you have the key to decrypt it. Data can be encrypted both at rest (while stored on disk or in the cloud), and while in transit (being transferred over a network connection).

Information transferred unencrypted over the internet is readable to all intermediate parties, including any spyware that may be present on that infrastructure. Attackers may also attempt to access your internal systems to pilfer stored data. Encryption will protect against this — if encrypted data is stolen or intercepted, it cannot be used unless the attacker is also able to steal the key.

The downside to this is the potential loss of your own keys. Encryption keys must be stored securely, because if they are lost, so is access to the data that they protect. Hardware and software key management solutions exist to help you keep your keys readily available only to those who require them.

Install network firewalls

Firewalls protect your network infrastructure by blocking or allowing traffic based on a set of predetermined rules and the state and context of the connections, including their source, destination, ports, and history.

Firewalls should be installed between all public and private infrastructure. They should be configured to allow only secure connections to isolated and well protected resources from the outside world, while blocking outgoing connections that may be attempting to exfiltrate sensitive data or connect to malicious servers.

Log and monitor

Thorough logging should be implemented at all stages of your data processes so that in the event of a breach you know exactly what was stolen, how it was stolen and, potentially, who is responsible.

Monitoring of data infrastructure will alert you to potential attack vectors, and can also alert you to attacks in progress. Tools like AWS GuardDuty and AWS Inspector can monitor for spot security vulnerabilities in data at rest and in motion while providing suggestions to plug holes in your security.

Most networking, authentication/authorization, firewall, and data pipeline tools all support logging and monitoring, out of the box. Logs should be stored securely, so that they cannot be tampered with, while monitoring alerts should be configured to alert the responsible parties in the event of suspicious activity, without flooding them with alarmist notifications that they may start to ignore.

Follow OWASP recommendations

OWASP, or the Open Web Application Security Project, is the closest thing cybersecurity experts have to a constitution.

Though security is never 100% assured, addressing the OWASP top ten cybersecurity concerns will help to prevent popularly exploited cybersecurity threats. Keeping up with OWASP recommendations leverages the shared knowledge of experts all over the world, and forms the foundation of good security practices.

Data security and customer data platforms

The strategies and tools used by attackers are constantly evolving, and exploitable vulnerabilities in software are uncovered every day. In addition to monitoring for vulnerabilities in your existing software, and regularly patching, you should ensure that any new tools that you adopt have a reputation for good security practices, and include robust security functionality.

When choosing a customer data platform (CDP), ensure that it includes strong authentication and authorization features to protect access to your data and can log all interactions for accountability. Your data tools should also allow you to flag potentially sensitive data so that it can be correctly handled according to regulation, and support data encryption to protect data at rest.