Section 7 – Data Protection
CompTIA Data Protection
We cannot protect all data equally, due to the complexity of protection and the resources available
Data Classifications
overclassifying data leads to protecting all data at a high level = expensive overhead
not usually necessary, so we classify the data first
2 different classification schemes:
commercial biz
govt org
commercial
public = no impact if released, eg on a website
sensitive = minimal impact if released, eg some financial data
private = should only be used within the org, eg private staff records, revenue, salaries etc
confidential = eg trade secrets, IP data, source code for new projects, NDA material
critical = contains very valuable info, viewing and access severely limited, eg credit card numbers
Govt
unclassified = can be released, may be required to be open under a Freedom of Information Act
sensitive but unclassified = eg medical records, personal files; no impact on national security but can impact the individuals themselves
confidential = unauthorised disclosure could seriously affect the govt
secret = unauthorised disclosure could damage national security, eg military info or data
top secret = eg blueprints for weapons systems, or defence plans
3 elements of the data lifecycle: data should not be stored forever, since masses of stored data are also an overhead and a cost
depends on:
collection
retention = can be governed by laws
disposal
DATA OWNERSHIP
the person responsible for the confidentiality, integrity, availability and privacy of the data
The person who created the data is not necessarily the data owner!
Data owner = a senior exec role, has ultimate responsibility for the confidentiality, integrity and availability of the data
NOT the person who created the data!
Data controller = decides on the methods for storage, collection and usage; responsible for any breaches of confidentiality
Data processor = assists with collecting, storing and analysing the data; appointed by the data controller
Data steward = focused on the quality of the data and its associated metadata
Data custodian = responsible for managing the system on which the data is stored, eg a sysadmin
Data Privacy Officer = responsible for oversight of any privacy-related data that is subject to privacy law, and for data breaches
above all have to ensure we are compliant with data regulations and laws
so who should own the data?
IT dept? – wrong answer, because the IT dept are custodians; they don't know about the data. It should be someone from the business side
eg accounting dept resp for their accounting data
sales data: sales dept
HR data: hr dept
DATA STATES
each state represents a different stage in the lifecycle of the data
data at rest = stored in databases, file systems, drive volumes etc; can be encrypted, eg:
full disk encryption (FDE) – encrypts the entire hard drive
Partition Encryption – only specific partitions of the hard drive
File Encryption – a specific set of files or directories
Database Encryption
Record Encryption – specific fields in a DB only
data in transit = actively being moved via a network or the internet; vulnerable to interception
can be encrypted using:
SSL/TLS – widely used for web browsing and email
VPNs – secure connection tunnel via the internet
IPSec – authenticates and encrypts each IP packet
data in use = actively being created or processed
can be encrypted at the application level
access controls
secure enclaves
Intel Software Guard Extensions (SGX)
DATA TYPES
regulated data = controlled by laws, regulations, industry standards
GDPR
HIPAA in US
PII: Personally Identifiable Information
info that can identify an individual
HIPAA data: similar to PII but health / health insurance related
Trade secrets: confidential competitive info – protected by law
IP or Intellectual Property: creations of the mind: eg inventions, artistic works, content etc, course material
Legal Info: includes legal proceedings, info about them
Financial Info – sales records, invoices, bank statements, etc
PCI DSS for credit card regulation
Human-readable data – eg spreadsheets
Non-human-readable data – binary code, executables, machine code
but still needs protecting
DATA SOVEREIGNTY
refers to the concept:
digital data is subject to the laws of the country in which it is collected or processed.
eg GDPR General Data Protection Regulation for EU
Geographical Considerations
can have significant implications for businesses, EU has stringent GDPR regulations
China and Russia require businesses to store data in their countries if they are active in those countries.
must ensure info is not illegally transferred.
multi location data access eg with multinationals – is complex!
SECURING DATA
top priority for orgs
aspects:
geographic restrictions
encryption
hashing
masking
tokenization
obfuscation
segmentation
permission restrictions
geographic restrictions: geofencing
creating virtual boundaries to restrict requests from other geographic locations
encryption – with an algorithm and an encryption key
hashing: produces a hash value; used to store sensitive data such as passwords, and to check the integrity of files
masking: concealing some of the data fields, eg with asterisks; data masking is a one-way process
tokenization: replaces sensitive data with non-sensitive substitutes called tokens
often used for financial data, esp credit cards
obfuscation: use of pseudonyms, encryption etc
segmentation: dividing the network into separate segments, each with its own security controls
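As an added example (not part of the course notes), a small Python sketch of masking, tokenization and hashing applied to one constructed customer record; the record, the vault class and the helper names are my own assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample record for the demo (not real data).
SAMPLE_RECORD = {"name": "A. Example", "card": "4111111111111111", "password": "Tr0ub4dor&3"}

def mask_card(number, visible=4):
    """Masking: hide all but the last `visible` digits behind asterisks (one-way)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - visible) + digits[-visible:]

class TokenVault:
    """Tokenization: swap a sensitive value for a random, non-sensitive token.
    Only the vault holds the mapping; downstream systems only ever see tokens."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._to_token[value], self._to_value[token] = token, value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]

def hash_password(password, salt=None, iterations=100_000):
    """Hashing: store a salted PBKDF2-SHA256 digest, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def protect_record(record, vault):
    """Apply the three controls to one record before it leaves the trusted system."""
    salt, digest = hash_password(record["password"])
    return {
        "name": record["name"],
        "card_masked": mask_card(record["card"]),      # safe to display, eg on a receipt
        "card_token": vault.tokenize(record["card"]),  # safe to hand to downstream systems
        "password_salt": salt.hex(),
        "password_hash": digest.hex(),
    }
```

The masked and tokenized values can be stored or shown outside the trusted system; only the vault can map a token back to the real card number.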
DATA LOSS PREVENTION DLP
monitors data while in use, in transit or at rest, to detect attempts to steal data
endpoint DLP system: usually a piece of software installed on a computer to monitor the data on that computer; can be configured in detection or prevention mode
network DLP system: placed at the perimeter of the network to detect data in transit
storage DLP: installed on a server in the data center, inspects data while at rest on that server
cloud-based DLP: offered as SaaS as part of cloud storage
these help protect data from being stolen
you need to install DLP systems covering all three areas – data in use, in transit, at rest
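As an added example, not part of the course notes, a minimal endpoint DLP check in Python over constructed file contents, showing the detection-vs-prevention mode configuration described above; the file names, the Luhn filter and the action labels are assumptions:

```python
import re

# Constructed sample files an endpoint DLP agent might inspect (not real data).
SAMPLE_FILES = {
    "notes.txt": "Meeting at 10am, bring the Q3 slides.",
    "export.csv": "customer,card\nA. Example,4111 1111 1111 1111\n",
    "ids.txt": "order id 1234-5678-9012-3456 is not a card number",
}

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum: real card numbers pass, random digit runs usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return the card numbers (digits only) found in a piece of text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def dlp_inspect(files, mode="detect"):
    """Inspect each file; 'detect' mode only alerts, 'prevent' mode blocks the action."""
    results = {}
    for name, content in files.items():
        if not find_cards(content):
            results[name] = "allow"
        elif mode == "prevent":
            results[name] = "block"   # prevention: stop the copy/upload/print
        else:
            results[name] = "alert"   # detection: log and notify, let it through
    return results
```

The Luhn step is what keeps the order-id line from raising a false positive; a real agent would add more patterns (PII, keywords, fingerprints) but the mode switch works the same way.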
How to Configure a DLP System
for Google Cloud: you need a paid subscription; not available on the free Google Cloud tier