Security+: Data Security Controls (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Data security is the process of protecting digital data, such as databases, from unauthorized destruction, disclosure, or modification, whether intentional or accidental. More precisely, data security ensures the confidentiality, integrity, and availability of data. Data is essential and more valuable (and harder to replace if destroyed) than an enterprise’s hardware and software. Since data is recognized as a corporation’s most mission-critical asset, its protection is essential. The Security+ exam requires proficiency with various data security measures, which are discussed in the following sections.
Which Data Security Controls Do I Need to Know for the Security+ Exam?
Data security controls are used to protect sensitive and confidential information from being accessed or compromised from outside the secure environment. The following data security controls are imperative for the Security+ exam, so you must grasp these concepts to pass it:
Cloud Storage
Cloud computing has turned the digital world into a place of dynamic, on-demand storage. Today, many hosting companies offer cloud storage services that span multiple cloud servers, and often multiple locations, where users can store their electronic data. Cloud storage providers have the responsibility to ensure the confidentiality, integrity, and availability of that data. Individuals and organizations buy storage capacity from these companies to store applications or corporate data. Common examples of cloud storage include Dropbox, Mega, and iCloud. Since clouds are complex distributed systems, the best security practice and model for them is identity and access management (IAM). Amazon Web Services (AWS) and various other cloud providers use the IAM security model. Encryption schemes are also imperative.
Storage Area Network (SAN)
A SAN is a high-speed, dedicated network that interconnects storage devices with multiple servers. It provides block-level storage that can be accessed by application programs running on any server attached to it. SANs are frequently used to interconnect networked storage devices, including disk arrays, optical jukeboxes, hard drives, and tape libraries. Since a SAN offers ample storage isolation through the use of a dedicated network, direct access to stored data is difficult, and all access attempts are forced to go through the server’s restricted applications.
Handling Big Data
Big data comprises data sets so complex and voluminous that traditional means of processing or analysis are ineffective and inadequate. Big data involves myriad challenges, including data storage, capture, search, analysis, querying, visualization, transfer, sharing, updating, and privacy. Big data processing requires well-organized analytics running on massively distributed or parallel processing systems. Data security analysts can thwart big data breaches by employing popular encryption solutions, including encryption solutions for Hadoop and for NoSQL databases.
What Types of Data Encryption Do I Need to Know?
Data encryption is used to protect data on storage devices. The following sections discuss several aspects of data encryption that you need to know in order to pass your Security+ exam.
Full-disk (whole-disk) encryption is a technique often employed to protect an operating system (OS), its locally stored data, and installed applications. Full-disk encryption ensures reasonable protection only while the system is powered off. If the system is running, it can be vulnerable to sophisticated attacks, such as a FireWire direct memory access (DMA) attack. To enhance the security of full-disk encryption, use a long and complex passphrase to unlock the system at boot.
Database encryption uses a DBMS (database management system) product with native encryption features, integrating the cryptographic functions directly into the database application. Today, many enterprise-grade or commercial databases, such as Microsoft SQL Server and Oracle, offer this feature.
Individual-file encryption is less effective than full-disk encryption. It randomly generates a symmetric encryption key for each file and then stores that key, encrypted with the user’s public key, alongside the encrypted file. This allows the user to return with his or her private key, unlock the stored symmetric key, and finally unlock the file. However, individual-file encryption has some drawbacks. For example, if the private key is corrupted or lost, the user will not be able to unlock the files.
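The per-file key wrapping described above, written out as an added Go example (not code from the original article): a random AES-256 file key seals the file with AES-GCM, and that file key is itself wrapped under the user's RSA public key, so only the matching private key can recover it. The function names, the 2048-bit key size, and the sample plaintext are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewUserKey makes the user's long-term RSA key pair (2048-bit for the demo).
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptFile draws a fresh random AES-256 key for this one file, seals the plaintext
// with it (AES-GCM) and wraps that key under the user's RSA public key (OAEP).
// Only the wrapped key and the sealed bytes are stored; the raw file key is dropped.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (wrapped, sealed []byte, err error) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey) // crypto/rand never returns an error on supported platforms
	block, _ := aes.NewCipher(fileKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed = gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	return wrapped, sealed, err
}

// DecryptFile unwraps the file key with the private key, then opens the file.
// Without the matching private key the file key, and so the file, is unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, wrapped, sealed []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil || len(sealed) < 12 { // 12 = standard GCM nonce size
		return nil, fmt.Errorf("bad file key or truncated sealed data")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[:12], sealed[12:], nil) // tag check fails on tampering
}

func main() {
	priv, _ := NewUserKey()
	wrapped, sealed, _ := EncryptFile(&priv.PublicKey, []byte("quarterly report"))
	pt, err := DecryptFile(priv, wrapped, sealed)
	fmt.Println(string(pt), err)
}
```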
Removable media, also known as removable storage, include eSATA devices, USB devices, optical discs, smart cards, flash cards, and, in some circumstances, even floppy disks. Removable media can be used to carry sensitive information out of the secure environment. In addition, removable media can introduce several other issues, such as malware infection, hardware failures, and copyright infringement. However, the network administrator can block access to removable storage through OS policies and in the BIOS.
Unfortunately, data on smartphones, tablets, and various other mobile devices is vulnerable to cyberattacks. Mobile-device encryption, using both hardware and software components, is the best way to protect data on mobile devices. The Ponemon Institute, which conducts independent research on data protection, privacy, and information security, has recently reported that two out of three lost mobile devices contained sensitive business data, which makes smartphone encryption all the more important.
What Types of Hardware-Based Encryption Devices Do I Need to Know?
Hardware-based encryption devices provide encryption and related services in hardware instead of relying on software-only solutions. The following hardware-based encryption devices are imperative for the Security+ exam, so you need to know about them.
Trusted platform module (TPM)
A TPM is an international standard both for a chip on a motherboard that supports this function and for a cryptoprocessor, a dedicated microcontroller designed for carrying out cryptographic operations on devices. For instance, a TPM generates the cryptographic keys used to encrypt the entire disk, as in full-disk encryption. Along with PCs, a TPM can also be used to protect smartphones and other devices supporting this function.
Hardware security module (HSM)
An HSM is a cryptoprocessor designed to manage and store digital encryption keys, accelerate crypto operations, support fast digital signatures, and enhance authentication mechanisms. An HSM can be a TCP/IP network device, a peripheral, or an add-on adapter. An HSM also includes tamper protection to prevent its misuse even if an attacker gains physical access. Today, bank POS and ATM terminals use proprietary HSMs. Most certificate authority systems also employ HSMs to store certificates.
USB encryption covers not only USB thumb drives but also hard drives connected through a USB cable. In some cases, USB manufacturers add encryption features to their USB products. If your USB device doesn’t include a built-in encryption feature, you can use open source or commercial solutions, such as VeraCrypt, to add encryption to it.
Hard-drive encryption can be applied through both hardware and software solutions. Today, hard-drive encryption is provided by many vendors, including iStorage Limited, Toshiba, Samsung, Western Digital, Hitachi, and Seagate Technology. However, employing a trusted software-encryption solution may be a secure and cost-effective choice.
What Types of Data Do I Need to Know About?
Data can exist in one of three possible states: data at rest, in motion, or in use.
Data at rest
Data at rest is the data that resides statically on auxiliary or external storage devices, such as solid-state drives (SSDs), hard disk drives (HDDs), and optical discs (CD/DVD). For the protection of data at rest, data security analysts highly recommend storage encryption, such as whole-drive encryption or file encryption.
Data in transit
Data in transit is data moving between computing nodes over a data network, such as the Internet. Data security analysts use Transport Layer Security (TLS), which is the single best protection for data while it is in transit.
Data in use
Data in use is data that resides in primary storage, such as RAM, CPU registers, and memory caches. Active and open data can be secure only if the physical and logical environment is secure. For this purpose, security experts must employ physical access controls and a well-established security baseline.
What Data Policies Do I Need to Know for the Security+ Exam?
Data policies are used to ensure the confidentiality, integrity, and availability of data. The following elements of data policies are important for the Security+ exam, and you need to understand them to pass.
Data wiping or erasure (also known as purging or sanitization) is the process of overwriting data with the aim of completely destroying all electronic data residing on a hard drive or any other digital medium. Wiping overwrites every sector of the storage device with 0s and 1s.
Disposal is the physical destruction of a storage device that has no further use. Disposal can be done through incineration, crushing, or an acid bath.
A retention policy defines the purpose of retaining data for a specific period. It also specifies what data should be maintained and what security measures should protect that data.
A data storage policy defines the means and mechanisms for the long-term housing of data storage devices. The data storage environment must be controlled in terms of light, heat, vibration, humidity, temperature, and so forth. Reliable security should also be applied.
InfoSec Security+ Boot Camp
The InfoSec Institute offers a Security+ Boot Camp that teaches you information theory and reinforces that theory with hands-on exercises that help you learn by doing.
InfoSec Institute also offers thousands of articles on all manner of security topics.