Controls to ensure data security.

PACE-IT, Security+ 4.5: Mitigating Risks in Alternative Environments

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise

• Industry Certification

• PC Hardware

• Network Administration

• IT Project Management

• Network Design

• User Training

• IT Troubleshooting

Education

• M.B.A., IT Management, Western Governors University

• B.S., IT Security, Western Governors University

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.

– Technological controls for data security.

– Unique data security situations.

Technological controls for data security.

As the lifeblood of any organization, data needs to be kept safe and secure at all times.

Any time unauthorized access to data occurs, it can be considered a data breach. A data breach may cost the organization in reputation, revenue, fines, or in loss of trade secrets. Because of this, special emphasis is placed on controls for keeping data secure. Data may be in one of three states. It may be in transit, at rest, or in use. In order to ensure the security and integrity of the data, technology controls should be used for all three states.

– Data encryption.

» Whenever possible, data should be maintained in an encrypted format. Encryption ensures that, even if a data breach happens, no actual loss of data occurs. Data encryption can be implemented at different places and levels.

• Full disk encryption: all of the contents of the storage drive are encrypted; in order to access anything on the drive, the proper key must be input.

• Database encryption: sensitive information contained in databases (e.g., customer credit card numbers) should always be kept in an encrypted format.

• Individual file encryption: if full disk encryption is not used, then all sensitive files should be encrypted.

• Removable media encryption: when data is allowed onto removable media, controls should be put in place that ensure that it is always encrypted on that media.

• Mobile device encryption: because of their nature (highly portable and prone to loss), all mobile devices that are allowed to contain organizational data should also implement device encryption.

– Hardware based encryption.

» In most cases, hardware based encryption (encryption solutions built into the device) will outperform software based encryption solutions—as the chipset in the device is optimized to perform the necessary algorithmic calculation.

• TPM (Trusted Platform Module): a specialized chip is used on the motherboard (which must be supported by the BIOS) to contain the cryptographic keys and perform the encryption.

• HSM (Hardware Security Module): a specialized add-on card is installed into the system to perform the hardware encryption.

• USB and portable hard drive encryption: when data is allowed onto portable media, only devices that support encryption should be used (e.g., an IronKey flash drive).

– File and folder permissions.

» A method of specifying who can access files and folders (through authentication) and what manipulations can be performed on the data (through authorization) once it has been accessed.

• Permissions are usually established through the use of a type of ACL (access control list).
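
The permissions control described above, as an added example that is not part of the original slides: a Python audit that walks a directory and reports regular files whose POSIX mode bits (the simplest form of ACL) grant read or write access to the group or to everyone. The function names, file names and modes are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

# Permission bits that let anyone other than the owner read or change a file.
RISKY_BITS = {
    stat.S_IRGRP: "group-read",
    stat.S_IWGRP: "group-write",
    stat.S_IROTH: "world-read",
    stat.S_IWOTH: "world-write",
}


def audit_tree(root):
    """Return {relative_path: [risky permission names]} for files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            risky = [label for bit, label in RISKY_BITS.items() if st.st_mode & bit]
            if risky:
                findings[os.path.relpath(path, root)] = risky
    return findings


def demo():
    """Build a constructed sample tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: owner-only, world-readable, world-writable.
        samples = {"payroll.csv": 0o600, "cards.db": 0o644, "export.tmp": 0o666}
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)  # set the mode exactly, independent of umask
        return audit_tree(root)


if __name__ == "__main__":
    for path, risky in sorted(demo().items()):
        print(f"{path}: {', '.join(risky)}")
```

Only the owner-only file passes; the other two are reported with the specific bits that would need to be cleared.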

– Data policies.

» Policies (usually a form of administrative control) should be put in place that outline the technological controls that detail how data should be handled. The policies should outline at least the following controls:

• Storage: controls put in place that determine where and how data may be stored (including levels of encryption).

• Retention: controls put in place that determine specifically how long data must be kept and maintained and when data must be disposed of.

• Disposal: controls put in place that specify how data must be disposed of; the controls cover both physical and electronic data (e.g., the shredding of documents and hard drives).

• Wiping: controls put in place that specify how data on devices that are no longer in use or are going to be repurposed must be handled—usually through the use of a secure data wiping process.

Unique data security situations.

– The storage area network (SAN) situation.

» Many organizations will utilize a SAN as a method of storing and accessing data.

• As most SANs reside on their own networks, controls must be put in place to ensure the security of the communication channel and keep data secure.

– The cloud storage situation.

» Cloud storage is another situation where special controls must be put in place to keep data secure.

• In addition to that, in some cases, it is not appropriate to store data on a third party cloud solution (e.g., personally identifiable information should never be stored outside of the organization’s control).

– The big data system situation.

» Big data storage and transmission methods should have specific controls in place to ensure that communication channels are secure and that sensitive data is maintained in a secure manner at all times.

What was covered.

Topic: Technological controls for data security.

Summary: Data is the lifeblood of any organization. As such, technological controls should be put in place to help ensure the security of that data. Data controls that can be put in place include: data encryption (full disk, database, individual file, removable media, and mobile devices), hardware based encryption (TPM, HSM, and USB and drive encryption), file and folder permissions, and data policies (storage, retention, disposal, and wiping policies).

Topic: Unique data security situations.

Summary: In some situations, more data security controls should be put in place than would normally be in play. These situations may include: the implementation of a SAN, the use of cloud storage, and the use of big data systems.

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.