From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Understanding data security

- [Instructor] Data is often an organization's most valuable asset. As such, it's appropriate that information security professionals spend a large amount of their time ensuring the confidentiality, integrity, and availability of information assets. When security professionals think about data security, they normally begin by thinking about the security controls used to protect data in three different states: data at rest, data in transit, and data in use.

Data at rest is data stored somewhere for later use. This might be on a hard drive or USB stick, in a cloud service, or on a magnetic tape as part of a backup or archival solution. Data at rest is vulnerable to theft if an attacker gains either physical or logical access to the storage media. This might be by stealing a hard drive or by hacking into an operating system that has the drive mounted. Either method can be an effective way to steal data, and information security professionals must protect against both approaches.

Data in transit is data that's moving around a network between two systems. It might be data that's moving from a storage location to a user's computer, or data that's simply being transmitted between two systems, such as a user entering their credit card number into a website. Data in transit must be protected against eavesdropping attacks because this data often travels over public networks, such as the internet.

Data in use is data that is actively being used by a computer system, such as data stored in memory and being actively processed. This data must be protected against attacks that seek to access data belonging to other applications and processes.

There are several things that you can do to protect your organization's data. First, you should have clear policies and procedures surrounding the appropriate use of data and the security controls that must be in place for sensitive information. Second, you should use encryption to protect sensitive information when it is either at rest or in transit. Different types of encryption are appropriate for different environments. You might use file encryption to protect the data stored on a device, while transport layer security, TLS, might protect information being exchanged between two systems over a network. Finally, you should use access controls to restrict access to information while it's stored on devices. You can use file system access control lists to specify who may view, modify, or delete information stored on a device.

One final note on data security. Many organizations have programs focusing on the acquisition and analysis of big data. Simply defined, big data is the use of data sets that are much larger than those used by conventional data processing and analytic techniques. For example, big data rarely uses relational databases because of the significant overhead involved. Instead, big data storage and analysis uses specialized technology like the key-value stores of NoSQL databases. Big data storage and analysis introduces unique security concerns. Administrators must think about how this data is secured and the appropriate access to sensitive information, especially that concerning personally identifiable information.
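The lesson's point about file system access controls for data at rest, as an added example that is not part of the course transcript: a small Python audit that walks a directory, reports every file or directory whose POSIX permission bits grant read or write access to anyone other than the owner (and so lets a non-owner view, modify, or delete the data), and then restricts each finding to its owner. It assumes a POSIX file system, treats everything under the audited root as sensitive, and constructs the files it audits in a temporary directory.

```python
"""Audit and remediate data-at-rest file permissions (added example, not course code).

Assumes a POSIX file system. Every file under the audited root is treated as
sensitive, so any group/other read or write bit is reported as a finding.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str               # symbolic mode as ls prints it, e.g. "-rw-r--r--"
    problems: Tuple[str, ...]


# Bits that expose an object to principals other than its owner.
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def describe_excess_access(st_mode: int) -> List[str]:
    """Map excess permission bits to the security property they undermine."""
    problems = []
    if stat.S_ISDIR(st_mode):
        # Deleting or replacing a file is governed by write access on its
        # parent directory, not by the file's own bits.
        if st_mode & GROUP_OR_OTHER_WRITE:
            problems.append("directory writable by group or others: entries can be deleted or replaced (integrity/availability)")
        return problems
    if st_mode & GROUP_OR_OTHER_READ:
        problems.append("readable by group or others (confidentiality)")
    if st_mode & GROUP_OR_OTHER_WRITE:
        problems.append("writable by group or others (integrity)")
    return problems


def audit_directory(root: str) -> List[Finding]:
    """Return one Finding per regular file or directory under root that is not owner-only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue  # symlinks, sockets, etc. are out of scope here
            problems = describe_excess_access(st.st_mode)
            if problems:
                findings.append(Finding(path, stat.filemode(st.st_mode), tuple(problems)))
    return sorted(findings, key=lambda f: f.path)


def finding_names(findings: List[Finding]) -> Set[str]:
    return {os.path.basename(f.path) for f in findings}


def remediate(findings: List[Finding]) -> Dict[str, str]:
    """Restrict each finding to its owner (0700 for directories, 0600 for files).

    Returns the new symbolic mode keyed by base name so the result can be checked.
    """
    fixed = {}
    for f in findings:
        st = os.stat(f.path)
        os.chmod(f.path, 0o700 if stat.S_ISDIR(st.st_mode) else 0o600)
        fixed[os.path.basename(f.path)] = stat.filemode(os.stat(f.path).st_mode)
    return fixed


def build_sample_tree() -> str:
    """Construct a temporary tree: one owner-only file, one world-readable file, one world-writable directory."""
    root = tempfile.mkdtemp(prefix="data-at-rest-")
    payroll = os.path.join(root, "payroll.csv")
    readme = os.path.join(root, "readme.txt")
    exports = os.path.join(root, "exports")
    for path in (payroll, readme):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    os.mkdir(exports)
    os.chmod(payroll, 0o600)   # owner-only: no finding expected
    os.chmod(readme, 0o644)    # world-readable: confidentiality finding
    os.chmod(exports, 0o777)   # world-writable directory: deletion/replacement finding
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_directory(sample_root):
        print(finding.mode, finding.path)
        for problem in finding.problems:
            print("   -", problem)
    print("remediated:", remediate(audit_directory(sample_root)))
```

Running the script prints the two exposed objects with their symbolic modes and the property each one puts at risk, then shows the owner-only modes after remediation; a second audit of the same tree returns nothing.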
