Data integrity, or the certainty that data has not been modified, is important in many cases – from communication protocols, through low-level data storage systems, to business-critical databases. Because we rely on the data we have, we need to guarantee it hasn't been tampered with before we use it to make any decision.
Unfortunately, too often data integrity is ignored with the assumption that only the lower levels of software need it – the TCP stack needs to check the integrity of a packet, file systems need to check the integrity of the data stored in them, encryption schemes need to check if the messages have not been tampered with when in transit.
But data integrity is crucial in the higher levels of software too, typically the database where business-relevant data resides. And while database software takes care of some of the integrity requirements – whether the stored bytes are readable at all – it doesn't take care of the logical, business-relevant integrity of the data. In other words, an SQL database will report if the binary representation of a page is corrupted, but it won't report a well-formed UPDATE that changes the business meaning of the data.
So here are three reasons why no business should ignore data integrity:
- Incorrect data can disrupt business – regardless of the reason for data integrity failures, if the data is not correct according to the underlying business logic it can disrupt the business. Whether it’s transaction data, reporting data or personal data, having the wrong data while believing it is correct may directly lead to revenue losses.
- Cyber attacks – "Data Integrity Is the Biggest Threat in Cyberspace" according to a high-level security expert. Whether the attack is external or internal, the risk is there, and if you cannot tell that the integrity of your data has been compromised, you may never learn there was an attack at all.
- Compliance – numerous regulations cover each business and require reporting. If the data reported is incorrect, the business is liable. That includes accounting, medical, banking, pharmaceutical, personal data, and other regulations. As a specific example, GDPR has an explicit principle for the integrity of personal data. If you don’t have the mechanisms to guarantee the integrity of the data, you may have a compliance breach.
As with anything in information security, it's easier said than done. Businesses have so many systems interacting with each other, exchanging and modifying data, that what constitutes "data integrity" may not be immediately obvious.
This is why Sentinel Trails is agnostic to the specific business case and can collect all modifications to data. Periodic comparisons can then be performed through our APIs to make sure that the data in the database is indeed what it is expected to be, and that neither accidental nor malicious modifications were performed. Not only that, but you'll be able to prove to 3rd parties, e.g. auditors, that the integrity of your data is sound. And that's cryptographically guaranteed, so you don't have to take our word for it: you can check the hashes and proofs yourself.
Data integrity is an often ignored problem, but undetected data manipulation is a serious risk, and we believe the proper way to solve it is through a tamper-evident audit trail solution and automated integrity checks against the audit trail history.
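As an added illustration (not Sentinel Trails' code or API, whose actual record format and proof scheme the page does not show), the following Python sketches the two mechanisms described above in their simplest form: a hash-chained, tamper-evident audit trail in which every entry commits to its predecessor, and a periodic check that replays the trail and compares the result against a snapshot of the live database. Table and row names and the sample records are constructed; the "database" is a plain dict standing in for a query result.

```python
import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # prev_hash of the very first entry


def canonical_hash(obj: Any) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so the hash
    does not depend on dict ordering or serializer defaults."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append_entry(trail: list, table: str, row_id: str, new_state: dict) -> dict:
    """Record one data modification. Each entry includes the previous entry's
    hash, so altering, reordering or removing any earlier entry changes every
    hash after it and is caught by verify_chain()."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "table": table,
        "row_id": row_id,
        "new_state": new_state,
        "prev_hash": prev_hash,
    }
    entry = dict(body, hash=canonical_hash(body))
    trail.append(entry)
    return entry


def verify_chain(trail: list) -> bool:
    """Check that every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or body["prev_hash"] != prev:
            return False
        if canonical_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def expected_state(trail: list) -> dict:
    """Replay the trail: the last audited write to each row is what the
    database should contain right now."""
    state = {}
    for entry in trail:
        state[(entry["table"], entry["row_id"])] = entry["new_state"]
    return state


def find_discrepancies(trail: list, database: dict) -> list:
    """Compare a snapshot of the live database against the trail. Reports rows
    whose content differs from the last audited write, rows deleted without an
    audit record, and rows that appeared without one."""
    expected = expected_state(trail)
    problems = []
    for key, want in expected.items():
        have = database.get(key)
        if have is None:
            problems.append(("missing_row", key))
        elif canonical_hash(have) != canonical_hash(want):
            problems.append(("modified", key))
    for key in database.keys() - expected.keys():
        problems.append(("unaudited_row", key))
    return sorted(problems)


def build_sample_trail() -> list:
    """Constructed audit history: two accounts created, one audited transfer."""
    trail: list = []
    append_entry(trail, "accounts", "A-1", {"owner": "alice", "balance": 100})
    append_entry(trail, "accounts", "A-2", {"owner": "bob", "balance": 50})
    append_entry(trail, "accounts", "A-1", {"owner": "alice", "balance": 70})
    return trail


def sample_database() -> dict:
    """Constructed snapshot of the live table. A-2 was changed by a direct
    UPDATE that bypassed the application, so no audit entry exists for it."""
    return {
        ("accounts", "A-1"): {"owner": "alice", "balance": 70},
        ("accounts", "A-2"): {"owner": "bob", "balance": 5000},
    }


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", verify_chain(trail))
    print("discrepancies:", find_discrepancies(trail, sample_database()))
```

The check distinguishes two failure modes the text mentions: a modified database with an intact trail (caught by find_discrepancies) and a modified trail (caught by verify_chain, even if the attacker recomputes the hash of the entry they edited, because the next entry's prev_hash no longer matches). A real deployment would additionally anchor the latest hash somewhere the database administrator cannot rewrite, for example with an external party, which is what lets you show the proofs to an auditor.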
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.