Friday, February 8, 2013

Defense in Depth Layer 7: Data Security

“Be careful and you will save many men from the sin of robbing you.” — Ed Howe

The final layer in the Defense in Depth security model protects the sensitive data itself.  Protecting this data is the end goal of almost all IT security measures.  Protection strategies at this layer should focus on stored data as well as data in transit.  As you can see from the image below, we will have covered all layers in the Defense in Depth security model.
Image retrieved from www.windowsecurity.com

1. Encryption
Encryption helps protect data where it resides and as it travels across a network by controlling access to it while verifying its authenticity and maintaining its availability.  To read an encrypted file, one must have access to a secret key or password that enables decryption. Unencrypted data is called plain text; encrypted data is called cipher text.  There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

Strong encryption like TLS (Transport Layer Security) and SSL (Secure Sockets Layer) will keep data private though they can't always ensure its security.  A website that uses these types of encryption may be verified with the procedure of checking the digital signature on its certificate that in turn must be validated by an approved Certificate Authority.  There are many types of data encryption software algorithms, but not all of them are equally reliable.

2. Access Control/Authentication
Like network-level, host-level, and application-level authentication, only authorized users should be given access to the data. Access control and transaction logging are implemented at this layer.  If data is changed, it is important to track by whom, and this especially true when dealing with sensitive information.
 
3. Data Loss/Leakage Prevention (DLP)
DLP is a strategy for making sure that end users do not send sensitive or confidential information outside of the company network.  DLP is also used to describe software products that help a company control what data end users can transfer.

4. Data Backup
Backing up is the copying and archiving of data so it may be used to restore the original after a data loss event.  Data should be backed up on a regular basis.  Backups should be created on reliable media, and they should be kept in a secure, off-site location.

So there you have it!  We’ve covered all layers of the Defense in Depth security model.  We’ve actually covered the layers within the layers.  As you can see, security measures can easily become very complex, and complexity typically equals more money.  Our next blog post will discuss how to balance security concerns with cost constraints.

Thanks for reading!

Jen

1 comment:

  1. Encryption helps protect data where it resides and as it travels across a network by controlling access to it while verifying its authenticity and maintaining its availability. To read an encrypted file, one must have access to a secret key or password that enables decryption.
    iDeals online data room providers

    ReplyDelete