Maximizing C-I-A

Identifying security controls to protect data can be confusing. As with other domains, one effective way to ensure you have the right controls in place is to review how well you are maximizing the C-I-A properties of data security. If you can demonstrate that your controls are addressing the needs for data confidentiality, integrity, and availability, you have addressed the basic needs for data security.

Access Controls

Access controls play an important part in the System/Application Domain. Earlier in this chapter, you learned how an attacker could compromise your web server and attempt to access System/Application Domain components directly. If an attacker is able to compromise a computer in your DMZ and exploit a vulnerability that provides access into another domain, solid access controls can limit the damage that attack can do. Many attackers will attempt to escalate user privileges to establish a connection to another computer or another domain to alter or access data.

In addition to NAC devices limiting connections to System/Application Domain components and operating system access controls for user logons, all applications should implement access controls. Application access controls can limit access to specific data elements. In a database environment, applications can employ access controls at the record or row level. For even more fine-tuned control, some applications and databases support access control at the field or column level. Application controls can limit which users can read data and which users can write data. Proper use of access controls at all levels can protect the confidentiality and integrity of your data. As long as you employ strong authentication techniques, user identity and access controls help keep your data secure.
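The row- and column-level application controls described above, shown as an added example that is not the book's own code: a small in-memory SQLite personnel table, a hypothetical role set ("staff", "manager", "hr"), and a data-access layer that filters rows by the caller's department and strips columns the caller's role may not read. The table, roles and policy are constructed for illustration; the technique (a whitelist of readable columns per role plus a mandatory row predicate added by the application, never by the caller) is what the passage describes.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data (not real personnel): dept, name and a salary
# column that only HR and managers may read.
SAMPLE_ROWS = [
    (1, "eng", "Alice", 120000),
    (2, "eng", "Bob", 95000),
    (3, "sales", "Carol", 80000),
]


@dataclass(frozen=True)
class User:
    name: str
    dept: str
    role: str  # hypothetical roles: "staff", "manager" or "hr"


# Column-level policy: the set of roles allowed to read each column.
# Column names come only from this whitelist, so they can be spliced
# into SQL safely; values always go through bound parameters.
COLUMN_POLICY = {
    "id": {"staff", "manager", "hr"},
    "dept": {"staff", "manager", "hr"},
    "name": {"staff", "manager", "hr"},
    "salary": {"manager", "hr"},
}


def open_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE personnel (id INTEGER PRIMARY KEY, dept TEXT, "
        "name TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def visible_columns(user):
    """Column-level control: only columns the caller's role may read."""
    return [col for col, roles in COLUMN_POLICY.items() if user.role in roles]


def read_personnel(conn, user):
    """Row-level control: everyone except HR is confined to their own department."""
    cols = visible_columns(user)
    sql = f"SELECT {', '.join(cols)} FROM personnel"
    params = ()
    if user.role != "hr":
        sql += " WHERE dept = ?"      # predicate is added by the application, not the caller
        params = (user.dept,)
    rows = conn.execute(sql, params).fetchall()
    return [dict(zip(cols, row)) for row in rows]


def update_salary(conn, user, emp_id, new_salary):
    """Write control: only HR may change salary. Returns rows updated."""
    if user.role != "hr":
        raise PermissionError(f"{user.name} ({user.role}) may not write salary")
    cur = conn.execute(
        "UPDATE personnel SET salary = ? WHERE id = ?", (new_salary, emp_id)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print(read_personnel(db, User("bob", "eng", "staff")))     # own dept, no salary
    print(read_personnel(db, User("dana", "sales", "manager")))  # own dept, with salary
    print(read_personnel(db, User("eve", "hr", "hr")))          # every row and column
```

The point of the pattern is that the caller never supplies the filter: the department predicate and the column list are decided from the authenticated identity, which is why the passage ties the value of these controls to strong authentication.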

Database and Drive Encryption

Access controls protect the confidentiality and integrity of data as long as the operating system enforces the controls. If an attacker is able to acquire a copy of data outside the scope of the operating system, access control cannot protect the data’s security. There are two main ways to acquire data outside the scope of the operating system.

The first attack method is to boot the computer that contains the data using removable media. Removable media, such as a CD, DVD, or USB drive, can contain an alternative operating system that allows the attacker to access any file with no access controls. A successful attack such as this allows an attacker to copy any desired data, regardless of how confidential it is. There are two main defenses to this type of attack. The first defense is to limit physical access to critical servers. Most data centers employ physical controls such as locked access doors that only a select few people can open. If an attacker cannot physically access a computer, this type of attack fails. The second defense is to employ operating system–level encryption.

A second type of attack can result in accessing large amounts of confidential data. This second type of attack involves acquiring a copy of a backup image. Many organizations make the mistake of not securing backups once they are created. You should transport backup media to another physical location to protect it from a physical disaster. The purpose of creating backup images is to provide a redundant copy of your data if a disaster destroys the primary copy. Suppose a flood destroys your entire data center. If your backup images were stored in the data center, they could be destroyed as well. Transporting backups to remote locations for storage increases the likelihood they’ll be usable even after a disaster at the main data center. If an attacker can steal a copy of your backup media as it is being transported from the data center to the storage location, all of your data could be revealed. Data on backup media is easy to access.

There are at least two controls to stop this type of attack. The first control is to secure all backup media during transport. Treat backups with care. Investing in a method of secure transportation is far less expensive than one security breach. Many companies provide secure transportation and storage for backup media. Consider using such a service to ensure your backups don’t fall into the wrong hands. The second control to protect backups is to use data-protection methods such as encryption or tokenization. Several types of encryption and tokenization solutions are available for different needs. Some protect entire backup media or files on a disk, while others protect individual data elements. Table 14-2 compares the six most common options for data protection.

TABLE 14-2 Common options to protect data.

| Protection Type | Description | What It Protects |
|---|---|---|
| File encryption | Encrypts individual files. If the file encryption is part of the operating system, such as Windows Encrypting File System (EFS), the encryption key is derived from the user password and files are not readable when the user is not logged on. | Alternate boot attacks or any attack that bypasses operating system access controls |
| Folder/directory encryption | Encrypts entire folders/directories. An example is Windows EFS in folder encryption mode. | Alternate boot attacks or any attack that bypasses system access controls |
| Volume/drive encryption | Encrypts an entire volume or drive, such as Windows BitLocker or TrueCrypt. | Alternate boot attacks or any attack that bypasses system access controls |
| Application encryption | Encrypts individual pieces of data based on the application's requirements. | Any attack that bypasses the application access controls; also protects backups from attack |
| Database encryption | Encrypts the entire database. If implemented by the database management system, this is often called Transparent Data Encryption (TDE). | Any attack that bypasses the database management system access controls; also protects backups from attack |
| Backup encryption | Encrypts backup media as you create the backup image. | Protects backups from attack |
| Tokenization | A different approach from encryption. Replaces sensitive values with fake data that looks and behaves like the real data element. This helps to maintain business processes and the usability of the data. | Protects individual data elements from a wide range of threats |

Protecting data by such means can help ensure only authorized users can access the data. This type of control assists you in protecting the confidentiality and integrity of your data.
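The tokenization row of Table 14-2, as an added example that is not the book's own code: a hypothetical token vault replaces 16-digit account-like values with random tokens of the same length that keep the last four digits, so reports and support workflows keep working, while the application table and any backup image taken from it hold only tokens. The sample values and the `TokenVault` class are constructed for illustration; a production vault would be a separately secured service, not an in-process dictionary.

```python
import re
import secrets

# Constructed sample account numbers (not real cards; no check digit applied).
SAMPLE_RECORDS = [
    {"customer": "C-100", "account": "4111222233334444"},
    {"customer": "C-101", "account": "5555666677778888"},
    {"customer": "C-102", "account": "4111222233334444"},  # same account as C-100
]

DIGITS = "0123456789"


class TokenVault:
    """Hypothetical vault: the only place the real value is stored.

    Tokens are random, so a token reveals nothing about the value, and the
    same value always maps to the same token so joins and lookups still work.
    """

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        if not re.fullmatch(r"\d{16}", value):
            raise ValueError("expected a 16-digit value")
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Format-preserving: 12 random digits plus the real last four.
            token = "".join(secrets.choice(DIGITS) for _ in range(12)) + value[-4:]
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        """Only code with vault access can recover the value; unknown tokens fail."""
        return self._by_token[token]


def protect_records(records, vault):
    """Return copies of the records with the account field tokenized."""
    return [dict(r, account=vault.tokenize(r["account"])) for r in records]


def backup_leaks_plaintext(backup_rows, originals):
    """Check whether any real account value appears in a backup of the protected table."""
    real_values = {r["account"] for r in originals}
    return any(row["account"] in real_values for row in backup_rows)


if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_records(SAMPLE_RECORDS, vault)
    print(protected)
    print("backup leaks plaintext:", backup_leaks_plaintext(protected, SAMPLE_RECORDS))
```

Because the tokens carry the format of the original, the rest of the application (column widths, validation, last-four display) is unchanged, which is the usability benefit the table describes; the security benefit is that a stolen backup of the protected table is useless without the vault.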
