Skip to main content

How is Data Management Strategy plays key role in Securing Financial database?

Image
By

Sensitivity of data

      Some database contains what is called sensitive data. As a working definition sensitive data are data which cannot be made public. Determining which field and entities are sensitive based on individual database and underlying meaning of data. There are two category of databases nothing sensitive and completely sensitive. Some of the example of nothing sensitive database is public library digest, Movies database and many more. However, there are very few databases completely sensitive such as financial database, defence database and partial co-operate databases.

      This Blog mainly focus on financial database so let’s investigate some simple entity relation diagram just related to customer account. Basic Customer account table entities carries name, Address, type of account, Account Number and many more sensitive fields. Which can be used to grant access to credit card or health details from authorized stakeholders.

ER Diagram of Simple Financial Database

 

Strategic Plan to Manage Financial Database


Data Life Cycle

 

Above display graphics is a standard data life cycle every industry should follow. Financial firm also follow similar data management cycle. Each stage has their own functionality and uniqueness. We will also discuss on security threats, strategy to avoid certain threats and possible outcomes on certain data life cycle stage.

Collect

Let’s starts with Collection of data, Collection of data starts right before you were not a member of any institute. Do you know how? When you schedule and appointment for opening bank account, they ask your name, email, phone number and purpose of appointment right. But every institute and province have their own law and regulations regarding the collection of information worldwide, especially on personal information (PII or PHI). But next question is how institute is going to use information you provided to institute is totally underlying on institute. But personal information must be collected fairly and accurately and used only for authorized purposed by the owner. Information owner need to be kept data private and destroyed after the completion of purpose.

Potential Security threats for Data capture stage are data breach on 3rd party software’s such as Appointment scheduler application used by financial branch to notify customer and adviser and local system webpages not hosted on secure connection such as HTTPS which allows external users to snip the traffic.

Preventions or strategy for Collection of data stage are in-person form filled up and data entry should be done within secure environment. Avoid taking appointment via emails, phones or voice mail system which may be tapped in between. System should be well pen tested before deploying on site.

Possible Outcome of Strategy we followed for collection of data is Significant drop on phishing attack and almost zero data tampering.

Store

            After Collection of data its pretty obvious it’s needs to store somewhere, most common data storages are hard drive but there are two different kind of hard drive such as SSD (Solid State Drives) and HDD (Hard Disk Drives). But SSD are remarkably faster than HDD. But the question is do we need to install all SSD’s over the network? Answer is NO, because we don’t need same kind of response rate for all the applications such as retrieving bank statement need to be quicker so probably we need SSD for such operation but Probably one can use HDD to store less responsive data such as Appointment scheduled entries. Next questions, do data storage network should be flat or modularized? Answer to this It should be hybrid-modularized means Transactions history of Car loans and home mortgages of each customer should be held in separate drive than the daily chequeing account transaction, because daily chequing account query are more frequent than home mortgages and car loans.

            Potential information stealing threats for this stage are SQL Injection or database injections, buffer overflow because of in-proper assigning of data types while defining schema and ransomware attack because it’s an important data so they will request for releasing the encrypted data.

            Preventions or strategy for storing data stage are don’t trust any form of string, don’t construct dynamic queries with user input, define sensitivity of data and accordingly take periodically backups of systems, construct solid firewalls which allows only internal network users, Modularize Network infrastructure.

        Possible outcome of Strategy we followed for storing data is decrease in DoS (Denial of Service), Maintain reliability and credibility of data and based on sensitivity of data optimization of backups which leads to reductions of redundancy.

Process

            Raw data is like a crude oil. To make use of that data and derive some insights from data, Data needs to refine or proceeds. Most import thing while processing the data is originality of data should not be lost. There should be Quality control to check internal standard and monitor data quality. Also, Quality Assurance is an external standard to assure the data presented meets the agreed quality standards. In Banking sector, Credit card is being used in different time zone by your family member than which transaction time should be posted under the transaction history. To mange this kind of situation developer need to show current time zone time on instance of page from where page is being accessed by converting original time from different time zone.

Potential Security threats for this stage are in-campus data breach means intentionally installation of bugs into system by current employees, Low Confidence means Impaired decision-making and planning as a result of low quality, inaccurate or incomplete data and not intentional Human Errors leads to data breach like compromise of private keys.

Preventions or strategy to avoid cyber threats of this stage are in-depth background check of employee before hiring, Whistleblowers should be promoted, should develop software with certain requirement and lastly, data quality improvement plans should be implemented within institute.

Possible outcome after implementing preventions are Decreases in-campus fraud, decreases in Human errors, Increase in Confidentiality and credibility of data and decrease in data tampering and outsourcing without agreement. 

Share

Data is Accessed, Used, Shared and published to the agreed 3rd party vendors. But it is important to identify the policy of data sharing between the stakeholder and 3rd party vendors. Questions comes how and on what medium data is being shared and what amount of data? Answer to this is data custodian is responsible for the data access, the data owner is the largest stakeholder of data and should have the ultimate sign-off on how data is shared. Stakeholder of data and 3rd party vendor mutually agrees on how and through what medium they need to share the data usual method is over the cloud by sharing keys and giving the access to instance or resource.

Potential security threats for this stage are loss of control over sensitive data, data leakage over cloud, loss or misplaced private key allows access to resource by unauthorized user who can install backdoor plugin and gain persistency over the resource.

Prevention or strategy to avoid security threats for this stage are always use secure protocols while sharing data along the side its always recommended to implement end-to-end encryptions connections while data shared over cloud or different medium. Another main strategy is implementing key management policy and periodic change of cloud credentials.

Potential outcome after implementing strategy mention above is it will decreases in probability of data loss over the cloud which leads to significant drop or almost zero data leakage guaranty. After successfully implementation of key management and periodically changing cloud services credentials its significantly decreases in access to resources from intruders.

Archive

            Most common and best practice all the co-operates generally does is backup and recovery of data if they have lost or data is being corrupted during the other process. But there is always backup policy and archive policy followed by all institutes. For example, financial firms usually keep the record of lost credit cards and broken magnetic card record but where does they store those data which is not frequently queried, so usually they store not frequently used details either in HDD instead of SSD’s which drop their recovery pricing. But Question here is for how long financial firm keeps the data under less expensive devices? Answer is The retention periods is the time frame after which the data is expired and will be of no use this period is regulated by firm and mentioned under their policy such as CRA carries last seven years of individual files after that Agency dump or destroy the past data.

            Potential Cyber threats during backing up and recovering data are Attacker may encrypt the backup drives using some encryption algorithm which won’t allow the admin to boot the system and access the important file system also known as ransomware attack. During those kinds of attack, Intruders may corrupt or delete the golden image of resource which impact the complete stop of services provided by compony.

            Preventions or Strategy implemented by malware analyst for this stage are define sensitivity of data and define periodic backup on different network cloud or services. moreover, it’s always recommended to keeps backup separate network or completely offline. Network admins should always keep multiple golden images stored at different locations.

            Potential outcome after strategy implemented by malware analyst are Don’t need to pay to Attacker who encrypted the backup data, Service never stopped for long time span because one can always get started with non-infected golden image. 

Destroy

            After Expiring of data, according to the company policy they need to destroy data such a way that there should be zero percentage (0%) data remanence. Data Remanence is the residual data that remains after data destruction. Because with certain amount of data remanence it is possible to extract and reconstruct a partial or full set of original data. So, the question is how to destroy the presence of data? Answer is There are certain 3rd party vendor provides certified services of destroying the fingerprints of original data on request. They usually used mechanical and software tools to destroy the hard drive (SSD/HDD).

            Potential data recovery threats are lost or misplacement of physical drive and Electronically retrieval of data from formatted hard drive.

            Preventions and strategy used by institute are they hire 3rd party vendor to destroy the presence of data. Technology used by them are robust data wiping by multiple pass and random array approach to sanitizing data. Physical on-site or off-site destruction of HDD/SDD. To maintain Count of Assets compony should also implement asset management tools which may use to track or log the events.

            Potential outcome of strategy implemented for destroy stage are No fingerprints of expired data and decreases in loss of physical assets.


  Even after Implementing solid data management strategy. Is there any probability to loss or compromise the data? Answer is Yes because there is no solid Guideline to prevent data from hackers.



Credit:

Charvik Patel

Comments

  1. SanyaMay 25, 2020 at 12:43 PM

    Great work!!

    ReplyDelete
  2. UnknownMay 26, 2020 at 4:40 PM

    Very useful

    ReplyDelete
  3. Mary JamesNovember 24, 2021 at 10:14 PM

    You've written a fantastic article about Secure Hard Drive Disposal. This article provided me with some useful knowledge. Thank you for providing this information.

    ReplyDelete
  4. John SteveFebruary 28, 2022 at 6:12 AM

    Digital transformation is the need of the hour. Additionally, organizations can leverage no-code Data Management Solution to seamlessly build innovative end-to-end enterprise solutions in minutes.

    ReplyDelete
  5. AnonymousOctober 14, 2022 at 1:08 PM

    slot deposit via dana, slot online, judi online, slot deposit dana, slot deposit dana 10000 tanpa potongan, slot deposit dana 10000

    ReplyDelete
  6. ZiyaMay 22, 2023 at 2:35 AM

    Nice. I absolutely appreciate how you explain everything. Thank you for sharing this article. erp customer service

    ReplyDelete

Post a Comment

Thanks

Popular posts from this blog

Emotional and Psychological Trauma

By
What is Emotional and psychological trauma ? Emotional and psychological trauma is any stressful event that occurs in a lifetime that makes you struggle with your emotions, memory,different activities and make you feel helpless and hopeless in this ruthless world. The event may not be objectively scaled it is a subjective sensation about a event and every individual respond differently to the event . For example a death in a family due to accident due to an pothole makes one dad react positively and he goes on to correct every pothole of the city and some other may react it negatively Emotional and psychological trauma can be caused by: In Indian scenarios emotional and psychological trauma can be caused by accident,disasters, sexual assault that may have occurred at any course of life Ongoing family issues, neighbourhood problems , continues rejection from various interviews , household violence , neglect, low performance at school or institution, contin...
15 comments
Read more

Are You Prepared Against Cyber Threats?

By
What is the worth of information Security in 21 st century? Imagine small or medium scale business having around 2500-4000 employees working. What if there is a data bridge of small or medium scale compony? Information carries by Venture are employees’ names, Address, Banking Forms, Tax forms which also includes Social incurrence Number and their dependents names and supporting information which may be sell or used for personal blackmails by intruders which was kind of storyline of Scotty’s Holdings data bridge [1] . Main base of this data bridge was email phishing which were send to all over compony employee pretending to be CEO. Which contains Employer identification number (EIN), Employer’s name, address, and ZIP code, Wages, tips, other compensation and many more fields. But it’s not the first or last compony to be a part of Email phishing Attack. Main purpose of Email Phishing scams is stealing banking credentials or any other form of credentials. Preventions Employer and Emp...
24 comments
Read more

Office of the Personnel Management (OPM) Data Breach: A Case Study

By
WHAT HAPPENED IN THE OPM DATA BREACH      As the relationship between humanity and technology develops, an emergent area of concern lies in the security of the information ferried over and handled by this technology. A myriad of information security and data breaches reported upon by news media in the recent past has had the simultaneously fortunate and unfortunate effect of bringing information and network security into the public consciousness. One such incident was the United States (US) Office of the Personnel Management (OPM) data breach.      While there are many aspects of the OPM data breach that are notable, chief among them is that the perpetrator of this data breach has been widely attributed to China. As China increases its economic clout and develops its technological capabilities, its international presence is becoming more and more pronounced—and not always in the best light. Sanger (2018) has noted that by 2009, Google executives...
5 comments
Read more