If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of implementing identity and access management controls.
For example, can you answer this practice test question?
Q. Your organization hosts a web site with a back-end database. The database stores customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data?
A. Full database encryption
B. Whole disk encryption
C. Database column encryption
D. File-level encryption
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Data is one of the most valuable resources any organization manages, second only to its people. If you ever tune into the news, you’ve likely heard about data breaches at organizations such as Arby’s, Edmodo, OkCupid, St. Mark’s Surgery Center, Uber, Verizon, Washington State University, and Yahoo!. Unfortunately, data breaches are frequent and they affect millions of people. In the worst-case scenarios, thieves use the stolen data to empty bank accounts, rack up fraudulent charges on credit cards, and steal individuals’ identities.
Losing control of data directly affects the reputation, and often the bottom line, of an organization. The importance of taking steps to protect valuable data cannot be overstated.
The security policy helps an organization classify and label its data. This blog post presents many of the security controls an organization can use to protect data based on the requirements set within a data security policy.
Confidentiality is primarily protected through encryption and strong access controls.
Protecting Confidentiality with Encryption
One of the primary ways you can prevent the loss of confidentiality is by encrypting data. This includes encrypting data-at-rest no matter what type of device it is stored on and encrypting data-in-transit no matter what type of transmission media is used. It is much more difficult for an attacker to view encrypted data than it is to view unencrypted data.
You can use other tools to restrict access to data, but this isn’t always effective. For example, consider the Microsoft New Technology File System (NTFS), which allows you to configure permissions within access control lists (ACLs). You can use NTFS to set permissions on files and folders to restrict access. However, if a thief steals a laptop with NTFS-protected files, it’s a simple matter to access them. The thief simply moves the drive to another system as an extra drive, logs on as the administrator, and takes ownership of the files. Encryption isn’t as easy to bypass.
Database Security
Databases provide another form of software-based encryption. For example, many database applications such as Oracle Database or Microsoft SQL Server include the ability to encrypt data held within a database. Although it’s possible to encrypt the entire database, it’s more common to encrypt specific data elements.
As an example, imagine a database includes a table named Customers. Each record within the table has multiple columns, including customer number, last name, first name, credit card number, and security code. Instead of encrypting the entire table, administrators can choose to encrypt only the credit card number and security code fields within each record. This protects the sensitive data, but doesn’t waste valuable processing power encrypting data that isn’t sensitive.
Remember this
The primary methods of protecting the confidentiality of data are with encryption and strong access controls. Database column encryption protects individual fields within a database.
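The Customers example above, sketched in Microsoft SQL Server T-SQL as an added example that is not part of the original post. The key, certificate and column names, the password placeholder, and the sample row are all constructed for illustration.

```sql
-- Key hierarchy: master key -> certificate -> symmetric key for the columns.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE CustomerCardCert
    WITH SUBJECT = 'Protects the Customers card-data key';
CREATE SYMMETRIC KEY CustomerCardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCardCert;

-- Only the two sensitive columns hold ciphertext; the rest stay searchable.
CREATE TABLE dbo.Customers (
    CustomerNumber   INT            NOT NULL PRIMARY KEY,
    LastName         NVARCHAR(50)   NOT NULL,
    FirstName        NVARCHAR(50)   NOT NULL,
    CreditCardNumber VARBINARY(256) NOT NULL,
    SecurityCode     VARBINARY(256) NOT NULL
);

OPEN SYMMETRIC KEY CustomerCardKey
    DECRYPTION BY CERTIFICATE CustomerCardCert;

-- Constructed sample row. The authenticator (hash of the customer number)
-- ties each ciphertext to its row, so a value copied to another record
-- will not decrypt there.
INSERT INTO dbo.Customers
    (CustomerNumber, LastName, FirstName, CreditCardNumber, SecurityCode)
VALUES (1001, N'Doe', N'Jane',
    EncryptByKey(Key_GUID('CustomerCardKey'), '4111111111111111', 1,
                 HASHBYTES('SHA2_256', CONVERT(varbinary(4), 1001))),
    EncryptByKey(Key_GUID('CustomerCardKey'), '123', 1,
                 HASHBYTES('SHA2_256', CONVERT(varbinary(4), 1001))));

-- With the key open, authorized code reads the plaintext back.
SELECT CustomerNumber, LastName,
       CONVERT(varchar(19), DecryptByKey(CreditCardNumber, 1,
           HASHBYTES('SHA2_256', CONVERT(varbinary(4), CustomerNumber)))) AS CardNumber
FROM dbo.Customers;

CLOSE SYMMETRIC KEY CustomerCardKey;

-- With the key closed, DecryptByKey returns NULL; names remain readable.
SELECT CustomerNumber, LastName, DecryptByKey(CreditCardNumber) AS CardNumber
FROM dbo.Customers;
```

Permissions on the certificate and symmetric key decide which accounts can open the key, so the encryption and the access controls reinforce each other.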
File System Security
Many operating systems support file- and folder-level encryption. Linux systems support GNU Privacy Guard (GnuPG or GPG), which is a command-line tool used to encrypt and decrypt files with a password. Microsoft NTFS includes the Encrypting File System (EFS), available in most Windows operating systems. An attacker will have a more difficult time accessing these encrypted files.
A benefit of file- and folder-level encryption is that you can encrypt individual files without encrypting an entire disk. For example, a server may store files accessed by users throughout the company. Access controls provide a first level of protection for these files, but administrators may be able to bypass the access controls. Imagine that a company stores payroll data on the server and wants to ensure that a malicious insider with administrative privileges can’t access the data. Using file encryption provides an additional level of protection.
Q. Your organization hosts a web site with a back-end database. The database stores customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data?
A. Full database encryption
B. Whole disk encryption
C. Database column encryption
D. File-level encryption
Answer is C. Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted.
Full database encryption and whole disk encryption aren’t appropriate because not everything needs to be encrypted to protect the credit card data.
File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on protecting data.