Our two cents on Data protection



Hosting applications accessible over the internet is no longer as complex as it was a few years ago. With a plethora of hosting providers, procuring new servers is just like buying products online. There is no longer any need to set up an infrastructure of your own; just log in to any of the infrastructure providers and within a few minutes your servers are configured and ready.

With this ease come additional risks that are, more often than not, ignored. The servers are no longer within your direct control; they are never physically accessible to you; you might never have seen them or even know where they are located. That is not the biggest problem. The bigger problem is that the server is somewhere out there and can be accessed by others just as you access it from your computer. There are also others who have much easier physical access to the servers than you do.

What does all this really mean to us? Simply put, the data that now resides on these servers is no longer as safe as it used to be. These servers are vulnerable to attack and data might fall into the wrong hands.

Also, with the entire world moving online, everything about you is there somewhere on the internet. All that a fraudster needs to do is mimic you and get access to all your data.

There are different ways of handling this issue. What I will address here are two specific cases that we have started using for our client applications, with some great results.

Data protection

As I said above, data is now less secure and much more easily available. Not all data might be critical, but there definitely is information that we would never want to be compromised, be it financial details, Personally Identifiable Information (PII), health data etc.
If the server falls into the wrong hands, all the data on the server is now available to someone who is free to use it however he/she wants.

What we have done is make it difficult for the hacker to get to the server. However, if the hacker still finally gets to the server, we want him/her to view nothing more than garbage. The data will still not be of much use to the hacker. We achieved this by simply encrypting all critical data using encryption algorithms, with the keys stored on a totally different system. We use key vaults to help us secure the keys used to encrypt the data. Thus all critical data in the DB is always encrypted. Any files stored on the file system are no longer simply available either; the entire folder is encrypted and impossible to access without the right set of keys.

Of course, someone could simply copy the folders, files or even the DB to a new location and try to decrypt the information there. The technologies we use secure the data such that it can no longer be decrypted on any other server. The data needs to be on the same server where it was initially encrypted.
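The design described above (critical fields encrypted, keys held on a separate system), sketched as an added example that is not the author's code. It uses envelope encryption with AES-256-GCM from Node's built-in crypto module; the `KeyVault` class is a hypothetical in-process stand-in for a real key vault, and the function names, record ids and column names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for the key vault on a separate system: the key-encryption
// key (KEK) never leaves this object; callers can only wrap or unwrap data keys.
class KeyVault {
  #kek = crypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek, 'dek-wrap'); }
  unwrap(wrapped) { return open(this.#kek, wrapped, 'dek-wrap'); }
}

// AES-256-GCM with a fresh 96-bit nonce; output layout is nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong, the blob was modified, or the AAD does not match.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt one critical column. The row stores ciphertext plus the *wrapped* data key,
// so a copy of the database alone contains no usable key material.
function encryptField(vault, recordId, column, value) {
  const dek = crypto.randomBytes(32); // per-record data-encryption key
  const aad = `${recordId}:${column}`; // binds ciphertext to its row and column
  const row = {
    id: recordId,
    [column]: seal(dek, Buffer.from(value, 'utf8'), aad).toString('base64'),
    wrappedDek: vault.wrap(dek).toString('base64'),
  };
  dek.fill(0); // drop the plaintext key once the row is built
  return row;
}

// Decryption needs a round trip to the vault that wrapped the data key.
function decryptField(vault, row, column) {
  const dek = vault.unwrap(Buffer.from(row.wrappedDek, 'base64'));
  const aad = `${row.id}:${column}`;
  return open(dek, Buffer.from(row[column], 'base64'), aad).toString('utf8');
}
```

The sketch does not model the server binding described above; it shows only that a copied row cannot be decrypted without access to the vault that holds the wrapping key.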

Is this completely foolproof? Well, it surely makes life tougher for hackers. There will be someone who might find a way around this as well, but till then you can rest assured that your data is in safe hands.

Fraudulent Access

The other big issue I talked about was someone mimicking you and using your credentials to view and play with your data. Again, we have implemented mechanisms such that it becomes more and more difficult for users to mimic others.

For critical flows, we capture an image of the user’s passport or driving license. These document images are then taken through a series of tests to check whether the document is authentic. Most fraudulent documents get caught during these tests, making it easy to identify a hacker.

There are scenarios where the user might have actually stolen a document, and this makes things a bit complicated. To tackle scenarios like this, we add another step where we capture a live image of the user and compare it with the image in the document. This is a foolproof way of identifying whether the user is who he says he is. We have been using facial recognition algorithms to identify these fraudsters, and these algorithms do a splendid job of comparing facial images taken over a huge length of time.

The solution we have might not be a silver bullet to end all hacks and mimics, but at least this is an attempt to ensure you sleep well, knowing that your data is in safe hands and not easily accessible to all.

1 Comment

  1. Raushan Kuamr Jha says:

    Thanks Girish for sharing your experience and insight on cloud data protection.

    Within Data protection you’ve discussed “Thus all critical data in the DB is always encrypted” …. “The technologies used help us secure data such that they will no longer be able to decipher on any of the other servers.”
    It means that in future, if we want to move our data to another server, “Server_2”, we can’t do it, because all data is encrypted on “Server_1” using “Server_1” machine keys.
    If we are in the development phase and are utilizing this sort of encryption policy, it’s going to be very tedious work, because in the development phase we are frequently moving and refining our data and schema from one server to another.
    Now the question arises of when to go for data protection using encryption (in Dev, QAT, UAT, Production).

    Coming to Fraudulent Access
    If any user got your credentials… (a hacker, or even our ex-employee or any disgruntled employee) and tried to access your server,
    how can we make sure that authorized users are accessing our data within our defined policies?
