Data Security: Trust No One
Group 3: Safely Using Data
Zero Trust Architecture Let's do that. Let's make a new directory called colab v2 and move the older colabs into the colab v1 directory in the colabs directory. That way we have the prior stuff and all the new stuff we're going to make in this. Ideally all those would end up having the same kind of structure. Does that make sense?
The Zero Trust Reality: Whether it's a sprawling ELT pipeline or a modest Postgres setup, the risk is the same: one slip—a password, a PII column (personally identifiable information like SSNs, names, IP addresses) column—and your company could be history. The network? Unreliable. The client? Suspect.
The Big 3: Data Security Disasters That Exposed America
The Big 3: Data Security Disasters That Exposed America
When trust failed, millions paid the price
1. EQUIFAX (2017)
The Identity Theft Catastrophe
148M
Americans' SSNs exposed
What they stole:
• Social Security Numbers
• Birth dates, addresses
• Driver's license numbers
The damage:
• Data still sold on dark web
• Victims got ~$125 each
• Identity theft for decades
2. NATIONAL PUBLIC DATA (2024)
The Data Broker Disaster
170M
People across US/UK/Canada
What they stole:
• 2.9 billion records total
• SSNs, phone numbers
• Current & past addresses
The damage:
• Company went bankrupt
• No help for victims
• Half of US population hit
3. CHANGE HEALTHCARE (2024)
The Medical Records Nightmare
193M
Americans' medical data
What they stole:
• Medical records, SSNs
• Diagnoses, prescriptions
• Insurance information
The damage:
• Paid $22M, data still leaked
• Pharmacies couldn't operate
• Medical fraud risk forever
490%
increase from 2023→2024
3-4x
per year your data is exposed
$4.88M
average breach cost (IBM 2024)
Your Database Could Be Next
Unless you implement Zero Trust Security — where nothing and no one is trusted by default
Zero Trust, Always Verify: The 5 Attack Vectors
The Uncomfortable Truth
These 5 things WILL betray you. Plan accordingly.
Don't Trust the Network
Assume: Already compromised
• Man-in-the-middle attacks
Don't Trust Users
Assume: Already phished
• Credential theft
Don't Trust Admins
Assume: Insider threat
• Disgruntled employees
Don't Trust Code
Assume: Injection attempts
• SQL injection
Don't Trust Backups
Assume: Will be deleted
• Ransomware targets
Zero Trust DB Checklist (Starter)
Priority Time Zero Trust Action
CRITICAL 5 min Secure Password Management CRITICAL 1 hour Secure Network Configuration CRITICAL 10 min Least Privilege Access HIGH 5 min Enable audit logging HIGH 45 min Complete 3-2-1 Backup Strategy 3 copies : Primary + Secondary + Offsite2 storage types : Local disk + Cloud (S3)1 offsite : Different region/locationTest restores : Verify backups actually workImmutable backups : Protect from ransomware
Zero Trust DB App Checklist (Starter)
Example: SQL Injection Defense
Demonstrates: Verify Everything (validate all inputs) • Layer Defenses (parameterized queries)
The Bobby Tables Attack (Still Works in 2025!)
How a simple quote mark can destroy your database
VULNERABLE CODE (What NOT to do)
# Python - String concatenation (BAD!)
def
get_user
(username):
query =
f"SELECT * FROM users
WHERE name = '
{username}
'"
# User input directly in query!
cursor.execute(query)
return
cursor.fetchall()
Attacker Input:
Robert'; DROP TABLE users; --
Resulting Query:
SELECT
* FROM users WHERE name = '
Robert'; DROP TABLE users;
--'
↑ Query ends ↑ New command! ↑ Comment
SECURE CODE (Always use prepared statements)
# Python - Prepared statement (GOOD!)
def
get_user
(username):
query =
"SELECT * FROM users
WHERE name = %s"
# Placeholder, not string!
cursor.execute(query,
(username,)
)
return
cursor.fetchall()
Same Attack Input:
Robert'; DROP TABLE users; --
Resulting Query:
SELECT
* FROM users WHERE name =
'Robert''; DROP TABLE users; --'
↑ Entire string treated as data, not code!