
A Banker’s Primer on Secure Data Storage Strategies

It’s 1 am on Monday morning. You’ve just received a frantic call from your IT incident response team indicating that the internal network at the bank you work for shows signs of a compromise that includes your banking core system, which contains all your customers’ intimate financial details. You start to panic about all the potential repercussions: financial losses, a damaged reputation, loss of customer trust, and exposing your customers to further financial and reputational damage. The future of your bank depends on how well you have protected your data in the event of a compromise such as this. Are you prepared?


No one in the industry wants to receive that phone call even once in their career. But in today’s rapidly evolving threat landscape, it's crucial to be proactive in protecting one of your bank's most valuable assets – your customers’ information.

As a CISO, I adhere to the principle of "defense in depth" throughout the system design process. This layered security approach ensures that even if one security layer is breached or fails, subsequent layers continue to provide protection, reducing the overall likelihood of a successful attack. Firewalls, IDS/IPS systems, strong encryption, endpoint security, security awareness training, and a well-designed incident response plan are all vital components of this strategy.

But what happens if an attacker can evade or avoid all of your carefully designed protections and countermeasures and is able to gain access to the crown jewels of your information technology system – your customers’ private data? Are you still protected? Or will you and your bank make the newspaper's front page? It all depends on how you have extended your defense-in-depth strategy to data storage.

This article provides a brief overview of the major strategies that you could be using to safeguard your customer data and the pros and cons associated with each.


Strategy - Encryption

Let’s be honest. You probably don’t get excited learning about the mathematical foundations underpinning encryption. But you generally know what it is. The computer takes your data, does some complicated math, and spits out something that not even the most powerful governments in the world can decode in the next few centuries. You know that modern encryption algorithms are extremely well-tested and battle-hardened. And that you are almost certainly leveraging them to protect your data. However, where and how encryption is used is just as important as ensuring that good encryption is used. And encryption often does not provide nearly the level of protection you may think.

Let’s take a quick look at the three most common encryption techniques used and their strengths and weaknesses.


Encryption at Rest

Encryption at Rest has quickly become the de facto standard for data protection in almost every modern technology system. This means that before data is written to the storage medium of a system, it is first encrypted, such that if the physical storage medium itself were compromised, no data would be recoverable by an unauthorized party.

Chances are good that the device you are reading this on is protected by a level of encryption at rest that is so good that future civilizations with technology thousands of years more advanced would still likely be unable to recover data from it. We’ve come a long way with encryption in the last century, and I don’t ever want to use the term ‘unbreakable’, but for practical purposes, a disk protected using modern encryption-at-rest technologies without the corresponding encryption key is unreadable either now or long into the future.

This includes technologies like BitLocker for Windows, FileVault for macOS, and VeraCrypt for open-source operating systems.

I often hear something along these lines: “My technology team assures me that 100% of our systems are protected with encryption-at-rest, so we’re safe from data compromise”.

Nothing could be further from the truth. Protecting every important data asset with encryption-at-rest should be the default. But that only protects against physical theft. How often do you hear about a heist involving criminals stealing all the hard drives from a company’s data center?

The core issue with encryption at rest is that in order to use your data, your disk has to be in an ‘unlocked’ state such that your systems can read or write to it. Almost always, your employees, software, or systems require access to that data while it is in an unlocked state, which means there is a good chance an attacker can too.

Encryption at Rest should absolutely be used for every critical bit of data. But for almost every scenario besides physical theft, it offers limited protection.


Pros

  • Available on almost every device and platform
  • Transparent usage and low cost
  • Extremely effective at preventing data loss from physical theft

Cons

  • Storage must be unlocked to use
  • Typically in an unlocked state when the system is in operation
  • Does not protect against malicious remote data access


Encryption in Transit

Encryption in Transit safeguards data as it moves between systems or across networks. It is the backbone of secure communication channels, typically using technologies such as TLS and HTTPS. By encrypting data during transmission, it prevents unauthorized third parties from intercepting and accessing sensitive information.

Think of Encryption in Transit as a fleet of armored cars carrying your precious data. As your data travels between systems, it is wrapped in encryption, much like cash deposits being transported in an armored vehicle.

The problem with encryption in transit is that, because modern encryption is practically unbreakable, breaking it is almost never the vector a modern attacker uses to gain access to your confidential data. Attackers are far more likely to go after a softer target that does not require breaking encryption at all.


Pros

  • Protects data transferred between systems from being accessed by an unauthorized third party
  • Used almost everywhere (TLS, HTTPS)
  • Excellent encryption (usually)

Cons

  • Rarely a modern attack vector


Encryption in Place

Encryption in Place refers to the practice of encrypting specific fields or subsets of data with an additional layer of encryption. For example, when storing credit card numbers, you can use reversible encryption to protect this sensitive information without affecting other data in the system.

In practice, you may protect a table or specific columns in a database that contain sensitive information with an additional layer of encryption, with the encryption key stored in a separate system.

If a security vulnerability exposes your data and it is retrieved en masse by an attacker, the sensitive information still requires access to an additional encryption key before it can be read.


Pros

  • Can still protect customer data even if encryption at rest is bypassed

Cons

  • Difficult to implement, often with custom code or software
  • Few standards can lead to data interoperability issues
  • Must manage another set of encryption keys separate from encryption at rest
  • Secondary encryption keys should be stored outside of the ‘blast radius’ of the system


Strategy - Secure Hashing

Secure Hashing is very similar to Encryption in Place, but instead of using an encryption key that can be used to decrypt the data in the future, it uses a cryptographic algorithm to ‘hash’ the input data such that it is computationally infeasible to deduce the original data from the resulting hash.

The inability to retrieve the original data under any circumstances severely limits the usefulness of secure hashing in the real world. However, one of the properties of most modern hashing algorithms is what is called ‘strong collision resistance’, meaning that it is computationally infeasible to find two distinct inputs that produce the same hash.

Given this property, Secure Hashing, when it can be used, is very useful for verifying whether a given input matches a stored hash. When storing passwords in a database, it is considered extremely poor form to store the password values directly. Instead, a hashed value of the password is stored. When performing a password verification, the entered password is first passed through the secure hash function, and that value is then compared with the stored hash value in the system. If they match, the chances are astronomically good that the password entered is correct, even though the system itself has no ability to retrieve the original password value.
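As an added Python example (not code from the article), here is the store-and-verify flow just described, using the standard library's PBKDF2 with a per-password random salt and a constant-time comparison; the record layout `pbkdf2_sha256$<iterations>$<salt>$<hash>` is my own convention, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor. A fast general-purpose hash such as plain SHA-256 is
# not suitable for passwords: an attacker who steals the table can test
# billions of guesses per second. A slow, salted hash makes that expensive.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (assumed format, chosen for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    salt = salt if salt is not None else os.urandom(16)  # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so response timing does not leak how much of it matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, not an error
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)
```

The stored record never contains the password; a stolen table yields only salts and digests, and each password must be guessed separately at the full cost of ITERATIONS rounds.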


Pros

  • Nearly impossible for an attacker to retrieve protected data that has been stored as a hash
  • Hash values can often be used as ‘unique’ identifiers in lieu of more confidential data like a password

Cons

  • The destructive one-way process limits usefulness. Original data can never be retrieved once passed through a secure hashing algorithm.


Strategy - Data Masking

Data Masking, in the context of protecting confidential data, is a technique used to conceal sensitive information by replacing it with fictitious or scrambled data and is sometimes referred to as redaction. The primary goal of data masking is to maintain the confidentiality of sensitive data while still allowing it to be used in various scenarios, such as testing, development, and analytics, without exposing the underlying confidential information. Think of a legal document that has confidential sections marked out with a black Sharpie.

By implementing data masking, organizations can reduce the risk of data breaches, comply with data protection regulations, and ensure that sensitive information remains confidential even when accessed by unauthorized individuals or used in non-secure environments. This technique is particularly useful when sharing data with third parties or working with sensitive information in development and testing environments, where data exposure risks are often higher.

The primary disadvantage of using data masking for protecting confidential data is that, like secure hashing, it is a ‘destructive’ process. Once the data has been masked and stored, no one, including the data owner, should be able to determine what the original data contained.

Another concern when utilizing data masking is that confidential data may be ‘leaked’ into the system if it is entered in an unexpected format or in an unprotected field. For example, a data masking algorithm that searches for a Social Security number may not recognize and redact it if the dashes are absent. Or an employee may type confidential information into a generic notes field that is never masked when stored.
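An added Python example (not from the article) that shows both leaks: a masking rule that only matches dashed Social Security numbers misses an undashed one, and masking only the declared SSN column leaves a copy typed into a free-text notes field in the clear. The record, field names and patterns are constructed for illustration.

```python
import re

# Naive rule: only the canonical dashed form. "123456789" or "123 45 6789"
# slip through unmasked, which is the first leak described above.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hardened rule: separators optional, dash or space. The trade-off is that any
# bare nine-digit number is now masked too; over-masking is the safer failure.
ROBUST_SSN = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def mask_ssn(text: str, pattern: re.Pattern = ROBUST_SSN) -> str:
    """Replace every SSN-shaped value in text, keeping only the last four digits."""
    def redact(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "***-**-" + digits[-4:]
    return pattern.sub(redact, text)


def mask_record(record: dict, pattern: re.Pattern = ROBUST_SSN,
                scan_free_text: bool = True) -> dict:
    """Mask a customer record before it leaves production.
    With scan_free_text=False only the declared 'ssn' column is masked, so an
    SSN typed into the free-text 'notes' field is stored in the clear (the
    second leak described above)."""
    masked = dict(record)
    masked["ssn"] = mask_ssn(record.get("ssn", ""), pattern)
    if scan_free_text:
        for key, value in record.items():
            if key != "ssn" and isinstance(value, str):
                masked[key] = mask_ssn(value, pattern)
    return masked


# Constructed sample record; the values are not real.
SAMPLE_RECORD = {
    "name": "A. Customer",
    "ssn": "123456789",  # teller entered it without dashes
    "notes": "Verified identity; SSN 123-45-6789 read back by phone",
}
```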


Pros

  • Completely redacts confidential data
  • Data that is properly masked cannot be lost

Cons

  • Confidential data could accidentally be stored in unmasked fields
  • Redacted data cannot be unredacted at a later date

Strategy - Tokenization

Tokenization, in the context of protecting confidential data, is a process that replaces sensitive data with non-sensitive placeholders, known as tokens. These tokens often retain the essential structure and format of the original data but hold no inherent value, making them useless to malicious actors. Tokenization is commonly used to protect sensitive information such as credit card numbers, Social Security numbers, and personally identifiable information (PII).

In a tokenization system, the original sensitive data is securely stored in a separate, centralized, and highly protected database called a token vault. Each token generated corresponds to a unique record within the token vault. When a tokenized data element is required for processing, it can be securely exchanged for the original data by accessing the token vault through a secure, authenticated connection.

Tokenization significantly reduces the risk of data breaches and ensures compliance with data protection regulations, as the tokens can be safely used in various applications and environments without exposing the sensitive data they represent. This method is especially popular in payment processing, where it helps protect sensitive payment information throughout the transaction lifecycle.
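An added Python sketch (not the article's or any vendor's code) of the token vault flow described above: the application keeps only a format-preserving token, the vault holds the mapping, and detokenization is gated on the caller's role. The in-memory vault, the `payment-processor` role and the test card number are assumptions made for illustration.

```python
import re
import secrets


class TokenVault:
    """Separate, protected store that maps tokens back to real card numbers.
    Assumed for illustration: in-memory dicts stand in for an isolated, audited
    vault service; real deployments use a vendor or HSM-backed store."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # hand back the same token for a repeated PAN

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("value is not card-number shaped")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        while True:
            # Format-preserving: same length, last four kept for display,
            # everything else random so the token itself carries no value.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the (assumed) payment-processor role may exchange a token for the PAN.
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def store_card(app_db: dict, vault: TokenVault, customer_id: str, pan: str) -> str:
    """Application side: persist only the token, never the PAN."""
    token = vault.tokenize(pan)
    app_db[customer_id] = {"card_token": token}
    return token


def pan_leaked(app_db: dict, pan: str) -> bool:
    """Control check: does the application store contain the raw card number?"""
    digits = re.sub(r"\D", "", pan)
    return any(digits in str(row) for row in app_db.values())
```

A compromise of the application database alone yields tokens that are worthless without the vault, which is why the vault must sit outside that system's blast radius.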


Pros

  • Confidential data is not stored in the system at all
  • Only a ‘meaningless’ token is stored
  • A token could be exchanged for the confidential data it represents at a later point
  • Used extensively by the payment card industry (PCI)

Cons

  • Requires a second data store for mapping tokens back to confidential data
  • The second data store is susceptible to attack as well and should be completely isolated from the tokenized data
  • Typically requires expensive vendor solutions for storing pre-tokenized data


Strategy - Access Control

Access Control is a crucial security strategy that involves managing and regulating who has permission to access, view, or modify sensitive information within an organization. By implementing robust access control measures, organizations can limit the risk of unauthorized access to confidential data and maintain compliance with data protection regulations.

Think of access control like the bouncer at an exclusive private event. If your name isn’t on their list or your ID card doesn’t match your face, you aren’t getting in.

Implementing a robust Access Control strategy is essential for organizations to protect confidential data, ensure regulatory compliance, and maintain a secure environment that minimizes the risk of unauthorized access or data breaches.


Pros

  • Well-understood protection mechanism that is easy to build procedures around
  • Can authorize data access based on roles or responsibilities
  • Audit friendly

Cons

  • Should never be used as a sole protection mechanism


Strategy - Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is like a vigilant security guard for your organization's most valuable digital assets, tirelessly working to protect sensitive information from falling into the wrong hands. By keeping a watchful eye on potential threats both inside and outside your network, DLP solutions help prevent the unauthorized access, disclosure, or theft of critical data, ensuring your organization remains in the clear.

Imagine a scenario where an employee unwittingly sends confidential customer information to a personal email account, putting the company at risk of a data breach. A well-implemented DLP solution springs into action, detecting the sensitive data in transit and promptly blocking the email from leaving the company's network. Simultaneously, the DLP system alerts the IT security team to this potentially hazardous event, allowing them to address the issue and educate employees about proper data handling practices.

In an ideal world, a DLP solution would proactively block every unauthorized access to data in your system. In practice, some data may be accessed by unauthorized users before the activity reaches the threshold at which the DLP system takes action. In addition, if the data being protected was not explicitly marked for protection, it may never trigger the DLP system at all.


Pros

  • Can protect against unknown and future threats
  • Analyzes data flows and can flag indications of compromise in advance of full data loss

Cons

  • Reactive instead of proactive
  • May lose some data before DLP system enforcement actions are taken
  • May block authorized data access (false positives)
  • Can require extensive training or classification of existing data
  • Often an expensive, company-wide deployment of a solution from a proprietary security vendor


Conclusion

The rapidly evolving digital landscape and increasing cyber threats make it imperative for banks to adopt a comprehensive approach to data protection. As a banker, understanding and implementing a variety of strategies, such as encryption, secure hashing, data masking, tokenization, access control, and data loss prevention, can help you create a robust defense-in-depth system tailored to your organization's unique needs.

While no single strategy can guarantee complete protection, a well-planned combination of these approaches can significantly reduce the risk of data breaches and unauthorized access to your customers' sensitive information. By proactively investing in proven and comprehensive data protection measures, you not only protect your bank's reputation and maintain customer trust but also ensure compliance with evolving data protection regulations. The future of your bank relies on your ability to navigate these challenges and secure the valuable assets that drive your business – your customers' information.
