Welcome back! Today we’ll continue with our Data Protection Security series by talking more in-depth about the different ways to protect data. If you haven’t had the opportunity to read the first part of the series, Data Protection Security, take a few minutes to check it out when you can.
There are a lot of different methods to protect your data, others' data, or a whole organization's data. The biggest thing to keep in mind is that you are not only protecting data from threats outside your organization or your home; you should also think about the people you work with or around. There are a few different methods that you will see at your job or can implement at home or for your own business: encryption, data erasure, data masking, data resiliency, access control, authentication, and backup & recovery. Each one can be used individually or in combination with the others. Each method serves a specific purpose in data security, so we will discuss them one at a time so you can better understand each.
Encryption is a way to scramble data so that only authorized people can understand the information. When a word or phrase is encrypted, it is turned into unreadable data, or ciphertext.
Encryption requires a cryptographic key: a set of mathematical values that both the sender and the recipient of an encrypted message agree on. The decryption key and encryption key must match, or the encrypted information will not be turned back into its readable form. A truly secure encryption process uses keys complex enough that a third party is highly unlikely to decrypt or break the ciphertext by brute force. In case you don't know what brute force is in cybersecurity, it is the continuous attempt to guess the correct answer, such as a key or password, in order to gain access or crack the code. One of the best benefits of encryption is that data can be encrypted "at rest," when it is stored, or "in transit," while it is being transmitted somewhere else. There are two main types of encryption: symmetric encryption and asymmetric encryption. Symmetric encryption has only one key, and all communicating parties use that same key for both encryption and decryption. Asymmetric, or public key, encryption has two keys, a public key and a private key. The public key is used for encryption and the private key is used for decryption.
Commonly used symmetric encryption algorithms include:
Commonly used asymmetric encryption algorithms include:
Elliptic curve cryptography
Data erasure is done with software such as Active KillDisk, WipeDrive, and BitRaser, to name a few. It involves overwriting the existing data on a storage sector with a binary pattern of 1s and 0s or a meaningless pseudo-random pattern, with the purpose of making it unrecoverable. The overwriting methods used to perform a data erasure on storage media differ in the pattern(s) used and the number of passes. Once a data erasure method has completed its task, the storage media can be reused or repurposed for something else, because the erased data is no longer present on the media and cannot be retrieved or recovered.
Data Erasure Methods:
U.S. Department of Defense (DoD 5220.22-M)
DoD 5220.22-M (ECE) – Overwrites data 7 times (7 passes)
DoD 5220.22-M (E) – Overwrites data 3 times (3 passes)
DoD 5220.28-M -STD – Overwrites data 7 times (7 passes)
US Army AR 380-19
US Air Force AFSSI-5020
Canadian RCMP TSSIT OPS-II
British HMG IS5
Russian Standard – GOST-R-50739-95
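As an added illustration of the overwrite-and-verify process described above (example code, not the page's or any of the listed tools' code), the Python below writes the three-pass pattern the page lists for DoD 5220.22-M (E) over a file and confirms the final pass by reading it back; the file contents are a constructed sample.

```python
import hashlib
import os
import tempfile

# Added example (not the page's or any vendor's code): overwrite a file with the
# three-pass scheme the page lists for DoD 5220.22-M (E): a fixed byte, its
# complement, then random data, and verify the final pass by reading it back.
CHUNK = 1 << 16

def _write_pass(fh, size, pattern):
    """Fill the file with `pattern` (random bytes if None); return its SHA-256."""
    digest, remaining = hashlib.sha256(), size
    fh.seek(0)
    while remaining:
        n = min(CHUNK, remaining)
        data = os.urandom(n) if pattern is None else pattern * n
        fh.write(data)
        digest.update(data)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # force this pass onto the device before the next
    return digest.hexdigest()

def file_digest(path):
    """SHA-256 of what is actually stored, read back from the file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def erase_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite in place, verify the last pass, unlink; return the pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            written = _write_pass(fh, size, pattern)
    if file_digest(path) != written:
        raise RuntimeError("read-back of final pass did not match")
    os.remove(path)
    return len(passes)

def demo():
    """Erase a constructed temp file; return (passes written, file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed sample record: account 0000-0000\n" * 2000)
    return erase_file(path), os.path.exists(path)
```

On SSDs, journaling and copy-on-write filesystems the old blocks can survive elsewhere, so file-level overwriting is best effort; sanitizing whole media is a job for the drive's own secure-erase command or a certified tool such as those named above.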
Data masking is a method of creating a fake but realistic version of your organizational data. The goal is to protect sensitive information while providing a functional alternative for situations where real data is not needed; organizations tend to do this so they can use organizational data for training, demos, or software testing. The masked version of the original data should not be decipherable or reverse engineered back to the real values.
The following are reasons why data masking is important:
Data masking addresses several critical threats: data loss, data exfiltration, insider threats or account compromise, and insecure interfaces with third-party systems.
Reduces data risks associated with cloud adoption.
Makes data useless to an attacker, while maintaining many of its inherent functional properties.
Allows sharing data with authorized users, such as testers and developers, without exposing production data.
Can be used for data sanitization – normal file deletion still leaves traces of data in storage media, while sanitization replaces the old values with masked ones.
Types of Data Masking
Static Data Masking - Helps create a sanitized copy of the database
Deterministic Data Masking - Involves mapping two sets of data that have the same type of data, in such a way that one value is always replaced by another value
On-the-Fly Data Masking - Masking data while it is transferred from production systems to test or development systems before the data is saved to disk
Dynamic Data Masking - Data is not stored in a secondary data store in the dev/test environment after being transferred from production systems to test or development systems
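To show how the deterministic and static masking types above work in practice, here is an added Python example (not code from the page or from any masking product): a keyed HMAC maps each real value to a fake value of the same shape, so the same customer masks identically in every table and the output cannot be reversed. The key, the column names and the sample rows are constructed placeholders.

```python
import hashlib
import hmac

# Added example (not the page's or any vendor's code): deterministic,
# format-preserving masking with a keyed HMAC. Equal inputs always mask to the
# same output, so joins across tables still work; the output cannot be turned
# back into the original. MASK_KEY is a constructed placeholder: keep the real
# key in a vault and never ship it alongside the masked data set.
MASK_KEY = b"constructed-placeholder-key-rotate-me"
DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyz"

def mask_token(field, value, alphabet, length):
    """Deterministic token of `length` chars; the field name separates domains."""
    stream = hmac.new(MASK_KEY, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    while len(stream) < length:                 # extend for long fields
        stream += hashlib.sha256(stream).digest()
    return "".join(alphabet[b % len(alphabet)] for b in stream[:length])

def mask_email(value):
    """Replace the local part, keep the domain so the value still looks real."""
    local, _, domain = value.partition("@")
    return f"{mask_token('email', local, LETTERS, 10)}@{domain}"

def mask_digits(field, value):
    """Replace every digit but keep length and separators, e.g. 000-00-0000."""
    digits = mask_token(field, value, DIGITS, sum(c.isdigit() for c in value))
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in value)

def mask_record(row):
    """Static masking of one customer row; customer_id is the join key and stays."""
    return {
        "customer_id": row["customer_id"],
        "name": mask_token("name", row["name"], LETTERS, 8).capitalize(),
        "email": mask_email(row["email"]),
        "ssn": mask_digits("ssn", row["ssn"]),
    }

# Constructed sample rows: the same person appears in two "tables".
CUSTOMERS = [{"customer_id": 17, "name": "Jane Doe",
              "email": "jane.doe@example.com", "ssn": "123-45-6789"}]
ORDERS = [{"customer_id": 17, "name": "Jane Doe",
           "email": "jane.doe@example.com", "ssn": "123-45-6789"}]

def mask_tables():
    """Mask both tables; deterministic masking keeps the rows joinable."""
    return [mask_record(r) for r in CUSTOMERS], [mask_record(r) for r in ORDERS]
```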
Data resiliency is the ability of a network, storage system, server, or data center to recover quickly so that operations can continue. Even after an equipment failure, power outage, or other disruption, the quicker the recovery, the better. Data center resiliency plans are typically associated with, or part of, an organization's disaster plan(s) for when a natural or unnatural disaster occurs. Data center resiliency is often achieved with redundant components, subsystems, or facilities, so that if the main component goes down, the secondary is ready to take over. The resiliency techniques used in a data center vary with the importance of the workloads: an organization with mission-critical workloads will tend to use more resiliency techniques, because failing to preserve a critical computing service is far more costly during a prolonged service outage.
Access control is a fundamental component of data security that dictates who is or is not allowed to access and use company information and resources. Access control policies ensure that users are who they say they are and that they have appropriate access to company data, using authentication and authorization. We will discuss authentication and authorization in more detail later in this blog. However, access control does not only apply to users; it can also be applied to physical access to buildings, rooms, and other workspaces.
Access control identifies users by verifying various login credentials, such as usernames and passwords, personal identification numbers (PINs), biometric scans, and security tokens. Many access control systems also include multifactor authentication, which requires more than one authentication method to verify a user's identity. There are four common types of access control; an organization will choose the type that makes the most sense based on its unique security and compliance requirements.
Access Control Types
Discretionary access control (DAC) – Policies are set by an admin or owner of the data or system
Mandatory access control (MAC) - People are granted access based on an information clearance (mostly seen in government or military environments)
Role-based access control (RBAC) - Grants access based on defined business functions rather than the individual user’s identity
Attribute-based access control (ABAC) - Access is based on a set of attributes and environmental conditions, such as time of day and location, assigned to both users and resources
Physical access control systems (PACS) are a type of physical security designed to restrict or allow access to a certain area or building. Physical access control keeps unauthorized people out of a specific location to prevent things like vandalism, theft, and trespassing. Some components of physical access control are:
Access points - Entrance points where a barrier is needed; examples are gates, turnstiles, and door locks.
Personal credentials – Forms of identification such as a badge, key fob, password, or PIN.
Readers and/or keypads - Send data from credentials to a control panel to authenticate the credential and request access authorization
Control panel - Receives the credential data from the reader and verifies if the credential is valid
Access control server - Stores user data, access privileges, and audit logs
Authentication and authorization are often used as if they were the same word with the same meaning. They are two different words with two different meanings. However, you can't have one without the other: if you want to be authorized into a building or to specific information, you must first authenticate yourself.
Authentication is the act of validating that users are who they claim to be, and it is the first step in any security process. As mentioned under access control, a person can authenticate with a password, a PIN, an authenticator app (Okta Verify or Microsoft Authenticator), or a biometric. Authorization is the process of giving the user permission to access a specific resource or function; the term is often used interchangeably with access control or client privilege. In secure environments, authorization must always follow authentication.
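To make the authenticate-then-authorize order, and the RBAC and ABAC types from the access control list above, concrete, here is an added Python example (not code from the page or from any Dell product): a salted PBKDF2 password check, followed by a role check (RBAC) and an hour-and-location check (ABAC) that only run for an authenticated user. The users, roles and policy values are constructed samples.

```python
import hashlib
import hmac
import os

# Added example (not from the page): authenticate first, then authorize, with
# RBAC (role -> permissions) and ABAC (hour and location attributes) evaluated
# together. The users, roles and policy values are constructed samples.
ROLE_PERMS = {"analyst": {"read_report"},
              "admin": {"read_report", "delete_report"}}
POLICY = {"hours": range(8, 18), "locations": {"office", "vpn"}}  # ABAC conditions


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password under a random (or given) salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: salt and digest only, never the plaintext password.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "digest": _digest, "roles": {"analyst"}}}


def authenticate(username, password):
    """Return the user record when the password matches, else None."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return None
    _, digest = hash_password(password, user["salt"])
    return user if hmac.compare_digest(digest, user["digest"]) else None


def authorize(user, action, hour, location):
    """RBAC: a role must grant the action; ABAC: the request attributes must fit."""
    if user is None:                            # no authorization without authentication
        return False
    granted = set().union(*(ROLE_PERMS.get(r, set()) for r in user["roles"]))
    return (action in granted and hour in POLICY["hours"]
            and location in POLICY["locations"])


def access(username, password, action, hour, location):
    """The order the page prescribes: authenticate, then authorize."""
    return authorize(authenticate(username, password), action, hour, location)
```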
Backups & Recovery
Backup and recovery is the process of duplicating data, storing the copy in a secure place in case of loss or damage, and then restoring that data to a location when needed. Backup copies, also known as snapshots, are immutable: they cannot be altered after they are created, which protects them against ransomware and other cyber-attacks.
Three types of backups
Full backup - Protects all data from a single server, database, virtual machine (VM), or data source connected to the network. This is the slowest backup method.
Incremental backups - Capture only the data that is new or changed since the last backup, whether full or incremental, was performed. This is the fastest backup method.
Differential backups – Similar to incremental backups, but back up only the files that changed since the last full backup. The time this method takes varies depending on the types of files selected to be backed up.
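The difference between the three backup types is easiest to see on a small change history, so here is an added Python example (not code from the page or from any backup product) that picks the files each type captures and works out the shortest chain of sets a restore must replay; the files and their change times are a constructed sample.

```python
from collections import namedtuple

# Added example (not from the page): which files each backup type copies and
# which sets a restore must replay, over a constructed set of files and change
# times. Deletions are ignored to keep the model short.
Backup = namedtuple("Backup", "kind time files")   # files: path -> content

def take_backup(kind, history, files, now):
    """Capture what this type covers from files {path: (content, mtime)}."""
    if kind == "full":
        since = -1                                   # everything
    elif kind == "incremental":
        since = history[-1].time                     # since the last backup of any kind
    else:                                            # differential
        since = max(b.time for b in history if b.kind == "full")  # since the last full
    snap = Backup(kind, now, {p: c for p, (c, mtime) in files.items() if mtime > since})
    history.append(snap)
    return snap

def restore(history):
    """Replay the shortest chain: last full, the newest differential after it,
    then every incremental taken after that. Returns (files, chain kinds)."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain, start = [history[last_full]], last_full + 1
    diffs = [i for i in range(start, len(history)) if history[i].kind == "differential"]
    if diffs:
        chain.append(history[diffs[-1]])
        start = diffs[-1] + 1
    chain += [b for b in history[start:] if b.kind == "incremental"]
    state = {}
    for b in chain:
        state.update(b.files)                        # later sets overwrite earlier ones
    return state, [b.kind for b in chain]

def demo():
    """Walk a constructed week of changes and backups; return what each set held."""
    files = {"a.txt": ("v1", 1), "b.txt": ("v1", 1), "c.txt": ("v1", 1)}
    history = []
    take_backup("full", history, files, 2)
    files["a.txt"] = ("v2", 3)
    inc1 = take_backup("incremental", history, files, 4)    # a only
    files["b.txt"] = ("v2", 5)
    inc2 = take_backup("incremental", history, files, 6)    # b only
    diff = take_backup("differential", history, files, 7)   # a and b (since the full)
    files["c.txt"] = ("v2", 8)
    inc3 = take_backup("incremental", history, files, 9)    # c only (since the diff)
    state, chain = restore(history)
    return [sorted(s.files) for s in (inc1, inc2, diff, inc3)], state, chain
```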
Recovery is the process whereby you retrieve and restore that backup data to your production systems to avoid downtime.
Types of data recovery
Granular recovery of files, folders, and objects - Process of quickly getting back one or just a few specific data sets from among many volumes
Instant mass restores - Allows for the recovery of not only files but hundreds of virtual machines (VMs) instantly, at scale, to any point in time, saving time and resources
Volume recovery - Recovers an unlimited number of VMs at the same time
Virtual Machine Disk (VMDK) recovery – Restore of all data and apps on a VM
Bare machine recovery - Restoring an entire operating system (software, apps, and data) in one process
Instant volume mounts - Restore an entire volume to a Windows VM
Instant restores of VMs - Restores a large number of VMs to any previous recovery point with backup copies fully hydrated and available immediately
A backup and recovery plan is typically part of an organization's disaster recovery plan, with details about which systems need to be restored first based on operational needs. Keeping the backup cycle up to date ensures a faster and more reliable recovery with little to no data loss. One solution that supports data recovery is Dell's PowerProtect Data Manager (PPDM). This Dell solution provides software-defined data protection, automated discovery, deduplication, self-service, operational agility, and IT governance for virtual, physical, and cloud environments. Dell's latest PPDM update, PowerProtect Data Manager 19.9, introduced Transparent Snapshots, which simplify and automate VM image-level backups and allow VMs to be backed up without pausing them during the backup process. These snapshots can be retrieved from a storage location such as Dell's PowerProtect Data Domain through the PPDM UI whenever they are needed.
The solutions mentioned in this blog are just a couple of the solutions that Dell has to offer. If you want more information about other Dell solutions or the solutions mentioned in this blog, check out the links below for more details. I hope you gained some new knowledge and insight into data protection and some of the solutions out there that you can implement in your current or future environments. Stay tuned for the next topic in our data protection journey. If there is something specific that you would like me to cover or talk about, leave a comment below and I will do my best to answer those questions. Until next time, stay cyber safe.