Differences

This shows you the differences between two versions of the page.

--- dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use [2022/01/21 07:54]
nick
+++ dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use [2022/05/27 20:00] (current)
nick grammar
@@ Line 1: / Line 1: @@
-====== 2.3.4.2.3 Data-In-Use ======
+====== 2.3.4.2.3 Data-in-Use ======
 [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:start| Return to State of Data Taxonomy]]
 ===== Overview =====
+[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use | Return to Top]]
-[[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] covers data being processed (i.e., updated, processed, erased, accessed or read) by a system. Data-In-Use is not passively stored, but is actively moving through parts of a [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]]. Data-In-Use is one of three states of digital data -- the other states are [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:rest | Data-at-Rest]] and [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:motion | Data-in-Motion]].
+[[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] covers data being processed (i.e., updated, processed, erased, accessed or read) by a system. Data-In-Use is not passively stored, but is actively moving through parts of a [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] (i.e., [[dido:public:ra:xapend:xapend.a_glossary:c:cpu]], [[dido:public:ra:xapend:xapend.a_glossary:d:dram]], [[dido:public:ra:xapend:xapend.a_glossary:b:bus | Data Bus]], etc). **Data-In-Use** is one of three states of digital data -- the other states are [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_at_rest | Data-at-Rest]] and [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_motion | Data-in-Motion]].
-Data states are used by information security professionals to identify [[dido:public:ra:xapend:xapend.a_glossary:e:endpoint | Endpoints]] where data should be encrypted. In addition to encryption, some important ways that Data-In-Use is protected include user authentication at all stages, strong identity management and well-maintained permissions for profiles within an organization.
+Data States identify [[dido:public:ra:xapend:xapend.a_glossary:e:endpoint | Endpoints]] where data should be [[dido:public:ra:xapend:xapend.a_glossary:e:encryption| encrypted]]. In addition to encryption, some important ways that Data-In-Use is protected include user authentication at all stages, strong identity management and well-maintained permissions for profiles within an organization.
-Examples of Data-In-Use include data stored or processed in [[dido:public:ra:xapend:xapend.a_glossary:r:computermemory]], [[dido:public:ra:xapend:xapend.a_glossary:d:datastore | Datastores]] or [[dido:public:ra:xapend:xapend.a_glossary:c:cpu | CPUs]]. Requesting access to transaction history on a banking website or authorizing user login input are applications of Data-In-Use.
+Examples of **Data-In-Use** include data stored or processed in [[dido:public:ra:xapend:xapend.a_glossary:r:computermemory]], [[dido:public:ra:xapend:xapend.a_glossary:d:datastore | Datastores]], [[dido:public:ra:xapend:xapend.a_glossary:c:cpu | CPUs]] or [[dido:public:ra:xapend:xapend.a_glossary:b:bus | Buses]]. Requesting access to transaction history on a banking website or authorizing user login input are examples of Data-In-Use.
-==== Datatype Issues for Data-In-Use ====
+===== Datatype Issues =====
+[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use | Return to Top]]
+Many problems occurring during **Data-In-Use** operations are traceable to [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:10_errors:start#runtime_errors | Runtime Errors]] or [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:10_errors:start#logic_errors | Logic Errors]]. Although Runtime Errors can cause crashes to the Application or even the system they run on, Logic Errors are pernicious in that often they can go undetected for a long time and leave a system [[dido:public:ra:xapend:xapend.a_glossary:v:vulnerable]] to attacks. See [[dido:public:ra:xapend:xapend.a_glossary:c:cwe]] for more details. At this time, there are 900+ weakness that can lead to Vulnerabilities.
-==== Security of Data-In-Use ====
+**Logic Errors** typically have no externally visible issues, such as a program or system crash, but the errors might only occur when the conditions are right. For example, what happens when values are zero, or at the min or max of their data ranges? What happens if a very large string is passed into the software? So, it is not just important to perform [[dido:public:ra:xapend:xapend.a_glossary:b:blackboxtesting]] but also [[dido:public:ra:xapend:xapend.a_glossary:w:whiteboxtesting]] where the internals of the Application along with its limits are known in order to design tests for both its normal and marginal areas.
-Due to Data-In-Use being directly accessible by one or more users, data in this state is vulnerable to attacks and exploits. Additionally, security risks become greater as the permissions and devices increase. Oftentimes, Data-In-Use can contain digital certificates, [[dido:public:ra:xapend:xapend.a_glossary:e:encryption]] keys, and [[dido:public:ra:xapend:xapend.a_glossary:i:intelp]] which make it crucial for businesses to monitor. Common practices for protecting Data-In-Use are defined under [[dido:public:ra:1.4_req:2_nonfunc:25_security | Securability ]] and include:
+==== DIDO Specifics ====
+[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use | Return to Top]]
+===== Security Issues =====
+[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use | Return to Top]]
+Given that Data-In-Use is directly accessible by one or more users, data in this state is vulnerable to attacks and exploits. Additionally, security risks become greater as permissions and devices increase. Oftentimes, Data-In-Use can contain digital certificates, [[dido:public:ra:xapend:xapend.a_glossary:e:encryption]] keys, and [[dido:public:ra:xapend:xapend.a_glossary:i:intelp]], which make it crucial for businesses to monitor data in this state. Common practices for protecting Data-In-Use are defined under [[dido:public:ra:1.4_req:2_nonfunc:25_security |Securability ]] and include:
 ^ Physical Security | <WRAP>
@@ Line 25: / Line 34: @@
 [[dido:public:ra:xapend:xapend.a_glossary:d:datasecurity]] is the process of protecting data from unauthorized access and data corruption by using a [[dido:public:ra:xapend:xapend.a_glossary:e:encryption_algorithm]] to [[dido:public:ra:xapend:xapend.a_glossary:e:encryption | encrypt]] data throughout its lifecycle especially while the data is **in use**. Encryption can be any combination of [[dido:public:ra:xapend:xapend.a_glossary:h:hashing]], tokenization, and [[dido:public:ra:xapend:xapend.a_glossary:k:key_management]] practices that protect data across all [[dido:public:ra:xapend:xapend.a_glossary:a:application | Applications]] and [[dido:public:ra:xapend:xapend.a_glossary:p:platform | Platforms]].
-With the rise of Decentralized and Distribute systems, it is no longer possible to trust all the parts of a [[dido:public:ra:xapend:xapend.a_glossary:s:sw_stack]] and [[dido:public:ra:xapend:xapend.a_glossary:s:solution_stack]] especially devices such as:
+With the rise of Decentralized and Distributed systems, it is no longer possible to trust all the parts of a [[dido:public:ra:xapend:xapend.a_glossary:s:sw_stack]] and [[dido:public:ra:xapend:xapend.a_glossary:s:solution_stack]] especially devices such as:
 [[dido:public:ra:xapend:xapend.a_glossary:n:netdev]],
 [[dido:public:ra:xapend:xapend.a_glossary:m:mobile]],
 [[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]], or
 [[dido:public:ra:xapend:xapend.a_glossary:s:storagedevice]],
-[[dido:public:ra:xapend:xapend.a_glossary:w:web_service]]. Also, each Web Service also represent a stack of more components, such as: [[https://cloudstack.apache.org/ | Apache CloudStack]],
+[[dido:public:ra:xapend:xapend.a_glossary:w:web_service]]. Also, each Web Service also represents a stack of additional components, such as: [[https://cloudstack.apache.org/ | Apache CloudStack]],
 [[https://en.wikipedia.org/wiki/LAMP_(software_bundle)                                             | LAMP (Linux, Apache, MySQL, PHP/Perl/Python) ]],
 [[https://docs.oracle.com/en/cloud/paas/cloud-stack-manager/csmug/oracle-cloud-stack-manager.html  | Oracle Cloud Stack ]],
-[[https://www.ibm.com/docs/en/sc-and-ds/8.2.2?topic=services-web-service-protocol-stack            | Web Service Protocol Stack]]. Each of these components, the connections and  the [[dido:public:ra:xapend:xapend.c_hwarch:network | Network devices]] represent a risk, especially when [[dido:public:ra:xapend:xapend.a_glossary:i:instrumentation]] for monitoring of the component is added to the mix. For example, using a [[dido:public:ra:xapend:xapend.a_glossary:d:debugger]] tool is useful during development for observing the state of the component, but those features leave vulnerabilities for exposing sensitive information. See [[https://cwe.mitre.org/ | MITRE Common Weakness Enumeration (CWE)]] list.
+[[https://www.ibm.com/docs/en/sc-and-ds/8.2.2?topic=services-web-service-protocol-stack            | Web Service Protocol Stack]]. Each of these components, the connections and  the [[dido:public:ra:xapend:xapend.c_hwarch:network | Network devices]], represent a risk, especially when [[dido:public:ra:xapend:xapend.a_glossary:i:instrumentation]] for monitoring of the component is added to the mix. For example, using a [[dido:public:ra:xapend:xapend.a_glossary:d:debugger]] tool is useful during development for observing the state of the component, but those features leave vulnerabilities for exposing sensitive information. See the [[https://cwe.mitre.org/ | MITRE Common Weakness Enumeration (CWE)]] list.
-The following are approaches to helping solve some of these problems:
+The following are approaches to help solve some of these problems:
   * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]]
@@ Line 43: / Line 52: @@
   * [[dido:public:ra:xapend:xapend.a_glossary:s:secme]]
   * [[dido:public:ra:xapend:xapend.a_glossary:f:fme]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:t:tme]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:s:sgx]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:m:mpc]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:t:tresor]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:h:homomorphic_encryption]]
   * [[https://cwe.mitre.org/data/definitions/215.html | CWE-215]]: Insertion of Sensitive Information into Debugging Code - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
   * [[https://cwe.mitre.org/data/definitions/489.html | CWE-489]]: Active Debug Code - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
@@ Line 72: / Line 86: @@
   * [[dido:public:ra:xapend:xapend.a_glossary:f:fde]]
   * [[dido:public:ra:xapend:xapend.a_glossary:f:fme]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:t:tme]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:s:sgx]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:m:mpc]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:t:tresor]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:h:homomorphic_encryption]]
   * [[dido:public:ra:xapend:xapend.a_glossary:a:authorization]] of [[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]] such as:
     * [[dido:public:ra:xapend:xapend.a_glossary:g:geolocation]] services
@@ Line 99: / Line 118: @@
   * [[https://cwe.mitre.org/data/definitions/1295.html | CWE-1295]]: Debug Messages Revealing Unnecessary Information - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
 </WRAP>|
-^ Securty Culture | <WRAP>
+^ Security Culture | <WRAP>
 [[dido:public:ra:xapend:xapend.a_glossary:c:securityculture]] **CyberSecurity Culture (CSC)** of organizations refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding  [[dido:public:ra:xapend:xapend.a_glossary:c:cyber_security]] and how these manifest in people’s behavior with information technologies. **CyberSecurity Culture (CSC)** is about making [[dido:public:ra:xapend:xapend.a_glossary:i:is|information security]] considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.
-Some common tools to help create a good Securty Culture are:
+Some common tools to help create a good Security Culture are:
   * [[dido:public:ra:xapend:xapend.a_glossary:b:biometrics]]
@@ Line 131: / Line 150: @@
 </WRAP>|
 ^ Access Control | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]] defines a set of controls restricting access to resources based on the group membership, identity, clearance, physical & logical location and need-to-know. In addition, access includes method of permission to consume, enter, control, restrict, use and protect the resource to guarantee: Availability, Confidentiality, and Integrity.
+[[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]] defines a set of controls restricting access to resources based on the group membership, identity, clearance, physical & logical location, and need-to-know. In other words, it provides the [[dido:public:ra:xapend:xapend.a_glossary:a:authorization]] for access to resources. Additionally, access includes a method of permission to consume, enter, control, restrict, use and protect the resource to guarantee: Availability, Confidentiality, and Integrity.
 Some of the more traditional resources requiring **Access Control** are:
@@ Line 148: / Line 167: @@
   * [[dido:public:ra:xapend:xapend.b_stds:tech:oasis:xacml | eXtensible Access Control Markup Language (XACML) ]]
   * [[dido:public:ra:xapend:xapend.a_glossary:p:pbms]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:policy#definition_2_security]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:p:policy#definition_2_security | Security Policy ]]
   * [[dido:public:ra:xapend:xapend.a_glossary:p:pdp]]
   * [[dido:public:ra:xapend:xapend.a_glossary:p:pep]]
@@ Line 158: / Line 177: @@
 </WRAP>|
-^ Inentification, Authetication and Authetication | <WRAP>
+^ Identification and Authentication | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:a:authentication]]
+[[dido:public:ra:xapend:xapend.a_glossary:i:identification]] and
+[[dido:public:ra:xapend:xapend.a_glossary:a:authentication]] are the basis for access to the system. Recently, a new Data State has been added called [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]]. In many ways, it is harder to to use Identification and Authentication than with
+[[dido:public:ra:xapend:xapend.a_glossary:d:dataatrest]] or [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_motion]] because processing the **Data** generally requires processing a [[dido:public:ra:xapend:xapend.a_glossary:c:cryptographic_algorithm]] to [[dido:public:ra:xapend:xapend.a_glossary:d:decryption | decrypt]] the **Data**. The use of [[dido:public:ra:xapend:xapend.a_glossary:p:protection_ring | Protection Rings]] can help, but at each level there is still a need to identify and authenticate the request.
-Protecting [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:rest]] is far easier than protecting [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] -- information that is being processed, accessed or read -- and data in motion -- information that is being transported between systems.
+The following are some of the ways to establish the identity of an entity and Authenticate the entity making the request.
-The best way to secure data in use is to restrict access by user role, limiting system access to only those who need it. Even better would be to get more granular and restrict access to the data itself.
+  * [[dido:public:ra:xapend:xapend.a_glossary:i:identification]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:a:authentication]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:p:password]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:p:pin]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:m:mfa]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:o:otp]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:t:2fa]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:b:biometric_authentication]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:i:id]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:h:hash_key]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:s:ssi]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:d:did]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:u:url]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:u:uri]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:q:qr_code]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:b:barcode]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:u:uuid]]
+  * [[dido:public:ra:xapend:xapend.a_glossary:f:figi]]
-This can be accomplished by only enabling access to specific data sets and fields or through the obfuscation of data not needed prior to analysis in other applications. The use of metadata, as opposed to raw data, can also help prevent sensitive information from leaking.
+</WRAP>|
-Encryption plays a major role in protecting data in use or in motion. Data should always be encrypted when it's traversing any external or internal networks. This includes encrypting all data prior to transport or using protected tunnels, such as HTTPS or SSL/Transport Layer Security. Encrypted tunnels, such as VPNs and Generic Routing Encapsulation, are also potential options.
+==== DIDO Specifics ====
+[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_use | Return to Top]]
-One final tip to secure data in use or in motion is to provide proper visibility for breach detection purposes. Advancements in AI security tools that ingest network telemetry data and then analyze it to spot anomalies in data access behavior can identify threats, determine the extent of damage and provide actionable insights on how to stop further data loss. Modern AI and security analytics tools, such as network detection and response and AI for IT operations platforms, are great ways to gain the proper level of visibility without requiring large amounts of time from an administrative perspective.
-Next Steps
-ITOps security requires attention to training
-enterprise database security best practices
-Protect against evolving data security threats
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:sgx]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:m:mpc]]
-</WRAP>|
+<color blue><todo @char #char:2022-03-17>New section - review </todo></color>
 /**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DIDO Wiki

User Tools

Site Tools

Differences

Page Tools