Be that as it may, IT in the modern world is becoming the main driver of business, and therefore, IT security in its purest form is a business property that increases or, conversely, reduces the company's capitalization.
The main directions in the field of information security:
Database protection
Most companies use massive databases that store financial, customer and other confidential information. Today the task of keeping them secure is especially acute. The main means of data protection include the following:
login by password or by digital signature, smart card or token;
differentiation of access rights to database objects;
protection of fields and rows of database tables;
data encryption.
Information can be encrypted inside the database itself, at the level of the database file or files, or at the level of disk partitions and entire disks.
VDI, VDS\VPS, DS, Cloud
Among the advantages of these technologies is the protection of user data, which is physically located on centralized server equipment. Thanks to this, the user work environment is more manageable than with traditional workstations.
VDI (Virtual Desktop Infrastructure) is the virtualization of the workplace and its placement in the data center, with flexible and centralized management. Unlike terminal services, in such an infrastructure each user gets access to a personal desktop from any authorized device, which makes the desktop system more flexible. IT departments can take advantage of the full range of centralization benefits, including centralized desktop workload management and business continuity. VDI also makes backups easier. Administrators can lock the image and block the use of external devices. With images and data stored in the server infrastructure, backups can be centralized on servers or storage devices rather than on client machines. Distributing patches and updates is simplified, since only the image needs to be updated, not every physical computer. In addition, desktops can be used on various platforms and devices, from desktop PCs to thin clients and mobile devices.
VPS / VDS (Virtual Private / Dedicated Server) is a hosting technology in which several isolated virtual machines run on one physical server. Each of them is a virtual analogue of a physical (dedicated) server. When ordering a VPS, the tenant gets full access to its management (at the administrator / root level). In its principle of operation and operational features, a virtual dedicated server differs little from a physical server. It has no restrictions on the number of hosted sites, databases, domain zones, or SSH, FTP and email users, and its owner-administrator has the right to work with files, install applications and perform other operations, as on a real full-fledged server.
Each virtual server has its own IP address, which is not shared with anyone else.
DS (Dedicated Server) is a service that gives the client the opportunity to store their data on a separate physical server. The "dedicated server" service involves renting one physical server to a single client. You choose the parameters, calculating the possible future load, and the hosting provider places the server in a rack cabinet at the data center. For the duration of the rental period, the provider ensures an uninterrupted supply of electricity and Internet connectivity to your server and keeps the server itself running, that is, it constantly monitors its technical state, watching for the failure of any component: hard disk, processor, power supply and so on.
A cloud server is the type of hosting that all major Internet projects are gradually moving to, because it costs less than a dedicated server and is much more convenient. A cloud server makes it possible to increase capacity at any time if the project is developing and requires more resources. The difference between cloud and dedicated servers is that you can increase the capacity of a cloud server at any time without stopping work and transferring all data to a new server, and without waiting until the configuration of your dedicated server is expanded. The difference between cloud and VPS servers is that many VPS offers don't guarantee the resources that are provided, that is, other users with larger projects can slow down your project. With cloud, you are guaranteed to get the resources you pay for.
Mobile Protection
The main methods of protection against mobile threats:
Data encryption on the device. You can encrypt individual folders (if the system allows), application data, or the entire device. Where possible, hardware boards should be used for encryption and for storing key information.
Network traffic protection: data channel encryption and the use of external filtering solutions to clean traffic. This means using a corporate gateway that scans web and email traffic, or using cloud solutions to clear traffic of malware.
Zeroing data on a compromised device (wipe). Destruction of all data, or of the data of a separate corporate application, in case of loss or theft of the mobile device. Zeroing can be triggered by a remote command or after several unsuccessful authentication attempts.
Implementation of a "sandbox": using an application with an isolated container for storing data, which usually encrypts data, controls its integrity, isolates application data in RAM, prohibits copying data (up to a ban on taking screenshots) and supports remote data destruction.
Monitoring installed applications, up to compiling a "white" list of allowed applications, and monitoring their integrity. Application integrity control when the device is turned on.
Using two-factor authentication: it is desirable to use additional means of authentication, in particular fingerprint scanning. It must be borne in mind that some biometric authentication methods, for example face recognition, are not very reliable. Authentication by entering an SMS code is also now regarded by many experts as insufficiently reliable.
Timely regular installation of OS updates, applications, drivers. It is important to use official software sources.
Antivirus protection: regular scanning of the system, files, applications. Scan applications before installing them.
Generally applicable guidelines for the safe use of both personal and corporate mobile devices are:
Use only trusted official firmware and applications.
Personal mobile hygiene in the use of devices: do not install unknown programs from untrusted sources, and do not give applications excessive permissions (for example, a flashlight application does not need access to photos).
Maintaining the physical and logical security of the device: do not hand the device to strangers or unofficial experts, and do not provide remote access to the device to an untrusted party, for example an unverified bank employee on the phone.
Periodic monitoring of system parameters: battery consumption and network activity. If an application consumes an abnormal amount of resources, this is a reason to check or even delete it, since it may be performing malicious activity.
Disabling the paid content function of the telecom operator will protect against illegitimate withdrawals from your mobile account.
In case of problems with an application, send reports to the manufacturer using the application's own means or through the official store. This will help developers to detect and neutralize possible infections in time.
Identification, Authentication and Authorization Systems
Identification is the procedure for recognizing a subject by its identifier. In the process of registration, the subject presents its identifier to the system, and the system checks for its presence in its database. Subjects with identifiers known to the system are considered legitimate (legal); the remaining subjects are illegitimate.
Authentication is the procedure for verifying a subject's authenticity: it reliably confirms that the subject that presented an identifier is actually the subject to whom that identifier belongs. To do this, the subject must confirm possession of some information that can be available only to it (password, key, etc.).
Authorization is the procedure for granting a subject certain access rights to system resources after it has passed authentication. For each subject in the system, a set of rights is determined that it can use when accessing the system's resources.
Existing user authentication systems:
Password systems (the easiest and most common way)
PKI systems (cryptographic certificates)
One-Time Password Systems
Biometric systems
Most user authentication mechanisms are based on passwords, so this method is the most common. Because of its "openness", the tightening of requirements for password length, and the large number of password-cracking programs, this system is also the most vulnerable.
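The three stages defined above, shown as an added example (not code from this page or its author) for the password system case. The function names, the PBKDF2 iteration count and the sample subjects are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def derive(password, salt):
    # Store a slow, salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, ident, password, rights):
    salt = os.urandom(16)
    db[ident] = {"salt": salt, "hash": derive(password, salt), "rights": set(rights)}

def identify(db, ident):
    """Identification: is the presented identifier known to the system?"""
    return db.get(ident)

def authenticate(record, password):
    """Authentication: does the subject hold the secret bound to the identifier?"""
    return hmac.compare_digest(record["hash"], derive(password, record["salt"]))

def authorize(record, right):
    """Authorization: is the requested right in the subject's set of rights?"""
    return right in record["rights"]

def access(db, ident, password, right):
    # The failing stage is returned for illustration only; a real login
    # form should answer the first two cases with one generic message.
    record = identify(db, ident)
    if record is None:
        return "unknown identifier"
    if not authenticate(record, password):
        return "authentication failed"
    if not authorize(record, right):
        return "not authorized"
    return "granted"

if __name__ == "__main__":
    db = {}  # constructed sample subjects
    register(db, "alice", "correct horse battery", {"read", "write"})
    register(db, "bob", "s3cond-passphrase", {"read"})
    print(access(db, "alice", "correct horse battery", "write"))
    print(access(db, "bob", "s3cond-passphrase", "write"))
```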
Data backup
Backup is the creation of copies of files on another device or in the cloud in case of loss, theft or damage of the main device. Its essence is that if there are problems with the information on the main computer, smartphone or tablet, the copy will not be affected. In addition, making a copy is much easier than recovering deleted, lost or stolen data. There is no general backup solution that suits all clients, but a number of recommendations for this subsystem can be singled out. For example: organizing multi-level storage of backup copies (tape libraries, VTL, cloud), using local service accounts for backup systems or two-factor LDAP authentication, keeping the software and hardware complex on current versions, and periodically testing backups. It is also important to remember that the goal of creating backups is not successful backups but successful data recovery.
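One way to carry out the periodic backup testing recommended above, as an added example that is not part of the original page. It assumes a tar.gz archive and a SHA-256 manifest recorded at backup time; the function names are hypothetical.

```python
import hashlib
import tarfile
import zlib
from pathlib import Path

def make_backup(src_dir, archive_path):
    """Archive src_dir; return a manifest {relative path: SHA-256 of source}."""
    src, manifest = Path(src_dir), {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
                tar.add(p, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Read every file back out of the archive and compare it with the
    manifest taken at backup time. Returns a list of problems; empty = OK."""
    seen, problems = set(), []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                digest = hashlib.sha256()
                with tar.extractfile(member) as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                seen.add(member.name)
                if member.name not in manifest:
                    problems.append(f"unexpected: {member.name}")
                elif digest.hexdigest() != manifest[member.name]:
                    problems.append(f"hash mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A backup job can report success and still leave an unreadable file.
        problems.append(f"archive unreadable: {type(exc).__name__}")
    problems += [f"missing: {name}" for name in sorted(set(manifest) - seen)]
    return problems
```

Keep the manifest apart from the archive, so that damage to one does not hide damage to the other.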
Comprehensive Email Protection
Email remains one of the main channels for spreading viruses. Moreover, not only phishing but also so-called spear phishing, that is, targeted phishing, has recently come into use. With this type of fraud, viruses are not sent to just anyone. The messages are carefully composed, thought out and sent to specific individuals in the company. As a rule, accounting departments and lawyers are most exposed to such attacks - all those who receive a lot of official letters and can open an infected one without thinking. Unfortunately, no single reliable way to protect your email exists. The security of e-mail systems can only be ensured by a set of measures, which include:
Server location selection, network security
Using a firewall or specialized Email Security Appliance
Access control to corporate mail, determination of privileges for each category of users on mail and other provisioning servers
Using encryption to protect e-mail messages - even if they are intercepted, their contents will be impossible to read
Using specialized antiviruses
Using email protection tools for spam filtering
Training employees in the basics of information security