Data-in-Use covers data being processed (i.e., updated, erased, accessed or read) by a system. Data-In-Use is not passively stored, but is actively moving through parts of a Computing Platform (e.g., Central Processing Unit (CPU), Dynamic Random Access Memory (DRAM), Data Bus). Data-In-Use is one of three states of digital data; the other states are Data-at-Rest and Data-in-Motion.
Data States identify Endpoints where data should be encrypted. In addition to encryption, some important ways that Data-In-Use is protected include user authentication at all stages, strong identity management and well-maintained permissions for profiles within an organization.
Examples of Data-In-Use include data stored or processed in Random Access Memory (RAM), Datastores, CPUs or Buses. Requesting access to transaction history on a banking website or authorizing user login input are examples of Data-In-Use.
Many problems occurring during Data-In-Use operations are traceable to Runtime Errors or Logic Errors. Although Runtime Errors can crash the Application or even the system it runs on, Logic Errors are pernicious in that they can often go undetected for a long time and leave a system Vulnerable to attacks. See Common Weakness Enumeration (CWE) for more details. At this time, there are 900+ weaknesses that can lead to Vulnerabilities.
Logic Errors typically have no externally visible symptoms, such as a program or system crash, and the errors might only occur when the conditions are right. For example, what happens when values are zero, or at the min or max of their data ranges? What happens if a very large string is passed into the software? So, it is important to perform not just Black Box Testing but also White Box Testing, where the internals of the Application along with its limits are known, in order to design tests for both its normal and marginal areas.
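The boundary cases described above, as an added C example that is not part of the original page; the function names, the 16-byte header and the 64-character field limit are assumptions made for illustration. The unchecked size calculation is a Logic Error that passes tests with ordinary values and only misbehaves at the maximum of its data range, and it is shown beside a checked form and a bounded length check for very large strings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_BYTES  16u   /* assumed fixed header size */
#define MAX_FIELD_LEN 64u   /* assumed upper bound for a text field */

/* Logic error: never crashes, but for large counts the product wraps
 * around and the caller is told that a tiny buffer is sufficient. */
size_t total_bytes_unchecked(size_t count, size_t record_size)
{
    return HEADER_BYTES + count * record_size;
}

/* Hardened form: rejects inputs whose true size does not fit in size_t. */
bool total_bytes_checked(size_t count, size_t record_size, size_t *out)
{
    if (record_size != 0 && count > (SIZE_MAX - HEADER_BYTES) / record_size)
        return false;
    *out = HEADER_BYTES + count * record_size;
    return true;
}

/* Accepts a string only if it terminates within MAX_FIELD_LEN characters;
 * stops scanning at the limit, so a very large input costs a bounded read. */
bool field_len_ok(const char *s)
{
    if (s == NULL)
        return false;
    for (size_t i = 0; i <= MAX_FIELD_LEN; i++)
        if (s[i] == '\0')
            return true;
    return false;
}

int main(void)
{
    size_t wrap = SIZE_MAX / 8 + 1;   /* constructed boundary input */
    size_t out = 0;

    /* A black-box test with ordinary values sees nothing wrong. */
    printf("typical:   %zu\n", total_bytes_unchecked(10, 8));
    /* A white-box test at the edge of size_t exposes the wrapped result. */
    printf("unchecked: %zu\n", total_bytes_unchecked(wrap, 8));
    printf("checked:   %s\n",
           total_bytes_checked(wrap, 8, &out) ? "accepted" : "rejected");
    return 0;
}
```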
Given that Data-In-Use is directly accessible by one or more users, data in this state is vulnerable to attacks and exploits. Additionally, security risks become greater as permissions and devices increase. Oftentimes, Data-In-Use can contain digital certificates, Encryption keys, and Intellectual Property (IP), which make it crucial for businesses to monitor data in this state. Common practices for protecting Data-In-Use are defined under Securability and include:
Practice | Description |
---|---|
Physical Security | Physical Security is essential while data is being processed. Often, the Cipher Data is decrypted to Plaintext during processing. The decrypted data can leave residues behind in on-line and off-line storage, as well as in memory after the processing is complete. Therefore, when it is not possible to guarantee physical security, steps should be taken to prevent: |
Data Security | Data Security is the process of protecting data from unauthorized access and data corruption by using an Encryption Algorithm to encrypt data throughout its lifecycle, especially while the data is in use. Encryption can be any combination of Hashing, tokenization, and Key Management practices that protect data across all Applications and Platforms. With the rise of Decentralized and Distributed systems, it is no longer possible to trust all the parts of a Software Stack and Solution Stack, especially devices such as: Network Device, Mobile Device, Peripheral Device, Storage Device, or Web Service. Each Web Service also represents a stack of additional components, such as: Apache CloudStack, LAMP (Linux, Apache, MySQL, PHP/Perl/Python), Oracle Cloud Stack, Web Service Protocol Stack. Each of these components, the connections and the Network devices, represents a risk, especially when Instrumentation for monitoring of the component is added to the mix. For example, using a Debugger tool is useful during development for observing the state of the component, but those features leave vulnerabilities that can expose sensitive information. See the MITRE Common Weakness Enumeration (CWE) list. The following are approaches to help solve some of these problems: |
Network Security | Network Security covers all Network Devices and is an overarching term describing the policies and procedures implemented by a network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources. This means that well-implemented network security blocks viruses, Malicious Software (Malware), hackers, etc. from accessing or altering secure information. Many of these goals can be achieved by having: |
Platform Security | Platform Security is the security architecture covering Hardware (H/W) and Software (SW) for the entire Computing Platform Stack, including: Hardware Platform, Operating System Platform, Runtime Platform, and Network Platform. Many of these goals can be achieved by considering: |
Application Security | Application Security is the Business Process of developing, adding, and testing security features within applications to prevent security Vulnerabilities against cyberthreats such as unauthorized access and modification. Application Security describes security measures in the Application that aim to prevent data or code within the Application from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect Applications after deployment. Application Security covers Hardware (H/W), Software (SW), and Business Processes to minimize security Vulnerabilities. Application Security also covers any security measures added to or integrated into the Application. For example, the use of a Software Firewall. |
Security Culture | CyberSecurity Culture (CSC) of organizations refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding Cybersecurity and how these manifest in people’s behavior with information technologies. CyberSecurity Culture (CSC) is about making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions. Some common tools to help create a good Security Culture are: |
Data Logging | Data Logging (also known as Logging) is the process of creating a Log, which is the automatic production of time-stamped documentation for events relevant to a particular system. There are many tools available to help with Logging; some are Technical Standards and some are de facto Standards: |
Access Control | Access Control defines a set of controls restricting access to resources based on the group membership, identity, clearance, physical & logical location, and need-to-know. In other words, it provides the Authorization for access to resources. Additionally, access includes a method of permission to consume, enter, control, restrict, use and protect the resource to guarantee: Availability, Confidentiality, and Integrity. Some of the more traditional resources requiring Access Control are: Memory and Storage, Peripheral Device, Central Processing Unit (CPU), Heap Memory, Stack Memory, Non-Volatile Storage (NVS), and Network Interface Card (NIC). Many of these goals can be achieved by considering: |
Identification and Authentication | Identification and Authentication are the basis for access to the system. Recently, a new Data State has been added called Data-in-Use. In many ways, it is harder to use Identification and Authentication with Data-in-Use than with Data-at-Rest or Data-in-Motion because processing the Data generally requires a Cryptographic Algorithm to decrypt the Data. The use of Protection Rings can help, but at each level there is still a need to identify and authenticate the request. The following are some of the ways to establish the identity of an entity and Authenticate the entity making the request: |