While I was working on a defense-in-depth blog post, I realized that every defense layer, in one way or the other, is about data and data security. Remember the phrase; All roads lead to Rome. My version is, All security is data security.
Data security revolves around three basic principles: Data Confidentiality, Data Integrity, and Data Availability (also known as the CIA triad).
Confidentiality: Preventing unauthorized access (Read and Write)
Integrity: Protecting data from improper data modification or erasure (Update)
Availability: Making sure data is available anywhere that it’s needed
Depending upon the sensitivity of the data, one principle might be more important than others. For example, for financial finance and healthcare companies, confidentiality is more important than others. On the other hand, for an eCommerce company, the availability of product data is more critical than others.
IT infrastructure's sole function, including computing, network, and application, is to enable easy and reliable access to data from anywhere to improve productivity and efficiency. An Ecommerce portal allows customers to search and read the product data online and buy them. A banking application allows customers to check balance data and transfer funds (changing balance data). A healthcare application allows patients to check lab result data online and ask questions or schedule an appointment with the doctor. An online print business allows their users to upload print documents (data) securely and notify them when the printing is done. For example, the online content delivery platform delivers digital content (data) to their customers in the comfort of their homes, so they don't have to go to a movie theatre or a store to rent or buy a physical DVD. However, it increases the threat landscape. In the case of a physical DVD rent business, a bad actor in the store or around the store can damage the business. On the other hand, in the case of an online content delivery platform, someone sitting thousands of miles apart in a different country can damage the business or steal the content. Therefore, building solid security at every layer possible, known as defense in depth, is essential.
Every security layer we build, one way or the other, ensures one or more of the three data security principles mentioned above. I have captured some examples below.
Security/Defense Layer |
Primary Function |
TRIAD Principle |
Explanation |
DDOS Protection |
Ensures availability of a service or an application |
Availability |
Application is used to access data. Ensuring application availability ensures data availability. |
Web Application Firewall |
Security of the web Application or Interface |
Confidentiality Availability |
It prevents data exfiltration attempts It protects from layer 7 DDOS attacks |
Network Security |
Security and availability of the network |
Confidentiality |
Prevent a compromised application from accessing data Prevent unauthorized actors from connecting to the application |
Strong Authentication |
Only authenticated users have access to data |
Confidentiality |
Only authenticated users are allowed to read and write the data. |
Access Control |
Only authorized users can read and write the data |
Confidentiality Integrity |
Only authorized users are allowed to read, write, and update the data. |
Monitoring |
Detect unauthorized access to data |
Confidentiality Integrity |
Create an incident when unauthorized access is detected |
Cryptography |
Prevent unauthorized read from disk or from network tapping |
Confidentiality |
Encrypt the data at REST and in transit |
High Availability & Disaster Recovery |
Ensures availability of a service or an application |
Availability |
Application is used to access data. Ensuring application availability ensures data availability. |
Vulnerability Scanning |
Detect and fix any vulnerability in the Application or Infrastructure |
Confidentiality |
Prevent unauthorized access to data or data exfiltration due to application vulnerability |
IDS / IPS |
To prevent and detect unauthorized Intruder accessing data |
Confidentiality |
Detect and prevent an attempt to steal or gain access to data |
Physical Security |
To prevent unauthorized personnel from accessing data |
Confidentiality |
Prevent unauthorized access to physical infrastructure |
It, indeed, may not be a new discovery. However, it was fascinating to realize that it’s all about the crown jewel (Data). We (Oracle), the leading data platform provider, recognize the importance of every defense layer in how it can help protect the data. I am sharing some valuable documents about security implementation on Oracle Cloud Infrastructure.
Kiran Thakkar is an expert in Identity and Access Management with more than 10 years of experience in the space. He is also OCI certified Associate Architect and help customers on OCI use cases. He is believer in blockchain technology and follows that space as it grows.