1 / 31

Lecture 1: Data Security

Explaining Data, Types of Data, Why Data security?

Islahuddin
Download Presentation

Lecture 1: Data Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSC7 – DATA SECURITY Shaheed rabbaniEducation University Computer Science faculty Instructor: Islahuddin Jalal Master in Cyber Security Shaheed Rabbani Education University

  2. Outlines to be discussed………. Today • Security Unstructured Data • Data Security • Structured Data Vs Unstructured Data • At Res, in Transit and In Use • Approaches to Securing Unstructured data Shaheed Rabbani Education University

  3. Class Policy • A student must reach the class-room in time. Late comers may join the class but are not entitled to be marked present. • Attendance shall be marked at the start of the class and students failing to secure 75% attendance will not be allowed to sit in final exam. • The assignment submission deadline must be observed. In case of late submission, ten percent may be deducted from each day. • Those who are absent on the announcement date of the assignment/test. Must get the topic/chapter of test/assignment confirmed through their peers. • Mobile phones must be switched-off in the class-rooms. Shaheed Rabbani Education University

  4. Grading Evaluation for DATA Security Shaheed Rabbani Education University

  5. The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu Shaheed Rabbani Education University

  6. Why Data Security? • Organizations around the globe are investing heavily in information technology (IT) cyber security capabilities to protect their critical assets. • Enterprise needs to protect • a brand, • intellectual capital, • and customer information • or provide controls for critical infrastructure, the means for incident detection and response to protecting organizational interests have three common elements • People, • Processes, • Technology. Shaheed Rabbani Education University

  7. Overview of Data • Data • Raw facts and figure • State of Data • At storage • At Transit • In use • But • In the high-bandwidth, mobile and networked environments in which we work and live, information rarely stays in one place • In a matter of microseconds, information can be distributed to many locations and people around the world. • To Secure this kind of Data • we must look beyond the simple confines of where information can be stored and think more about how it is stored or, more accurately , how it is formatted. Shaheed Rabbani Education University

  8. Continued…. Data Unstructured Data Structured Data Shaheed Rabbani Education University

  9. Structured Data • structured data is data that conforms to some sort of strict data model and is confined by that model. • The model might define a business process that controls the flow of information across a range of service-oriented architecture (SOA) systems, • for example • how data is stored in an array in memory. • But for most IT and security professionals, structured data is the information that lives in the database and is organized based on the database schema and associated database rules. • Note: As a Security Professional • Databases reside within a data center that is surrounded by brick walls, metal cages, network firewalls, and other security mechanisms that allow you to control access to the data. • The data itself is structured in a manner that typically allows for easy classification of the data. For example, you can identify a specific person’s medical record in a database and apply security controls accordingly. Shaheed Rabbani Education University

  10. Continued… • Security controls are relatively easy to define and apply to structured data using either the built-in features of the structure or third-party tools designed for the specific structure. Shaheed Rabbani Education University

  11. Unstructured Data • unstructured data • Difficult to manage • Difficult to secure. • Live • anywhere, • any format, • on any device, • can move across any network. • Has no strict format • For Example • a patient record that is extracted from the database, displayed in a web page, copied from the web page into a spreadsheet, attached to an e-mail, and then e-mailed to another location. Simply describing the variety of networks, servers, storage, applications, and other methods that were used to move the information beyond the database could take an entire chapter. • As this information flows from one format to another, its original structure has been effectively changed. Shaheed Rabbani Education University

  12. Security of Structured vs Unstructured • structured data is relatively straightforward. • Unstructured data • In different file formats, • across networks • stored in places you can’t control • Many analysts say 80 percent or more of digital information in an organization is unstructured, and that the amount of unstructured data is growing at a rate 10 to 20 times the rate of structured data. • Also consider the constant stream of news articles highlighting theft of intellectual property, accidental loss of information, and malicious use of data, all with unstructured data at the core of the problem. • In 2010, the worldwide total of unstructured data was estimated at roughly 1 million petabytes (1,048,576,000,000 GB) and is considered to be increasing at a rate of 25 percent a year. • We clearly need to understand how we can secure unstructured data. Shaheed Rabbani Education University

  13. Approaches to secure unstructured data • The problem of unstructured data has not gone unnoticed by the security community; • We have access to an array of technologies that are designed to provide at least partial solutions to the problem of how to secure unstructured data. • The key areas where unstructured data can reside can be broken down into the following categories: • Databases • Applications • Networks • Computers • Storage • Physical world (printed documents) Shaheed Rabbani Education University

  14. DATABASE Shaheed Rabbani Education University

  15. Continued…. • Database • Center of the data • Majority of information you are trying to secure was either created and inserted into , lives in or has been retrieved. • Most Secure Database • No body could access • No keyboard attached • No network connected • No way to remove or add storage • Powered off • Located in a room without doors • Disconnected from any power source World’s most useless Database Shaheed Rabbani Education University

  16. Continued…….. • Practically • you have to secure the data within the database while also allowing legitimate users and applications to access it. Shaheed Rabbani Education University

  17. Information flows into and out of DB Shaheed Rabbani Education University

  18. Unstructured data protection • Encrypting unstructured Data at Rest in the Database • Encryption of the actual Data itself • Partial encryption of the database schema (specific rows, column) • Full encryption of the DB data files • Implementing Controls to Restrict Access to Unstructured Data • Approaches that are used by different DB vary • Simple Authentication • Complex set of rules that define for various levels of data classification • Who can access what, from where, at what time and using what application • These credentials can either be stored within the database platform or reside within an external identity directory. • Securing Data Exports Shaheed Rabbani Education University

  19. Applications Shaheed Rabbani Education University

  20. Applications • Unstructured data is typically created in either of two ways: • Through user activity on their workstations, • As applications access and manipulate structured data and reformat it into a document, e-mail, or image. • The number of applications is growing at an amazing rate. • With cloud development platforms, it is now a relatively trivial task to create a collection of data from a wide variety of sources and consolidate it into a new application. • Types of Applications • Office suite • Web-base application • Client /server applications • etc Shaheed Rabbani Education University

  21. Application Security • Categorized into the following groups • Application access control • Network and session security to ensure the connection between the database, application and user is secure (browser) • Auditing and Logging • Application code and configuration management • Configuration management systems provide a repository for storing previous versions of software, as well as controls for the workflow of reviews and approvals needed to enforce compliance with an organization’s security policies. Many large applications can also be configured to work with governance, risk management, and compliance (GRC) Shaheed Rabbani Education University

  22. Network Shaheed Rabbani Education University

  23. Network • Data moves from the protected realm of the database into the application and on to the end user. • Sometimes this communication occurs via a local process, but often the application and database reside on different servers connected via a network. • The end users are rarely on the same computer that the application and server reside on. • Therefore, the security of the network itself is another area that we must examine. Shaheed Rabbani Education University

  24. Security of Network • Network security technologies have developed into complex systems that are able to analyze traffic and detect threats. • Network intrusion prevention systems (NIPS) • Network intrusion detection systems (NIDS) • Network firewalls • Network Authentication systems • etc Shaheed Rabbani Education University

  25. Computer Shaheed Rabbani Education University

  26. Security of Computer • Ensuring that only legitimate users can access the computer • Controlling the flow of information over network interfaces and the connection points (USB, DVD etc • Securing data residing at rest on the computer Shaheed Rabbani Education University

  27. Storage Shaheed Rabbani Education University

  28. Security of storage • Encryption of storage • Disk encryption (either hardware based or software based) • File-system encryption Shaheed Rabbani Education University

  29. Data Printed into the Physical World Shaheed Rabbani Education University

  30. Security of Data Printed into the Physical World • Physically printed copies of documents can pose risks just as great as those posed by their digital counterparts. • A user could print a spreadsheet and send it via fax or mail to an unauthorized party. • Best practices • Restriction of the contents printed • Reliance on human vigilance • Confidential info should have a cover page and page numbers, watermarks • Confidential info should be printed on a private printer • Confidential info should be locked in secured container (desk drawer or file cabinet) • No longer needed document should be shredded or placed in a secure container for a shredding service to destroy • When faxing data, make the recipient aware that a fax is about to be sent • When sending mail, verify that the correct recipient received the delivery, make sure the envelope is opaque Shaheed Rabbani Education University

  31. Thank You For Your Patience Shaheed Rabbani Education University

More Related