Data security: components
In our private and professional lives as individuals, and for public and private sectors as organizations, data security is critical. It is not only about the willingness to protect our own, our customers’ or our citizens’ data, as want to keep our reputations and trustability in our offerings. There are specific regulations that are mandatory to comply to for different sectors. From PCI DSS regarding the payment industry to HIPAA for the health sector or GDPR for the management of personal information regardless of sector.
What do we mean by “protect” the data or data security? There is a complete set of processes and practices created to protect the data for all the types of data security: Typically AAA (Authentication, Authorization and Accounting) systems define, restrict, grants and records, including automatic processes as artificial intelligence, and for who can obtain access to the data. Data Resiliency assures that the access to the data will be available when needed. Data Backup and Recovery provide mechanisms to protect and recover the data in case of failure or disaster. This occurs where the data is stored. Data Immutability and Erasure grants that the data is not modified and that is correctly and effectively eliminated when requested by the authorized processes. Finally Data Encryption grants that only the persons and systems that should access the information will have this access granted, not by any other. All the aforementioned types of data security apply to the three core components of data security:
To guarantee that the data is protected in all the types of data security and for all the components of data security, several controls have being developed in the industry. Firstly, auditing all the policies, systems and processes that are related to the protection and audit of the data itself. Monitoring the reliability, status and quality of these processes and alerting on any incident or breach whilst assessing all related risks.
All these types and components of data security are key, there is however, one that is extremely relevant. Namely, when data is obtained by unwarranted actors, we need to be sure that they will not be able to access the content to read or modify it. This applies to the data that is stored “at rest” or that is transmitted usually making use of electronic means via public or private networks for “in transit” data. The subject matter here is cryptography.
The basis of all cryptosystem is the generation of quality random numbers for the creation of keys, nonces, digital signatures, etc. High quality unpredictable random numbers generation are the basic source of entropy for all this cryptographic material, it creates the keys and certificates. It is useful for encryption purposes so that they cannot be uncovered by a third party and therefore protect the data both when stored at rest or while it is in transit. On the contrary, bad quality predictable random number sequences are easy for a malicious actor to obtain the keys used to encrypt our data and therefore be able to decrypt it and obtain access to the data that must be protected. An example is by listening the to Internet public channels.
Moreover, random number generation has to produce the randomness at a sufficient high rate to be able to protect the amount of data produced. Also, to cope with the requirements of the cryptographic protocols that are being adapted to be resistant against the new threats that arise from the use of new computing paradigms that can be used by the attackers to try to obtain access to the data (personal sensitive information or government or company secrets, for example).
From the previous paragraphs it is clear that it is an important task not only to be able to create high-quality high-speed randomness but to monitor and be aware of the quality and rate of the entropy produced. In order to generate the cryptographic material and expose this information to the teams responsible for its security.
At Quside our mission is to deliver the highest performance quantum random number generators (QRNGs) to empower the transition to a more powerful data security vectors. This protects from the known and unknown threats including the added value of providing full visibility on the quality and status of this fundamental element to the audit and monitoring into the Network Operation Centers and Security Operating Centers.
The three core components of data security are: Confidentiality, Integrity and Availability
Confidentiality: because it guarantees that the data is accessible only to the right actors and it is not disclosed to unnecessary or malicious actors.
AAA stands for Authentication, Authorization and Accounting and AAA systems implement the mechanisms required to grant the access to the data to the right actors, be that actor a person a program or a system, by identifying the actor, to authorize (or not) the access to specific data for a specific usage (read, write, delete) to that actor based in the identity and to track and register all the actions that the actor executes on the data.
Fernando de la Iglesia
VP – Cloud
Leads the cloud product development and strategy for the company. The last 10+ years lead innovation proposals related to Cloud Computing both at national and European level and finally working as main infrastructure and solution architect in the most relevant Cloud computing projects in Telefónica. Fernando holds a PhD in theoretical physics from the Autónoma University in Madrid.
Want to hear more about the quantum side?