Why Does Security Matter?
A data warehouse combines data from many sources. More often than not, this data contains personal and/or financial information, which multiple departments rely on for reports and analysis.
Fusion, for example, is a data warehouse that unifies data from SaaS applications like HubSpot, Marketo, Salesforce, NetSuite, and others. The warehouse stores both raw data and data about contacts, companies, opportunities, campaigns, and other sensitive information.
How, then, would you know if your data warehouse, your single source of truth, is secure? Which stringent performance and scalability requirements define security? What are the industry best practices for maintaining security over time? And which certifications should your data warehouse have so that you can trust its security has been tested?
In this post, we'll answer all of these questions and more. First, we'll discuss what makes a data warehouse secure. Then, we'll look at popular security measures for data warehousing, as well as official documents that attest to a secure status.
Let's get started!
What Makes a Data Warehouse Secure?
At the most basic level, a secure data warehouse prevents unauthorized users from accessing, modifying, stealing, and/or selling data. Due to their relative maturity, data warehouses are generally more secure than data lakes.
A secure data warehouse is thus only available to certain user roles. To be secure, it must keep a record of activities performed by each user and have multiple security checkpoints, built on a scalable technology stack, that trained employees may continuously monitor and patch to stay ahead of digital threats.
Above all, however, data warehouses are also only secure insofar as their security has been measured, certified, and tested on a regular basis.
Security Measures, Certifications, & Tests
Say you're on the phone with a potential data warehouse vendor. What questions should you ask to make sure their offering is secure? How can you tell if their security has been tested by a trusted authority? Below we've compiled a few questions as a springboard to your security conversation. If you have any additions, feel free to leave them in the comments below!
Do you encrypt, mask, & tokenize data?
When connecting to third-party services on behalf of customers, you want to make sure there is encryption at rest, user authentication, data access history tracking, and authorization. The best data warehouses use multiple techniques for "masking", or hiding original data with random characters, and data tokenization, the substitution of a sensitive data element with a non-sensitive equivalent.
Traffic between customers and Bedrock Data, for example, is protected with highly secure in-transit encryption using only the most secure TLS protocols and ciphers, along with 2048-bit encryption keys that rotate regularly. API endpoints are also protected by a valid SSL certificate.
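The difference between masking and tokenization as defined above, shown as an added example (not Bedrock Data's or Fusion's code). The `TokenVault` class, the `tok_` prefix, and the sample records are hypothetical and constructed for illustration.

```python
import secrets
import string


def mask(value, keep_last=4):
    """Masking: replace all but the last `keep_last` characters with random
    ones. Nothing is stored, so the original cannot be recovered."""
    cut = max(len(value) - keep_last, 0)
    pool = string.ascii_uppercase + string.digits
    hidden = "".join(secrets.choice(pool) if c.isalnum() else c for c in value[:cut])
    return hidden + value[cut:]


class TokenVault:
    """Tokenization: swap a value for a random token and keep the mapping in
    a separate store (in-memory here; an assumption for the example)."""

    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value):
        # A repeated value reuses its token, so joins and counts still work.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token, authorized=False):
        # Only callers with vault access get the original value back.
        if not authorized:
            raise PermissionError("detokenization requires vault access")
        return self._by_token[token]


# Constructed sample records, not real data.
CONTACTS = [
    {"email": "ana@example.com", "card": "4111-1111-1111-1111"},
    {"email": "ben@example.com", "card": "5500-0000-0000-0004"},
    {"email": "ana@example.com", "card": "4111-1111-1111-1111"},
]


def protect(rows, vault):
    """Return the rows as they would be stored for analysts."""
    return [{"email": vault.tokenize(r["email"]), "card": mask(r["card"])}
            for r in rows]
```

Masked values keep their shape for display but are one-way; tokens are reversible only through the vault, which is why the vault needs its own access controls.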
How do you secure data in transit and at rest?
Data at rest should be encrypted at multiple levels, including on the physical disk and by the logical storage subsystem. At Bedrock, we use AES-128 and AES-256. Keys are randomly generated and encrypted asymmetrically, stored and protected by a proprietary key management service provided by a global leader in infrastructure security, and data in transit is secured with TLS 1.2 or higher. We also employ multi-factor authentication (MFA) in addition to IP whitelisting and blacklisting protocols.
What kind of vulnerability scans do you run? How often?
Every data company should scan their network for vulnerabilities, usually on a weekly, monthly, or quarterly basis. As part of your investigation, make sure your vendor can provide their scan results to you under suitable non-disclosure arrangements.
Are you certified with SOC 2, Type II? For how long?
This question is especially important. If you're unfamiliar with SOC 2, Type II reports, they are one of the most comprehensive certifications. A data warehouse product that has SOC 2 Type II certifications has truly proven its system is designed to keep its clients' data secure.
In general, SOC 2 Type II reports look at organizational oversight, vendor management, risk management, and regulatory oversight of a service provider. A SOC 2-certified service is particularly appropriate for businesses whose regulators, auditors, compliance officers, business partners and executives require documented standards. With this certification, you can be assured that the data warehouse's processing integrity, availability, privacy and confidentiality of personal information are of the highest pedigree.
What about ISO 27001 certifications?
This international standard describes best practices for an ISMS (information security management system). Any data warehouse that has achieved accredited certification to ISO 27001 exhibits further proof that data is protected and securely managed.
Do you comply with PCI?
PCI DSS (Payment Card Industry Data Security Standard) certifications were designed to protect account data. Specifically, PCI deals with payment card processing for merchants, acquirers, issuers, and service providers. It inspects firewall configuration; how cardholder data is protected, stored, and encrypted; the type of malware and anti-virus software used; and the nature of the security network as it relates to payments. Usually, a PCI test will tell you the number of unique components scanned, identified failing vulnerabilities (if any), the date the scan was completed, and the date it will expire. Bedrock Data is compliant with PCI-DSS SAQ-A and has been certified by Trustwave.
What is your process for dealing with DDoS attacks?
A distributed denial-of-service (DDoS) attack is serious. Many compromised computer systems may attack a server, website or other network resource to cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems. Make sure your data warehouse has DDoS protection software that can detect and thwart such attacks before they cause an outage.
Can you provide me with GDPR compliance documentation?
Are you HIPAA compliant?
As guardians of protected healthcare information (PHI), organizations must protect patient records. Fusion warehouses data using AWS, which is HIPAA compliant. However, this is still not a perfect safeguard, as HIPAA risks still exist. If you are a healthcare provider, always check for unprotected AWS S3 buckets and permissions using tools like this S3 Protector and others.
Can you provide evidence of your compliance records?
When doing your due diligence, feel free to ask your vendor for a copy of certificates and tests as proof that their data warehouse product is secure. If they comply with certain standards, this request should be routine and easy for them to fulfill.
What is your triage system and timeline for incident response?
Any attempts to detect security violations depend on the threat's level of severity. Some incidents incur minimal impact on operations, users, or personal data, whereas other violations may pose criminal threats, endanger staff, and suggest monetary fraud. Make sure your vendor has a clear system that delineates the risk levels of such threats, along with a detailed plan for how to combat every type of incident.
Do you have a security team? If so, could you please elaborate on their backgrounds?
Monitor daily inbound IP traffic via standard monitoring software to look for anomalous activity. Bedrock shall monitor the logs of login activity for multiple failed logins to determine if there is any attempt to hack passwords through repeated or automated retries. The Server Security log shall be reviewed at least monthly.
Someone on the security team should already have experience helping clients obtain and maintain compliance with policies like PCI, GDPR, or even HIPAA.
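One way to implement the failed-login review described above, as an added example (not Bedrock's monitoring code). The log layout, the `find_retry_bursts` name, the threshold and the window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the "timestamp result user ip" layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:03 FAIL alice 203.0.113.7
2024-03-01T09:00:05 FAIL bob 203.0.113.7
2024-03-01T09:00:07 FAIL carol 203.0.113.7
2024-03-01T09:00:09 FAIL dave 203.0.113.7
2024-03-01T09:05:00 FAIL erin 198.51.100.20
2024-03-01T09:30:00 FAIL erin 198.51.100.20
2024-03-01T09:31:00 OK erin 198.51.100.20
malformed line
"""


def find_retry_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source IP or username that reaches `threshold` failed
    logins inside a sliding `window`. Assumes lines are in time order."""
    recent = defaultdict(deque)  # ("ip" | "user", value) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        stamp, result, user, ip = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        if result != "FAIL":
            continue
        # Count per IP and per user: retries spread over many accounts from
        # one address never trip a per-user counter on their own.
        for key in (("ip", ip), ("user", user)):
            times = recent[key]
            times.append(when)
            while when - times[0] > window:
                times.popleft()
            if len(times) >= threshold:
                alerts.append({"kind": key[0], "value": key[1],
                               "failures": len(times), "last_seen": stamp})
                times.clear()  # one alert per burst, then start counting again
    return alerts
```

On the sample, only the address that failed against four different accounts within a few seconds is flagged; the two failures 25 minutes apart are not.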
Do you have an employee exit SOP?
When an employee leaves the company, regardless of reason, every company should follow a standard operating procedure to ensure electronic and physical security of assets. This question is just one way to make sure your vendor has dotted their i's and crossed their t's.
What is your uptime SLA?
Any data warehouse worth its salt will periodically run tests or deploy fixes to their production, development, and sandbox environments. Although security should be of utmost importance, make sure that your vendor's uptime SLA percentage meets your standards (e.g. 99% or 99.5%).
While this article is by no means an exhaustive list, the above offers a helpful starting point as you research data warehouse products and look to ask more pointed questions about security.
Here at Bedrock, we're happy to answer any security-related questions you might have.
Want to get started automating your data pipeline? Fusion gets you from raw data to analysis in minutes and cuts data prep time by 80%. You can sign up for a free trial today or contact us here.