Using Your Data Layer to Secure Financial Data
date: June 8, 2018
Let’s face it: Securing financial data in the 21st Century is a major headache. There are so many things you need to be thinking about today that you didn’t even have to worry about even five or 10 years ago, such as new compliance laws and regulations, and how to keep sophisticated fraudsters from exploiting all the new touchpoints your customers are using to use your services and/or buy your products.
The Equifax breach, which exposed the sensitive personal information of nearly 146 million Americans, is a great example. These types of data breaches not only result in the loss of sensitive, confidential data, but also cause huge financial losses and irreparable damage to brand reputation.
This new threat level and high risk exposure is forcing enterprises to rethink how they go about securing their financial data. Simple chip and pin methodologies are obviously no longer enough. You need to be thinking about financial data security from the level of your data layer, because it’s at the data layer where you will be able to launch your most effective and comprehensive defensive against cyber criminals and also most effectively comply with new laws.
But exactly does it work?
It’s hard enough to picture the “data layer”, let alone understand how this layer plays into financial data security.
It all comes down to your database, and here are the specific abilities your database must possess to protect your financial data and keep your enterprise from becoming the next Equifax.
1. Unified authentication and access control
Unified authentication and role-based access controls allow you to easily provision and manage the permissions of users across a variety of sources, including LDAP, Active Directory, and Kerberos. A good data management platform will allow you to utilize multiple sources of authentication and role assignments in the same cluster (e.g. Active Directory for administrators, and Kerberos for applications). You should also have granular access control at the row and column levels, as opposed to just at the table level. Also, if administrators have full access to operate the database but can revoke the access to the data itself, this provides an extra layer of security.
2. End-to-end encryption
There’s encryption “at rest” and encryption “in flight”, and end-to-end encryption means protecting against both. Data stored on persistent storage (i.e., disk drives) in an encrypted format is data at rest. Encryption at-rest protects against data exposure in the event of the physical theft of a device, or if an unauthorized party gains access to a system where data is stored but has not gained access to the database yet. Encryption at-rest also offers a degree of protection in environments where storage resources might be re-used, such as in public clouds.
The encryption of data as it moves over a network between nodes is encryption in-flight. In a distributed environment, network traffic is constant. If the network is not secure, the data moving between the nodes could be intercepted by an unauthorized party. Hence the need for encryption in-flight.
Again - a good data management platform protects you against BOTH.
3. User activity auditing
Your data management platform should have integrated user activity auditing in real time, which allows you to record and audit all or a sub-set of user activity, including login attempts, and thus allow you to discover any data breaches or unauthorized behavior almost as they happen.
Whether it’s GDPR, PSD2, SOX, or PCI-DSS, compliance has become a major issue for financial data protection. There are so many ways NOT to comply these days, and so many ways to end up with a major fine or even lawsuit, that handling compliance at the data layer is really your only chance of being totally secure, all the time.
A good data management platform can contextualize all data, making it not just possible but easy to discover all the touchpoints and activities of your customers, identify questionable transactions or suspicious behavior, resolve entities, and maintain comprehensive audit trails to meet the mandatory compliance requirements on time, on budget, and in real time.
5. Consumer fraud detection
Competent consumer fraud detection and prevention in this day and age requires reliable and quick access to large datasets built using a high volume of transactions or the relationships of data across multiple data silos.
Most enterprise do not have the capability to monitor or regulate user behavior across a range of products or business units. As a result, complex fraudulent behavior is often left unchecked, and audits typically require manual intervention across numerous lines of business.
A modern data platform will combine a scalable and reliable database with powerful search, analytical, and graph tools to allow you to quickly identify anomalies in user behavior and patterns in real time to detect any fraudulent activity, prevent potential security breaches, and protect financial privacy.
Combine all the above into one system
That’s the final key.
You want to be able to achieve all of the above capabilities with one vendor and not have to go to several different third parties to sew together a quilt of financial data protection that would probably have gaps and could then come easily apart if one of your third parties breaks away from you, or vice versa.
One other thing to keep in mind: a lot of data management solutions are built on open source technology, but open source technology, while innovative and leading edge, comes with its own dangers and responsibility. You need to take on internal experts, rely on the open source community for help, and, as evidenced by the Equifax example mentioned earlier, religiously update to stay head of security flaws. That’s why most major enterprises rely on commercial vendors for their data management solutions, even when they’re built on open source technology.
DataStax Enterprise offers a comprehensive, advanced data security solution built into our industry-leading data management platform — all with a consistent security model across database, search, and analytics. From compliance to identity management to fraud detection, we’ve got you covered at the data layer.