3.3 Compare and contrast concepts and strategies to protect data. Flashcards
- Data types
- Regulated
- Trade secret
- Intellectual property
- Legal information
- Financial information
- Human- and non-human-readable
Regulated Data
■ Controlled by laws, regulations, or industry standards
■ Compliance requirements
● General Data Protection Regulation (GDPR)
● Health Insurance Portability and Accountability Act (HIPAA)
PII (Personal Identification Information)
■ Information used to identify an individual (e.g., names, social security numbers, addresses)
■ Targeted by cybercriminals and protected by privacy laws
PHI (Protected Health Information)
■ Information about health status, healthcare provision, or payment linked to a specific individual
■ Protected under HIPAA
Trade Secrets
■ Confidential business information giving a competitive edge (e.g., manufacturing processes, marketing strategies, proprietary software)
■ Legally protected; unauthorized disclosure results in penalties
Intellectual Property (IP)
■ Creations of the mind (e.g., inventions, literary works, designs)
■ Protected by patents, copyrights, trademarks to encourage innovation
■ Unauthorized use can lead to legal action
Legal Information
■ Data related to legal proceedings, contracts, regulatory compliance
■ Requires high-level protection for client confidentiality and legal privilege
Financial Information
■ Data related to financial transactions (e.g., sales records, tax documents, bank statements)
■ Targeted by cybercriminals for fraud and identity theft
■ Subject to PCI DSS (Payment Card Industry Data Security Standard)
Human-Readable Data
■ Understandable directly by humans (e.g., text documents, spreadsheets)
Non-Human-Readable Data
■ Requires machine or software to interpret (e.g., binary code, machine language)
■ Contains sensitive information and requires protection
Data classifications
- Sensitive
- Confidential
- Public
- Restricted
- Private
- Critical
Restricted data
is highly confidential business or personal information. There are often general statutory, regulatory or contractual requirements
Sensitive Data
■ Information that, if accessed by unauthorized persons, can result in the loss of security or competitive advantage for a company
Importance of Data Classification
■ Helps allocate appropriate protection resources
■ Prevents over-classification to avoid excessive costs
■ Requires proper policies to identify and classify data accurately
Public
● No impact if released; often publicly accessible data
Private
● Contains internal personnel or salary information
Confidential
● Holds trade secrets, intellectual property, source code, etc.
Critical
● Extremely valuable and restricted information
Commercial Business Data Classification Levels
Public: often publicly accessible data
Sensitive: Minimal impact if released, e.g., financial data
Private: Contains internal personnel or salary information
Confidential: Holds trade secrets, intellectual property, source code, etc.
Critical: Extremely valuable and restricted information
Government Classification Levels
■ Unclassified
● Generally releasable to the public
■ Sensitive but Unclassified
● Includes medical records, personnel files, etc.
■ Confidential
● Contains information that could affect the government
■ Secret
● Holds data like military deployment plans, defensive postures
■ Top Secret
● Highest level, includes highly sensitive national security information
General data considerations
- Data states
o Data at rest
o Data in transit
o Data in use
- Data sovereignty
- Geolocation
Data Sovereignty
■ Information subject to laws and governance structures within the nation it is collected
Data at Rest
■ Data stored in databases, file systems, or storage systems, not actively moving
Data in Transit (Data in Motion)
■ Data actively moving from one location to another, vulnerable to interception
Transport Encryption Methods
- SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
- VPN (Virtual Private Network)
- IPSec (Internet Protocol Security)
SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
○ Secure communication over networks, widely used in web browsing and email
VPN (Virtual Private Network)
○ Creates secure connections over less secure networks like the internet
IPSec (Internet Protocol Security)
○ Secures IP communications by authenticating and encrypting IP packets
Data in Use
■ Data actively being created, retrieved, updated, or deleted
Data in Use Protection Measures
● Encryption at the Application Level
○ Encrypts data during processing
● Access Controls
○ Restricts access to data during processing
● Secure Enclaves
○ Isolated environments for processing sensitive data
● Mechanisms like Intel Software Guard
○ Encrypts data in memory to prevent unauthorized access
Methods to secure data
- Geographic restrictions
- Encryption
- Hashing
- Masking
- Tokenization
- Obfuscation
- Segmentation
- Permission restrictions
Geographic Restrictions (Geofencing)
■ Virtual boundaries to restrict data access based on location
■ Compliance with data sovereignty laws
■ Prevent unauthorized access from high-risk locations
Encryption
■ Transform plaintext into ciphertext using algorithms and keys
■ Protects data at rest and in transit
■ Requires decryption key for data recovery
Hashing
■ Converts data into fixed-size hash values
■ Irreversible one-way function
■ Commonly used for password storage
Masking
■ Replace some or all data with placeholders (e.g., “x”)
■ Partially retains metadata for analysis
■ Irreversible de-identification method
Tokenization
■ Replace sensitive data with non-sensitive tokens
■ Original data stored securely in a separate database
■ Often used in payment processing for credit card protection
Obfuscation
■ Make data unclear or unintelligible
■ Various techniques, including encryption, masking, and pseudonyms
■ Hinder unauthorized understanding
Segmentation
■ Divide network into separate segments with unique security controls
■ Prevent lateral movement in case of a breach
■ Limits potential damage
Permission Restrictions
■ Define data access and actions through ACLs or RBAC
■ Restrict access to authorized users
■ Reduce risk of internal data breaches