Data security

The policies that govern the ways in which data is stored, encrypted, mirrored, deleted, and manipulated have never been more important. Data security begins with encryption and redundancy: if hackers are able to break through a company’s defenses and grab hold of data sets, encryption can prevent such an intrusion from becoming a major meltdown. Although total encryption has been associated with reductions in network speed, advancements in encryption solutions and processing power mean that none of a company’s data should exist in a non-encrypted format.

There are dozens of disk-encryption solutions on the market with varying capabilities. Telecom-specific solutions are available from large vendors such as IBM and Cisco in addition to newer market entrants like Integra Telecom and FishNet Security. The latest generation of data-security solutions offers advanced options such as preboot authentication, two-factor authentication and hidden container support, which greatly diminish the ability of cybercriminals to gain access to sensitive data.

Mirroring data in more than one location to create redundancy is also essential. Even if certain data is useless in its encrypted form, some hackers who want to bring down services will delete or damage the supporting databases. It’s extremely dangerous for data to fly solo.

How data is deleted is critical as well. Secure deletion programs like Eraser overwrite random data in empty or deleted sectors so that potentially valuable digital detritus is unrecoverable. Hard drives that are decommissioned or succumb to mechanical failure must be fully destroyed.

With the rising popularity of cloud-based solutions it’s critical, from both a business standpoint and a legal one, to understand the data-security policies of any cloud providers that may be in the service chain. The same goes for third-party partners: if an app, for instance, doesn’t have strong data-security policies but leverages direct-carrier billing APIs to process payments, a security hole exists.

Verizon took steps to bolster its data-encryption standards related to point-to-point transactions after discovering that “too many businesses struggle to comply with payment-card security standards, putting consumers’ confidential information at risk,” according to Rodolphe Simonetti, the CSP’s managing director of payment-card industry services.

Process security

How do your company’s systems, applications and devices react to unexpected or malformed process requests? Very often, cybercriminals are able to gain access or visibility into processes by sending requests that cause systems to fail. With the growing complexity of networks, services, applications, devices, and third-party partners, attaining end-to-end visibility of process security can be very difficult.

Fuzz testing, or fuzzing, is a valuable, automated tool that can help address this concern. As I outlined in another article in this month’s issue, “What Will They Hack Next?” fuzz testing enables CSPs to expose any and all security holes related to processes that exist in their ecosystems. Fuzzing can reveal vulnerabilities in hundreds of protocols, including Bluetooth, VoIP, LTE, IMS, metro Ethernet, and XML before they’re up and running on the network. Currently available from companies such as Codenomicon, QualiTest and P1 Security, fuzz testing is truly one of the best security solutions for next-generation service providers.