Technical Controls for Securing Data

  • Access Control

    • Access Control Lists (ACLs) with Access Control Entries (ACEs)

    • Network: routers, switches, firewalls

    • Files and folders: implemented in the filesystem

    • Least privilege

    • Context based ACLs

  • Windows:

    • Full control

    • Modify

    • Read and Execute

    • List folder contents

    • Read

    • Write

  • Windows Command Line: icacls

    • N – No access

    • F – Full access

    • R – Read only access

    • RX – Read and execute access

    • M – Modify access

    • W – Write access

    • D – Delete access

  • Linux permissions:

    • R – read

    • W – write

    • E – execute

  • Apply to 3 entities:

    • U – user or owner

    • G – group

    • O – others/rest of the world

  • Linux commands:

    • chmod – change permissions

    • chown – change owner

  • Encryption Controls

    • Data at rest

    • Data in transit

    • Data in use

    • Encryption strength

    • Legal requirements

  • DLP – Data Loss Prevention

    • Classify data

    • Email

    • Web uploads

    • Personal mail

    • Instant message

    • Social Media

    • USB devices

  • De-identification Controls – Slightly altering data so that it can be shared safely, with no risks to privacy.

    • Data masking – replacing patterns with masked values such as XXX-XX-1234

    • Tokenization – replace data with random tokens

    • Aggregation/Banding – Replacing data with a broader range.

    • De-identification attacks – correlate incomplete sets of data to determine original data.

  • DRM – Digital Rights Management

    • Method for controlling distribution of data

    • Authorized players

    • Authorized viewers

    • Social DRM (Watermarking)

    • Online Checks
