Think of all the confidential and personal information your company works with in a day, a week, or a month. Now, think of what would happen if that content got lost, erased, or stolen. You’d be left scrambling for protection.
As content (and every company’s dependence on content) increases, protecting your employee, customer, and partner data has become critical. Data protection safeguards your company's content, minimizing the risk of loss or theft. Read on to get the basics of data protection and security and learn more about what you can do to protect your company's valuable information.
Data protection is the process of securing content and information. It takes two forms:
- Shielding content from potential bad actors and preventing the loss of data
- Ensuring the restoration of any compromised data
Restricting data access
Some of the goals of data protection might be to limit access to certain information. For example, healthcare companies keep patient files confidential to comply with the Health Insurance Portability and Accountability Act (HIPAA). A third party shouldn't be able to get their hands on a patient's medical file easily, if at all.
With data protection, you can restrict who can open or view specific files. You can also set up passwords to protect the content or limit access to it only to authorized users.
Data protection sometimes includes data erasure or deletion. There might come a time when your company no longer has use for a particular piece of content. Keeping it on file could put confidential information at risk, so the best option is to delete or destroy it.
Depending on the type of content and any compliance regulations in place, simply pressing delete might not be sufficient. You might need to go through a process to ensure the content is entirely erased and can't be recovered or accessed by anyone else.
Protecting and restoring data
Another component of data protection is restoring data after a loss or preventing the loss from occurring in the first place. Older methods of protecting data might have included storing paper files in a fire-proof cabinet or making multiple backups of digital files. Modern ways of protecting data include using a cloud-based system that keeps your information online rather than on a physical server or computer.
If the content should get lost, data protection also makes it possible to quickly restore it, limiting downtime and minimizing frustration. For example, having a backup copy of all your information means you can access it even if a server or computer goes down. Having both physical and digital copies of your content minimizes the risk of loss.
3 categories of data protection
You can sort data protection into three categories based on the type of data in question and the methods used to protect it.
1. Traditional data protection
Traditional data protection focuses on preserving, retaining, restoring, and duplicating data. Data backup is perhaps the cornerstone of conventional protection methods. A backup can take the form of:
- A hard drive or flash drive containing all of your files
- A cloud storage system
- Physical copies of digital content
Replication is a component of data backup. It's the process of constantly duplicating data to ensure a backup copy always exists. The replicated data can live in the cloud or on a physical server. With data replication, it becomes easy to access data in the event of a loss or system failure.
Let's say your entire system goes down. You can't afford to stop operations for the day and wait for the system to come back online. With replication, you can regain access to your content. Replication can be synchronous, meaning it gets updated while the original content gets updated. It can also be asynchronous, meaning the replication occurs after the primary content gets saved or at a scheduled time, such as overnight.
Synchronous replication is ideal for critical pieces of content when you absolutely can't lose any information. Asynchronous replication can be appropriate when some data loss might be acceptable.
Erasure coding and redundant array of independent disks (RAID) are two other components of traditional data protection. Depending on the mechanism used, RAID mirrors the data, storing copies of it on multiple discs, or it “stripes” the data, storing pieces of it on several disks. Erasure coding breaks up data and stores fragments of it on several discs. If the original content is corrupted or lost, it's possible to restore it from the mirrored or fragmented data.
At some point, your company might no longer need certain pieces of content, but you might not be ready to delete or dispose of the data. Data archiving is part of traditional data protection, as it provides a secure way to store data you no longer need easy access to.
2. Data security
While traditional data protection measures focus on safeguarding the content through duplicates and backups, data security focuses on securing the data from outside threats, such as bad actors, breaches, and malware. Data security measures aim to protect the integrity of your data.
A critical component of data security is encryption. When you encrypt content, you scramble it. If someone opens an encrypted file, they are likely to discover what looks like nonsense. To figure out what the content contains, they need a decryption key. Data can be encrypted when it is at rest, such as when it's just sitting on a cloud server, and when it's in transit, such as when you send it over email or from one computer to another.
Access control is another vital part of data security. You don't want bad actors or unauthorized users to get their hands on confidential data. One way to protect against that is to set up access controls. For example, you might restrict access to a piece of content only to specific individuals at your company, such as managers.
Authentication goes hand in hand with access control. To ensure data doesn't fall into the wrong hands, you can require users to verify their identity before accessing it.
Security measures can also focus on limiting threats and preventing data loss. You might set up audit controls to see who's accessing what data and when. The audits can help you detect any unusual activity.
3. Data privacy
Data privacy is the area of data protection that focuses on how data gets handled and who gets access to it. It often involves protecting personal data, such as health records, financial information, and contact information. Depending on the type of content your company works with, you might need to meet specific regulations to maintain data privacy. Some of those regulations include:
- Global Data Protection Regulation (GDPR)
- Financial Industry Regulatory Authority (FINRA)
- International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
Data privacy also concerns itself with how you store content. To ensure privacy, you'll need to follow best practices, often outlined by the various regulations you might be subject to.
Data protection vs. data privacy
While data privacy falls under the umbrella of data protection, it's essential to understand that the two aren't synonymous. One way to understand the difference between the two is to remember that having one doesn't exactly mean you have the other.
You can ensure the privacy of your content by setting up access controls and limiting who can view or edit it. Limiting access to data protects its privacy but doesn't necessarily protect the information itself. Without backup, replication, and retention measures, the data can be corrupted or lost.
Similarly, setting up backup systems and retention plans for data doesn't restrict who can access it. Without the necessary controls, a bad actor or unauthorized user can stumble upon data that should be confidential.
Another way to understand the distinction between data privacy and data protection is to look at what's behind them. Data privacy is mainly concerned with regulations. Depending on your industry and the type of data you handle, a particular set of standards and rules can dictate how you keep it private and what you do with the data in the event of a breach.
Data protection focuses on how you keep data safe and secure. Traditional data protection measures are tool-based, such as creating a backup system or finding a way to replicate data for easy restoration.
Data protection technologies and practices
Speaking of using tools and methods to protect data, let's take a closer look at some of the options available to you.
Data loss prevention (DLP)
Data loss prevention (DLP) is a strategy for preventing unauthorized users from getting access to your company's content and controlling how authorized users share content. DLP can take multiple forms. It can be a software program or a set of techniques a company uses to protect information. It can also be a combination of the two.
Primarily, DLP works by keeping an eye out for sensitive data attached to an email or uploaded by an employee. If an employee sends an email with a patient's records attached, for example, a DLP system will flag the email and might prevent the person from sending it with the attachment. If someone tries to upload a piece of confidential content to an unsecured program, such as a website or storage system, a DLP system can prevent the upload from occurring.
DLP also works by limiting access to confidential or personal content. The platform verifies users' identities and makes sure they have permission to access specific pieces of content. If there's a breach and data gets into the wrong hands, DLP can keep tabs on it.
Storage with built-in data protection
Storing your content in the cloud means you can access it from anywhere and on any device, as long as you have an internet connection. At the same time, cloud storage can also help you protect your content and — as an added bonus — you collaborate easier with your coworkers from a single place. Box Shield is a frictionless security solution that protects the flow of your content and has several features that help keep your data safe:
- Content classification
- Access controls
- Anomaly detection
- Malware detection
- Alert system
- Last-mile security measures for online editors
Think of a firewall as the gatekeeper to your computer — it keeps certain types of traffic away from your device. A firewall knows what kind of traffic to allow and what to reject based on the rules you set up. You can program a firewall to deny all traffic from a particular country or a specific IP address.
Firewalls can be hardware- or software-based. A hardware-based firewall usually consists of a router, while a software-based firewall is a program you install on a device. Beyond that, firewalls can take several different forms.
As an example, a proxy firewall works by filtering traffic from a network to a device. A stateful multilayer inspection (SMLI) firewall can block traffic based on protocol, state, or port. You can also set up your own rules for an SMLI firewall. Next-generation firewalls go a step beyond proxy or SMLI firewalls and combine filtering with antivirus and malware protection.
Authentication and authorization
Only authorized users should be able to access certain content. To ensure only those people can view or alter specific data, you need to set up access controls. You also need a way to authenticate users to verify they are who they claim to be.
Identity and access management (IAM) processes allow you to control who can view and access data. IAM measures include multi-factor authentication, password protection, and device certification.
Multi-factor authentication requires a user to provide two methods of identification. They might enter a username and password first. Once that’s verified, they'll be asked to provide a second piece of information, such as a code sent by email (or by text message) or a secret code that appears on a special app. Once the second piece of information is provided, the user can access the content.
Device certification is similar in that it requires user identity verification. For example, if a person tries to log onto a website for the first time using a tablet instead of their work laptop, they might be asked a secret question or sent a code to input.
IAM measures often go hand in hand with role-based access control (RBAC) methods. RBAC limits the information a person can access based on their role with a company. You might decide only to allow managers or executives to access specific pieces of content, for instance.
Encryption protects information by making it impossible to decipher without the appropriate key, also known as a cipher. If you ever made secret codes with your friends when you were a child, you're familiar with how encryption works.
The encryption used to protect data is much stronger than any secret code you could create for yourself. Today's gold standard encryption is 256 bit. The "256" refers to how long the encryption key is. To break into a message with 256-bit encryption, a bad actor must try 2256 (or 1.15 followed by 77 zeros) different combinations.
Endpoint protection guards devices such as laptops, desktops, and smartphones from attacks. A bad actor might try to get access to a device, such as a laptop, to break into a network and steal its data. Endpoint protection monitors activity to and from a device and takes action swiftly if anything suspicious occurs.
Properly disposing of data is just as important as properly storing it. When content reaches the end of its lifecycle, data protection and privacy regulations are still likely to apply, especially if you’re in a regulated industry.
You need to erase or dispose of data so it doesn't fall into the wrong hands. For physical content, that might mean shredding documents or formatting a hard drive. For information stored on the cloud, you need to ensure there are methods in place that allow for permanent deletion.
In addition to ensuring data gets destroyed or erased at the right time, you also want to make sure data doesn't get accidentally deleted before its time. Just as you can limit who can access certain pieces of content, you can also set up restrictions on who can delete content. Should a piece of data get accidentally deleted, you need to have a process in place to restore it.
Best practices for ensuring data privacy
Having certain rules and "best practices" in place helps keep personal and sensitive data private. One way to ensure data privacy is to limit the amount of data you collect. If you work with customers or patients, consider what information you need from them. Less can be more when it comes to protecting privacy.
Another rule of thumb to follow is to always check in with people when you collect their information. Some regulations require you to inform customers or patients of the information you're collecting, how you'll use it, and what their rights are.
Privacy policies are another legal requirement. Your policy should describe the information you collect, how long you'll keep it, and what options users have.
How Box provides end-to-end protection
Box gives you frictionless security and features that allow you to comply with industry regulations easily. The Content Cloud has several security and compliance features designed to protect your data.
Every piece of content you upload to the Content Cloud is encrypted with 256-bit encryption. Your content is protected when it's at rest or in transit, and you can manage your encryption keys using Box KeySafe.
You also get granular user controls with Box. You can assign permissions to users based on their role with the company and how much access you want them to have to content. Multi-factor authentication and verification tools help ensure only authorized individuals access your data.
Box also uses machine learning to keep your data safe. Our platform can detect threats and take action in real time, helping you avoid a data breach.
Learn more about Box today
Box Shield helps your business stay agile while reducing risks. It's part of the Content Cloud, a secure platform that empowers you to streamline collaboration and content management. No matter your industry, if you want to secure your content and protect your customers' data, Box can help. Learn more about the Content Cloud today.
Learn how Box Shield protects your content
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.