This document discusses technological controls that can be implemented to help ensure data security. Some key controls mentioned include data encryption of disks, databases, files and removable media; hardware-based encryption using TPM, HSM, and encrypted storage devices; and file/folder permissions. Data policies around storage, retention, disposal and wiping are also recommended. Special data security considerations are outlined for storage area networks, cloud storage, and big data systems. Unique situations may require additional controls beyond normal practices.
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certification
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governor’s University
B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.
3. Page 3
– Technological controls for data security.
– Unique data security situations.
PACE-IT.
5. Page 5
As the lifeblood of any
organization, data needs to
be kept safe and secure at all
times.
Any time unauthorized access to data occurs, it can be
considered a data breach. A data breach may cost the
organization in reputation, revenue, fines, or in loss of trade
secrets. Because of this, special emphasis is placed on controls
for keeping data secure.
Data may be in one of three states. It may be in transit, at rest, or
in use. In order to ensure the security and integrity of the data,
technology controls should be used for all three states.
Controls to ensure data security.
6. Page 6
– Data encryption.
» Whenever possible, data should be maintained in an encrypted
format. Encryption ensures that, even if a data breach happens,
no actual loss of data occurs. Data encryption can be
implemented at different places and levels.
• Full disk encryption: all of the contents of the storage drive
are encrypted; in order to access anything on the drive, the
proper key must be input.
• Database encryption: sensitive information contained in
databases (e.g., customer credit card numbers) should
always be kept in an encrypted format.
• Individual file encryption: if full disk encryption is not used,
then all sensitive files should be encrypted.
• Removable media encryption: when data is allowed onto
removable media, controls should be put in place that ensure
that it is always encrypted on that media.
• Mobile device encryption: because of their nature (highly
portable and prone to loss), all mobile devices that are
allowed to contain organizational data should also implement
device encryption.
Controls to ensure data security.
7. Page 7
– Hardware based encryption.
» In most cases, hardware based encryption (encryption
solutions built into the device) will outperform software based
encryption solutions—as the chipset in the device is optimized
to perform the necessary algorithmic calculation.
• TPM (Trusted Platform Module): a specialized chip is used on
the motherboard (which must be supported by the BIOS) to
contain the cryptographic keys and perform the encryption.
• HSM (Hardware Security Module): a specialized add-on card
is installed into the system to perform the hardware
encryption.
• USB and portable hard drive encryption: when data is
allowed onto portable media, only devices that support
encryption should be used (e.g., an IronKey flash drive).
– File and folder permissions.
» A method of specifying who can access files and folders
(through authentication) and what manipulations can be
performed on the data (through authorization) once it has been
accessed.
• Permissions are usually established through the use of a type
of ACL (access control list).
Controls to ensure data security.
8. Page 8
– Data policies.
» Policies (usually a form of administrative control) should be put
in place that outline the technological controls that detail how
data should be handled. The policies should outline at least the
following controls:
• Storage: controls put in place that determine where and how
data may be stored (including levels of encryption).
• Retention: controls put in place that determine specifically
how long data must be kept and maintained and when data
must be disposed of.
• Disposal: controls put in place that specify how data must be
disposed of; the controls cover both physical and electronic
data (e.g., the shredding of documents and hard drives).
• Wiping: controls put in place that specify how data on devices
that are no longer in use or are going to be repurposed must
be handled—usually through the use of a secure data wiping
process.
Controls to ensure data security.
10. Page 10
– The storage area network (SAN) situation.
» Many organizations will utilize SAN as method of storing and
accessing data.
• As most SANs reside on their own networks, controls must be
put in place to ensure the security of the communication
channel and keep data secure.
– The cloud storage situation.
» Cloud storage is another situation where special controls must
be put in place to keep data secure.
• In addition to that, in some cases, it is not appropriate to store
data on a third party cloud solution (e.g., personally
identifiable information should never be stored outside of the
organization’s control).
– The big data system situation.
» Big data storage and transmission methods should have
specific controls in place to ensure that communication
channels are secure and that sensitive data is maintained in a
secure manner at all times.
Controls to ensure data security.
11. Page 11
Controls to ensure data security.
Data is the lifeblood of any organization. As such, technological controls
should be put in place to help ensure the security of that data. Data controls
that can be put in place include: data encryption (full disk, database,
individual file, removable media, and mobile devices), hardware based
encryption (TPM, HSM, and USB and drive encryption), file and folder
permissions, and data policies (storage, retention, disposal, and wiping
policies).
Topic
Technological controls for
data security.
Summary
In some situations, more data security controls should be put in place than
would normally be in play. These situations may include: the
implementation of a SAN, the use of cloud storage, and the use of big data
systems.
Unique data security
situations.
13. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.