User:Torcross/Data-centric Security

Data owners identify subsets of their sensitive data that require protection, including under circumstances that the owner does not control. Data-centric security refers to protecting sensitive data items independently of their state, of the container they are kept or transported in, and of their location, by controlling which actors can access each individual sensitive data item, and in what way. Data-centric security approaches may involve data life-cycle control and options to dynamically adjust parameters and policies pertaining to data access and life-cycle.

Notes:
 * Data item: an atomic unit of data that has precise meaning and format. This is similar to, but without the attributes of, a Data element. Examples: PID, date, postal address, e-mail address. A data item may be kept as the sole content of a data base entry, or it may be loosely embedded in a document or data stream.
 * State of data: data is generally considered to be, at any single time, in one of the following states: at rest, in use, in motion.
 * Data container: a technical or logical entity that can be addressed by standard procedures or software, and that contains non-atomic information kept in multiple data items, meta-data, and embedded data containers. Examples: documents, messages, streams, files, data base rows/columns/tables, personally held devices like tokens and ID cards.
 * Access: Identity and Access Management (IAM); Wikipedia provides a list of the components of IAM.
 * Data life-cycle: related Wikipedia concepts are information life-cycle and system life-cycle; applications include Data management, Data administration, and Cybermethodology.

Sensitive data
The notion of data-centric security relies on that of sensitive data. These are data items which immediately contain sensitive information, or which can be combined with other data to yield such information.

The most commonly known kinds of sensitive data are related to data privacy. A distinction can be made between private data, such as credit card data (see Wikipedia: PCI DSS), where the knowledge of the data is controlled by the subject, and the broader set of personal data, such as any Personally identifiable information, in particular any Personal identifier.

There are regulations concerning data protection in general (for example FISMA in the USA, and EU regulations), as well as normative documents concerning specific branches, such as healthcare (for example HIPAA in the USA, and EU regulations) or finance (e.g. payment cards, or corporate compliance).

Sensitive data detection
Determining what and where sensitive data are in an organization involves steps that need to be repeated, at different time intervals depending on the step. First, the scope of data protection is defined, by identifying which regulations are applicable and which systems at that organization are concerned. Next, policies and technical procedures are defined for the purpose of identifying the sensitive data items actually present. The set of these items is usually too large to allow manual identification. Therefore, automated processes for detecting these items are run regularly, following the specified policies and procedures and using specialized Data loss prevention software.

As an example of what data are being detected, consider the following excerpt from a blog post covering SDD in the context of Microsoft Server 2012 and FCI (Microsoft Server "File Classification Infrastructure", which involved a "Data Classification Toolkit"):

... people think of "documents" as Microsoft Office documents, IT admins know well that's not all that's out there. PDF files, CAD drawings and other types of files account for a significant portion of the sensitive data ... There are a lot of classification criteria including file path, extension, size, date of creation, author, specific content, etc. The most interesting one is analyzing the content of a file for matches against custom regex-filters allowing you to search for example for:
 * certain words or word combinations, or base of word, neglecting word forms, suffixes or prefixes
 * specifically formatted data, for example credit card numbers, phone numbers, SSNs, PII, contract numbers, etc.
 * amount of data above threshold such as more than 10 credit card numbers in one file
Basically, you can identify anything that can be expressed with a regular expression, which can go from an easy Social Security Number to formatted or unformatted credit card numbers from all the most common providers ...
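The regex-based content classification the excerpt describes, as an added illustration that is not from the original page or from Microsoft's FCI: a small Python scanner applies SSN and card-number filters to constructed sample files, drops regex hits that fail the Luhn check, and applies the "more than 10 card numbers in one file" threshold. The sample files, the two regex patterns and the threshold parameter are assumptions.

```python
import re

# Constructed sample files (not from the original page). The card numbers are
# well-known industry test numbers; the SSNs are fabricated.
SAMPLE_FILES = {
    "memo.txt": "Call 555-0100 about contract 4711; nothing sensitive here.",
    "hr.csv": "name,ssn\nAlice,123-45-6789\nBob,987-65-4321\n",
    "orders.txt": "\n".join([
        "4111111111111111", "5500000000000004", "4012-8888-8888-1881",
        "378282246310005", "6011111111111117", "4222222222222",
        "4111 1111 1111 1111", "5105105105105100", "4539578763621486",
        "4916338506082832", "5555555555554444", "1234567812345678",
    ]),
}

# Regex filters in the spirit of FCI content classification: formatted SSNs and
# card numbers of 13 to 19 digits with optional single space/dash separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(candidate: str) -> bool:
    """Luhn check: removes most false positives produced by the card regex."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str, card_threshold: int = 10) -> dict:
    """Return match counts and a classification label for one file's content."""
    ssns = SSN_RE.findall(text)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(c)]
    if len(cards) > card_threshold:
        label = "high"          # e.g. more than 10 card numbers in one file
    elif ssns or cards:
        label = "sensitive"
    else:
        label = "none"
    return {"ssn": len(ssns), "cards": len(cards), "label": label}

if __name__ == "__main__":
    print({name: classify(text) for name, text in SAMPLE_FILES.items()})
```

The labels are what a DLP policy would act on (quarantine, tag, or alert); the threshold rule keeps a single stray test number from being treated like a bulk card dump.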

Masking
Data Masking

Vendors
More content ...

 * Cloud Security Alliance guidance (see also Wikipedia: Information sensitivity, Digital security)
 * classification of security issues
 * infrastructure and data security
 * identity and access management (IAM)

Sensitive data

 * sensitive information
 * general regulations: EU, USA (Wikipedia: FISMA)
 * private data: credit card data (Wikipedia: PCI DSS)
 * personal data: UK, PII/SPI (Wikipedia: Personally identifiable information), PID (Wikipedia: Personal identifier)
 * healthcare: USA (Wikipedia: HIPAA), EU

data item
Definition: an atomic unit of data that has precise meaning and format. (Thus similar to, but without the attributes of a Data element.)

Examples: PID, date, postal address, e-mail address. A data item may be kept as the sole content of a data base entry, or it may be loosely embedded in a document or data stream.

data container
Definition: a technical or logical entity that can be addressed by standard procedures or software, and that contains non-atomic information kept in multiple data items, meta-data, embedded data containers.

Examples: documents, messages, streams, files, data base rows/columns/tables, personally held devices like tokens and ID cards.

state of data

 * Data at Rest
 * Data in Use
 * Data in Motion

dynamic data masking
Definition of DDM: sensitive data masking applied to the data items returned as result to a query, i.e. triggered by commands generating data in use and in motion.

static data masking
Definition of SDM: sensitive data masking applied to copies of the data containers holding the original information to be protected. This obfuscation is applied in advance; it is not triggered by the commands that set the state of the produced copies to data in use or in motion.
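To make the DDM/SDM distinction concrete, an added Python example that is not from the original page: the same masking function is either triggered per query on the returned rows, leaving the stored container untouched (DDM), or applied once to a copy of the container before any use (SDM). The table contents, column names, masking rules and the caller-role check are constructed assumptions.

```python
import copy

# Constructed data container: a "customers" table held as a list of rows.
# The card numbers are well-known test numbers; the e-mail addresses are fabricated.
ORIGINAL_TABLE = [
    {"id": 1, "name": "Alice", "card": "4111111111111111", "email": "alice@example.com"},
    {"id": 2, "name": "Bob", "card": "5500000000000004", "email": "bob@example.com"},
]

SENSITIVE_COLUMNS = ("card", "email")

def mask_value(column: str, value: str) -> str:
    """Length-preserving masking: keep the shape, hide the identifying part."""
    if column == "card":
        return "*" * (len(value) - 4) + value[-4:]   # show the last four digits only
    if column == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return value

def mask_row(row: dict) -> dict:
    return {k: mask_value(k, v) if k in SENSITIVE_COLUMNS else v for k, v in row.items()}

def dynamic_query(table: list, where, caller_role: str) -> list:
    """DDM: masking is triggered by the query and applied to the result set only
    (the data being put in use / in motion); the stored container is untouched,
    and a privileged role can still see the original items."""
    rows = [r for r in table if where(r)]
    if caller_role == "dba":
        return rows
    return [mask_row(r) for r in rows]

def static_copy(table: list) -> list:
    """SDM: a masked copy of the container is produced before any use, e.g. for
    a test database. Nothing in the copy can be unmasked, whoever queries it later."""
    return [mask_row(r) for r in copy.deepcopy(table)]
```

Under DDM the original item still exists wherever the container is stored, so access control on the container remains necessary; under SDM the copy carries no original item at all, which is why it suits environments with weaker access control.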

personally identifiable information
Definition of PII : information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

personal identifier
Definition of PID : a subset of PII data elements that identify a unique individual and permit other individuals to deduce that individual’s identity even without that individual’s knowledge or consent.

sensitive data detection
Definition of SDD: automated processes for detecting data items that present sensitive data, by means of specialized Data loss prevention software.


data life-cycle
 * definitions: Wikipedia: information life-cycle, system life-cycle
 * usage: Wikipedia: Data management, Data administration, Cybermethodology

FCI
Microsoft Server "File Classification Infrastructure" and "Data Classification Toolkit"


RMS viewer
 * rmsviewer.com (free): only mobile, multi-platform: (iTunes) AppStore, Google Play (Android), Windows Store, (Blackberry) App World
 * Microsoft (download, free): only mobile and OS X: "... You can download the Active Directory Rights Management Services (AD RMS) mobile device extension from the Microsoft Download Center and install this extension on top of an existing AD RMS deployment. This lets users who have mobile devices and Mac computers protect and consume sensitive data when their device supports the latest RMS client and uses RMS-enlightened apps. ..."
 * Apple (iTunes, free): only OS X 10.6 or later

Information-centric security
 * policies
 * data obfuscation (Wikipedia: Data masking), FPE (Wikipedia: Format-preserving encryption)

DCS for data bases
 * cell-level access

DCS for e-mails

 * standard e-mail encryption, e.g. using STARTTLS technology (transport encryption, i.e. protection of the message only while in motion between mail servers)
 * identity-based encryption (IBE) (Wikipedia: ID-based encryption), e.g. using HP Voltage technology

DCS for documents
 * on premise: Microsoft (AD RMS), Adobe
 * clouds: Microsoft Azure RMS

Categories: Security, Data security, Data protection, Information privacy, Information sensitivity, Regulatory compliance