CISSP Training Series – Data States


In domain 2 of the official CISSP training textbook, there is a discussion of data states and security controls that addresses learning objective 2.6 of the CISSP exam. Of note, this material is also a learning objective for both the CCSP and CCSK certification exams.
In this entry, we’ll cover security controls that can be used to protect data at rest, in transit and in use. ISC2 refers to these as “data states”. We’ll also look at the most important facts for each of the states covered in the official textbook.
We’ll delve into control types in an upcoming blog entry to wrap up all the content found in learning objective 2.6.
Protecting Data at Rest
Understanding Data at Rest
The security of stored data, often referred to as “data at rest,” is paramount for organizations. Whether it’s customer information, financial records, or trade secrets, ensuring the safety of this dormant data is essential for business integrity and reputation.
Data at rest refers to inactive data stored in databases, backups, off-site storage, password files, and other similar sources. While it might seem that inactive data would be safe from threats, the reality is different. Its stationary nature can sometimes make it a lucrative target for malicious actors.
It should be noted that cryptographic tools can also condense or compress data, optimizing storage and transmission space – a win-win in terms of security and efficiency.
Risks Associated with Data at Rest
The primary threat with data at rest is that malevolent users might attempt to:
- Gain unauthorized physical or logical access to a device.
- Transfer valuable information from the device to their system.
- Commit other acts that compromise the confidentiality and integrity of the information stored.
In essence, while the data may be “at rest,” threats against it never sleep.
Best Practices for Protecting Data at Rest
- Encrypt Removable Media and Mobile Devices: Any device that can be easily moved or stolen, such as USB drives, laptops, tablets, smartphones, and wearable tech, poses a risk. It’s imperative to encrypt these devices when they’re used to store valuable data.
- Implement Proper Access Controls: Ensure that only authorized personnel can access the data. This may involve multi-factor authentication, stringent password policies, and regular audits of access logs.
- Redundancy Controls: Keeping multiple backups of essential data ensures that in the event of a breach or data loss, there’s a fallback. Ensure these backups are also encrypted and stored securely.
Key Exam Points to Remember
- Data at Rest can be protected with encryption.
- Access controls are very important to protect the CIA triad (Confidentiality, Integrity, Availability).
- Redundancy is also listed to protect data at rest from intentional or accidental deletion.
- Anything used to store data is subject to data at rest controls. This includes portable USB drives.
Protecting Data in Transit
Understanding Data in Transit
In the digital age, data security is paramount. As cyber threats increase in frequency and sophistication, protecting our valuable data while it’s in transit has become more critical than ever. When we mention “data in transit,” we refer to data that is being transferred from one location, device, or user to another—over the Internet or any network. So, how can we ensure this data remains secure while it’s on the move?
Risks Associated with Data in Transit
- Interception or eavesdropping by unauthorized users during transmission across any network.
- Potential vulnerabilities with using SSL encryption, especially SSLv3, which is considered breakable and deprecated.
- Transmission of sensitive data over email without proper encryption.
These risks emphasize the importance of ensuring that data, while in transit, is properly encrypted and sent over secure protocols to prevent unauthorized access or compromise.
Best Practices for Protecting Data in Transit
- Always Encrypt Valuable Data
Whether it’s traveling across the hostile internet or simply between devices in the same subnet, encryption is non-negotiable. By encrypting this data, you can prevent unauthorized users from intercepting or eavesdropping on your information.
Even within a protected subnet, don’t take chances. Encrypt the data.
- Email Transmission: Handle with Care
Traditional email systems are not inherently secure. Avoid transmitting sensitive data via email unless you’re utilizing additional encryption tools.
When sending sensitive data through email, consider tools like Pretty Good Privacy (PGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME). These tools offer a cryptographically strong method for securing email data.
Alternatively, use file encryption tools compliant with security standards, then attach the encrypted file to your email.
- Web Interfaces and Secure Protocols
When transmitting data to and from sensitive devices via web interfaces, use secure protocols. The go-to here is Transport Layer Security (TLS) encryption. Note: The textbook doesn’t mention which version of TLS is recommended, but you should know that TLS 1.3 is generally recommended as there are significant performance and security improvements over TLS 1.2.
Remember, Secure Sockets Layer (SSL) encryption, including its variant SSLv3, is now considered vulnerable and outdated. Avoid using it.
- Secure Application to Database Connections
If your application’s database is separate from its server, ensure all connections between them are encrypted. This encryption should use Federal Information Processing Standards (FIPS)-compliant cryptographic algorithms for maximum security.
- Non-web Valuable Data Transmission
For non-web sensitive data traffic, always opt for application-level encryption if available.
If application-level encryption isn’t an option, implement network-level encryption. Protocols like Internet Protocol Security (IPSec) or Secure Shell Protocol (SSH) tunneling are highly recommended.
- Intra-subnet Transmissions
When sending valuable data between devices within protected subnets that already have robust firewall controls, encryption remains crucial. Remember, the cyber world is heading to a zero trust model.
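The TLS guidance above can be checked on the wire. The following added example (not from the textbook or the original post) builds a Python client context with a TLS 1.3 floor and parses the ClientHello it would send, confirming which protocol versions are actually offered. The hostname is a placeholder and no network connection is made.

```python
import ssl
import struct

SUPPORTED_VERSIONS_EXT = 43  # TLS extension listing the versions a client offers
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_context(minimum=ssl.TLSVersion.TLSv1_3):
    """Certificate-verifying client context with a protocol version floor."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def client_hello(ctx, hostname="db.internal.example"):  # placeholder hostname
    """Return the first handshake record the client would send (offline)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for a server reply
    return outgoing.read()

def offered_versions(record):
    """Extract the supported_versions list from a ClientHello record."""
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, legacy version, random
    pos += 1 + record[pos]               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]               # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        if ext_type == SUPPORTED_VERSIONS_EXT:
            count = body[0] // 2         # one length byte, then 2-byte versions
            return list(struct.unpack_from("!%dH" % count, body, 1))
        pos += 4 + ext_len
    return []

def describe(ctx):
    """Human-readable names of the versions the context offers."""
    return [VERSION_NAMES.get(v, hex(v)) for v in offered_versions(client_hello(ctx))]

if __name__ == "__main__":
    print("floor TLS 1.2:", describe(client_context(ssl.TLSVersion.TLSv1_2)))
    print("floor TLS 1.3:", describe(client_context()))
```

With the floor at TLS 1.3 the client cannot be negotiated down to an older protocol, because it never offers one.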
Key Exam Points to Remember
- Protecting data in transit is more than internet traffic. Internal network traffic must be protected.
- Prefer TLS 1.3 over SSL (which is no longer considered secure).
- Beyond TLS 1.3, don’t forget SSH and IPSec VPNs.
- VPNs can serve as an end-to-end encryption solution implemented by the end user.
- Protecting email can include encrypting attachments.
Protecting Data in Use
The digital age has brought an immense wealth of information at our fingertips, but with it comes a myriad of security challenges. Among the most pressing of these is the protection of ‘data in use’. Unlike data in motion or data at rest, which can be safeguarded with encryption and access controls, data in use presents unique vulnerabilities. Let’s dive deeper into understanding these challenges and the groundbreaking solutions being proposed.
Understanding Data in Use
Simply put, data in use refers to data that is currently being processed or consumed by applications. For instance, when you’re entering information into a spreadsheet or accessing a database, that’s data in use. Since this data has to be in plaintext form for the system to understand and process it, it’s inherently exposed and at risk.
Pervasive Encryption: The Future?
Some leading tech entities, like IBM, are venturing into the realm of pervasive encryption. The idea here is groundbreaking: keep the data encrypted even while it’s being processed. While the feasibility and specifics (like whether both datasets need the same session key) are still under research, the potential implications for data security are immense.
Risks Associated with Data in Use
Data in use is prone to several risks:
- Unexpected Alterations: These could either be innocent mistakes or deliberate tampering by malicious users.
- Unauthorized Exposure: A classic example is the ‘over-the-shoulder’ attack where someone can simply glance over another person’s screen and gain unauthorized access to sensitive information.
Best Practices for Protecting Data in Use
Envisioning Secure Enclaves
One of the promising solutions being explored is the concept of ‘secure enclaves’. Picture an isolated, fortified territory within a larger landscape, safeguarded against external threats. In the digital realm, this translates to a sectioned-off environment where data can be processed in its vulnerable plaintext form, but with a buffer against external risks.
The philosophy behind an enclave is its isolation. It and its contents are separate from the broader architecture, keeping it shielded from potential vulnerabilities or malware that may plague the main system.
However, as any seasoned security professional will acknowledge, there’s no such thing as a perfect defense. While enclaves are promising, they may also present their own set of vulnerabilities, especially concerning their implementation.
If you’re looking to understand more about enclaves to protect data in use, check out AWS Nitro Enclaves and Microsoft Azure Confidential Computing offerings. Just remember, knowledge of these offerings is not required for your CISSP exam.
Key Exam Points to Remember
- Integrity of data is a key risk for Data in Use. Either accidentally or maliciously, data may be altered.
- Shoulder surfing (reading a screen over someone’s shoulder) is a loss of confidentiality while data is in use.
- Enclaves and “pervasive encryption” can be used to protect data in use.
- Of all three states, Data in Use is the hardest to protect.
Conclusion
The journey to securing data in use is akin to an ever-evolving game of cat and mouse between security professionals and malicious actors. While challenges persist, the industry’s proactive stance in exploring solutions like pervasive encryption and secure enclaves offers hope. But, as always, with innovation comes the need for rigorous testing, adaptation, and continuous learning. As we stride into the future, the need to protect data in use will only grow more pressing, and our strategies to safeguard it more sophisticated.
For more information about our CISSP training offerings, check out https://intrinsecsecurity.com/product/cissp-training-cbk-certification/