2.6 Determine data security controls

  • Data states (in use, in transit, at rest)
  • Scoping and tailoring
  • Standards selection
  • Data protection methods (Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))

There are three data states:

  • Data at Rest is data that is stored and not in use.  It includes data that is stored on hard drives, servers and tapes.  We should encrypt data that is at rest in case the data storage device is stolen.  We might use some of the following technologies:

    • TPM.  The TPM is a chip, and the purpose of the TPM is to ensure that a piece of computer hardware boots up using trusted hardware and software.  The TPM can also be used to store an encryption key for the data on the computer.

    • Self Encrypting Drive.  A Self Encrypting Drive contains hardware and firmware that automatically encrypts and decrypts the data that is on it.  The entire drive is encrypted with the same key.

    • File Level Encryption.  File Level Encryption allows us to encrypt each file with a separate key.  That means we can enforce file security at the file level.  A user can only open a file if they have a key to that file.

    • Field Level Encryption.  Field Level Encryption allows us to encrypt each field in a database with a separate key.  That means we can enforce security at the field level.  A user can only view the content of a field if they have a key to that field.

  • Data in Transit is data that is being transmitted over a network or being moved.  We should encrypt data in transit in case the communication is intercepted.

    • End to End Encryption.  End to End Encryption means that the sender and recipient agree on an encryption scheme.  If our data is transported over third-party connections, then we should use end to end encryption.

  • Data in Use is data that is in memory temporarily and being used by an application.  The application must decrypt the data in order to use it.  We can use secure computing technology to protect the unencrypted data.
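The File Level and Field Level Encryption items above both rest on one idea: a separate key per object, so holding one key opens only that object.  The following Go program is an added example, not code from the original page, that shows the field-level case for a constructed customer record.  It derives a distinct AES-256 key for each table column from a master key (the master key value, the HMAC-SHA256 derivation labelled with "table/column", and the table and column names are all assumptions of the example; in practice the master key would be held in a TPM or a key management service) and seals each field with AES-GCM, so a user holding the key for the "name" column can read the name but gets an error on the "ssn" column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// masterKey stands in for a key that would live in a TPM or a key management
// service.  It is a constructed value for this example only.
var masterKey = []byte("constructed-master-key-for-example-only")

// fieldKey derives a separate 256-bit key for one column of one table as
// HMAC-SHA256(master, "table/column").  This labelled derivation is an
// assumption of the example, not something the page prescribes.
func fieldKey(master []byte, table, column string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(table + "/" + column))
	return mac.Sum(nil) // 32 bytes, usable directly as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals a single field value with AES-256-GCM.  The stored value
// is hex(nonce || ciphertext || tag), with a fresh random nonce per call.
func encryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return hex.EncodeToString(sealed), nil
}

// decryptField reverses encryptField.  It fails when the key belongs to a
// different field or the stored value was modified (the GCM tag no longer matches).
func decryptField(key []byte, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong field key or tampered data")
	}
	return string(plain), nil
}

func main() {
	// Constructed customer record: each sensitive column is sealed under its own key.
	record := map[string]string{"name": "Bob Jones", "ssn": "123-45-6789"}
	stored := map[string]string{}
	for col, val := range record {
		ct, err := encryptField(fieldKey(masterKey, "customers", col), val)
		if err != nil {
			panic(err)
		}
		stored[col] = ct
	}
	// A user who holds only the "name" key can read the name but not the SSN.
	nameKey := fieldKey(masterKey, "customers", "name")
	name, _ := decryptField(nameKey, stored["name"])
	_, err := decryptField(nameKey, stored["ssn"])
	fmt.Println("name:", name, "| ssn with name key:", err)
}
```

The same structure gives file-level encryption if the derivation label is a file path instead of "table/column".  Access control then reduces to key distribution: whoever is not given a column's key cannot read that column even with full read access to the stored ciphertext.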

We should label the data with its classification.  This ensures that users who are handling the data know its sensitivity and will take the appropriate care.  We label the data electronically and we also label the physical storage media.

We can use different controls to protect our data.

  • Technical Control – a technical control includes software to prevent unauthorized access.  The software decides whether you can access the data, based on your role and the type of data.  The software can also include encryption.

  • Administrative Control – an administrative control is a written policy that determines whether you can access the data.  By itself, an administrative control does not prevent an unauthorized user from accessing the data.  The administrative control can be used to develop technical controls that enforce access rules.

  • Physical Control – a physical control physically protects the devices that contain the data.  It is necessary to prevent theft of the devices.  But by itself, physical controls do not prevent people from hacking in and stealing the data.

Pseudonymization of data means that we replace the personal data in a data set.  For example, we replace the name “Bob Jones” in our customer database with the customer ID “4”.  Anywhere we had “Bob Jones”, we now have “4”.  Our database is still accurate, but no longer contains Bob Jones’ name.  We follow the same procedure for the other names in the database.

Anonymization of data means making all of the data random.  This is not always possible without destroying the meaning of the data.  We might be able to use the data for aggregate purposes.  For example, if we have a salary database that lists each employee by name and their corresponding salary, we can anonymize it by deleting all of their names.  It would still be possible to guess who has what salary (for example, the CEO might be the only person making millions of dollars).
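To make the difference between the two techniques concrete, here is an added Go example (not from the original page) that runs both over a constructed salary table.  Pseudonymization keeps a separate re-identification table mapping each ID back to a name, which is exactly what makes the data still personal; anonymization deletes the names and retains nothing.  It also checks the caveat in the paragraph above: a function lists salary values that occur only once in the anonymized set, since such an outlier (the CEO's pay) still points at one individual.  The employee names and salary figures are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Record is one row of a constructed employee salary table.
type Record struct {
	Name   string
	Salary int
}

// PseudoRecord is the pseudonymized row: the name is replaced by an ID.
type PseudoRecord struct {
	ID     int
	Salary int
}

// Pseudonymizer assigns a stable ID to each distinct name and keeps the
// re-identification table apart from the data set.  Only a holder of this
// table can turn an ID back into a name.
type Pseudonymizer struct {
	next   int
	byName map[string]int
	byID   map[int]string
}

func NewPseudonymizer() *Pseudonymizer {
	return &Pseudonymizer{next: 1, byName: map[string]int{}, byID: map[int]string{}}
}

// Pseudonymize replaces every name with its ID, reusing the ID when the same
// name appears again so the data set stays internally consistent.
func (p *Pseudonymizer) Pseudonymize(rows []Record) []PseudoRecord {
	out := make([]PseudoRecord, 0, len(rows))
	for _, r := range rows {
		id, ok := p.byName[r.Name]
		if !ok {
			id = p.next
			p.next++
			p.byName[r.Name] = id
			p.byID[id] = r.Name
		}
		out = append(out, PseudoRecord{ID: id, Salary: r.Salary})
	}
	return out
}

// Lookup reverses a pseudonym.  The existence of this operation is why
// pseudonymized data is still personal data and the table must be protected.
func (p *Pseudonymizer) Lookup(id int) (string, bool) {
	name, ok := p.byID[id]
	return name, ok
}

// Anonymize deletes the names and keeps nothing that links a salary to a person.
// Sorting also drops the original row order, which could otherwise act as an identifier.
func Anonymize(rows []Record) []int {
	out := make([]int, 0, len(rows))
	for _, r := range rows {
		out = append(out, r.Salary)
	}
	sort.Ints(out)
	return out
}

// SingletonValues returns salaries that occur only once in the anonymized set.
// Each one is a re-identification risk: anyone who knows roughly what a given
// person earns can pick that row out even though the name is gone.
func SingletonValues(salaries []int) []int {
	counts := map[int]int{}
	for _, s := range salaries {
		counts[s]++
	}
	var out []int
	for _, s := range salaries {
		if counts[s] == 1 {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample rows; the third one is the outlier the text warns about.
	rows := []Record{{"Bob Jones", 60000}, {"Alice Smith", 60000}, {"Dana Lee", 2500000}}
	p := NewPseudonymizer()
	fmt.Println("pseudonymized:", p.Pseudonymize(rows))
	anon := Anonymize(rows)
	fmt.Println("anonymized:", anon, "| re-identifiable values:", SingletonValues(anon))
}
```

When SingletonValues returns anything, the data set is not safely anonymous for release; the usual remedies are to aggregate (salary bands instead of exact figures) or to withhold the outlier rows.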

A Security Control Baseline provides minimum security standards for protecting data and systems.  We should think about what kind of controls we should apply to each system or type of data.

Scoping allows us to review a list of baseline controls and select the ones that apply to each system.  We don’t need to apply every control to every system because it would be too expensive.

Tailoring allows us to modify the security controls so that they align with the organization’s policy.

We can use a framework for enforcing security.  Some popular frameworks include:

  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF).  The Risk Management Framework is a 7-step process that is used to implement security and privacy risk management.

    The RMF was developed by NIST for the Department of Defense, but it can be used by private organizations.  It is described in NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.  The seven steps are:

    • Prepare – plan a risk management strategy

    • Categorize – group different types of information

    • Select – choose the required controls

    • Implement – implement the controls

    • Assess – validate whether the controls are working

    • Authorize – authorize the system to operate

    • Monitor – monitor and update the system

  • FIPS Publication 199.  Standards for Security Categorization of Federal Information and Information Systems.

    • Provides guidelines for categorizing information based on confidentiality, integrity, and availability

    • Considers the impact on assets due to unauthorized access, use, disclosure, disruption, modification, or destruction

  • ISO 27001 provides requirements for an information security management system.  It is part of the ISO 27000 family.

  • ISO 27002 provides requirements for organizational information security standards and information security management practices and controls.

DRM, or Digital Rights Management, is a system that can prevent users from sharing, printing, or saving documents or files.  DRM is common in consumer products such as eBooks and digital videos.  DRM is never 100% effective because of the “analog hole”.  For example, if you are watching a video with DRM that prevents you from saving it, you could still record the playback with a smartphone.

A CASB or Cloud Access Security Broker is a gateway that sits between users and the cloud.  The CASB can enforce organizational policies and apply them to the cloud.  It can also authenticate users and provide them with access to the resources that they require.

DLP or Data Leak Prevention (also known as Data Loss Protection) is a technique used to prevent data from leaving an organization.  Data leaks can be accidental or deliberate.  Data leaves an organization in three ways:

  • Electronically.

    • A user can attach sensitive data to an e-mail.  For example, a user can accidentally e-mail sensitive customer data to the wrong person.

    • A user can upload sensitive data to a file sharing website or blog.

  • Physically.

    • A user can take physical copies of data (such as documents, blueprints, charts, etc.) from the organization.

    • A user can copy data onto a USB drive and take it out of the organization.

    • A user can photograph sensitive data with a cellular telephone.

  • Intellectually.

    • Most of the data leaves the organization through the brains of the employees.  Data can include client lists, trade secrets, and other intellectual property.

A Data Leak Prevention appliance is a physical network device that scans outgoing network transmissions and prevents data leaks.

  • The appliance is designed to recognize patterns within the data such as credit card numbers (which have 16 digits) or phone numbers (which have 10 digits).

  • The appliance may have advanced heuristics to analyse the context of each data transmission, including the contents, the sender, and the recipient, to determine if the data can be sent.

  • The appliance may block the transmission, allow the transmission, or trigger a manual review.

  • When the data being transmitted is encrypted between the end user’s computer and an external network, the DLP appliance will not be able to read the data.  An organization will typically have full, unencrypted access to the e-mail accounts of its users, but will not be able to filter encrypted traffic (such as Gmail or file sharing websites).  These types of websites should be blocked.

  • When combined with a SIEM, we can use artificial intelligence to detect users who are accessing too much data or data that is not required for their role.
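The items above describe the core of a DLP appliance: pattern recognition over the content, context from sender and recipient, and one of three outcomes (block, allow, manual review).  The Go program below is an added example, not the page's or any vendor's code, that implements that decision for constructed outbound e-mail messages.  It matches the two patterns the text names (16-digit card numbers and 10-digit phone numbers), treats a recipient in the organization's own mail domain as context that turns a match into allow-and-log, blocks external messages containing a card number, and sends external messages containing only a phone number to manual review.  It goes one step beyond the text by running the Luhn checksum over each 16-digit candidate, which is how a real appliance avoids flagging order numbers and tracking IDs as cards.  The internal domain "example.com", the sample messages, and the card and phone numbers are all constructed; the card number is the standard Visa test number.  As the encryption caveat above says, this code can only see traffic that reaches it in plaintext.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Verdict string

const (
	Allow  Verdict = "allow"
	Block  Verdict = "block"
	Review Verdict = "review"
)

// Message is one outbound e-mail as the appliance sees it after the mail
// gateway has decrypted it.  Traffic the gateway cannot decrypt never gets here.
type Message struct {
	Sender    string
	Recipient string
	Body      string
}

// Finding is one sensitive pattern located in a message body.
type Finding struct {
	Kind  string // "credit_card" or "phone"
	Value string
}

var (
	// 16 digits, optionally separated by single spaces or hyphens.
	ccPattern = regexp.MustCompile(`\b(?:\d[ -]?){15}\d\b`)
	// 10-digit phone number with optional separators.
	phonePattern = regexp.MustCompile(`\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b`)
	stripSep     = strings.NewReplacer(" ", "", "-", "")
	// internalDomain is a constructed placeholder for the organization's own mail domain.
	internalDomain = "example.com"
)

// luhnValid applies the Luhn checksum used by payment card numbers, so a random
// 16-digit string is not reported as a card.  This check is an addition of the example.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// scan returns the sensitive patterns found in a message body.
func scan(body string) []Finding {
	var found []Finding
	for _, m := range ccPattern.FindAllString(body, -1) {
		if luhnValid(stripSep.Replace(m)) {
			found = append(found, Finding{"credit_card", m})
		}
	}
	// Blank out card digits before the phone scan so they are not matched twice.
	rest := ccPattern.ReplaceAllString(body, " ")
	for _, m := range phonePattern.FindAllString(rest, -1) {
		found = append(found, Finding{"phone", m})
	}
	return found
}

// decide combines the content findings with context (the recipient) into a verdict.
func decide(m Message) (Verdict, []Finding) {
	findings := scan(m.Body)
	if len(findings) == 0 {
		return Allow, nil
	}
	if strings.HasSuffix(strings.ToLower(m.Recipient), "@"+internalDomain) {
		return Allow, findings // stays inside the organization: log the findings, do not block
	}
	for _, f := range findings {
		if f.Kind == "credit_card" {
			return Block, findings
		}
	}
	return Review, findings // phone numbers alone go to a human reviewer
}

func main() {
	// Constructed sample messages covering each verdict.
	msgs := []Message{
		{"alice@example.com", "vendor@outside.test", "Please bill card 4111 1111 1111 1111 and call 555-123-4567"},
		{"alice@example.com", "bob@example.com", "Call me on 555-123-4567"},
		{"alice@example.com", "vendor@outside.test", "Call me on 555-123-4567"},
		{"alice@example.com", "vendor@outside.test", "Order ref 1234567812345678 shipped"},
	}
	for _, m := range msgs {
		v, f := decide(m)
		fmt.Printf("%-22s -> %-6s %v\n", m.Recipient, v, f)
	}
}
```

The findings returned alongside each verdict are what a manual review queue or a SIEM would receive; feeding them into the SIEM is what makes the last bullet's per-user volume analysis possible.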