Adapting data flow security to changing business needs

- [Instructor] Over the life of your business, your data needs will constantly be changing. As security professionals, it is our responsibility to determine how these changes will affect our business processes and security. Each time a change is proposed, we should consider how it can affect the confidentiality, integrity, and availability of our networks. We should also ensure that we're utilizing proper defense in depth techniques in order to protect our organization's data. To determine the best methods to use, you should begin by mapping out the process or service that is going to be affected.

This will allow you to determine what applications, services, and users might require access to the data that you're trying to protect. Then you have to determine where the data is currently being stored and what security controls have already been put in place. Should authentication be required prior to accessing the data? If so, you have to determine how the users' credentials or authentication tickets are going to be protected during transmission? If authentication is not required, then how will you determine who is authorized to access a given piece of data? Next, you should consider the enterprise security policies that may affect the data for this process or service.

For example, if you're going to use password protection, what's the strength of the password that you're going to require? In addition to considering the data at rest, it's also important to consider the security of the data while it's in transit. Will encryption of the data during transmission be required? And if so, what strength is necessary? Additionally, if encryption will be utilized, how will you protect the encryption key to ensure the communication remains confidential? Whenever a new process or service is being proposed to meet an organization's business needs, you have to think of each and every one of these questions.

Every change to the enterprise network can have a cascading effect on its overall security. Therefore, it's really important to consider the specific security requirements for the data change as well as the overall effect that they can have to the overall system.