Differences

This shows you the differences between two versions of the page.

--- dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:processing [2022/01/27 12:48]
nick removed
+++ — (current)
@@ Line 1: / Line 1: @@
-====== 2.3.4.2.3 Data-In-Use ======
-[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:start| Return to State of Data Taxonomy]]
-===== Overview =====
-[[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]] covers data being processed (i.e., updated, processed, erased, accessed or read) by a system. Data-In-Use is not passively stored, but is actively moving through parts of a [[dido:public:ra:xapend:xapend.a_glossary:c:computerplaform]] (i.e., CPU, Memory, Data Bus, etc). **Data-In-Use** is one of three states of digital data -- the other states are [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_at_rest | Data-at-Rest]] and [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_in_motion | Data-in-Motion]].
-Data States identify [[dido:public:ra:xapend:xapend.a_glossary:e:endpoint | Endpoints]] where data should be [[dido:public:ra:xapend:xapend.a_glossary:e:encryption| encrypted]]. In addition to encryption, some important ways that Data-In-Use is protected include user authentication at all stages, strong identity management and well-maintained permissions for profiles within an organization.
-Examples of **Data-In-Use** include data stored or processed in [[dido:public:ra:xapend:xapend.a_glossary:r:computermemory]], [[dido:public:ra:xapend:xapend.a_glossary:d:datastore | Datastores]], [[dido:public:ra:xapend:xapend.a_glossary:c:cpu | CPUs]] or [[dido:public:ra:xapend:xapend.a_glossary:b:bus | Buses]]. Requesting access to transaction history on a banking website or authorizing user login input are examples of Data-In-Use.
-===== Datatype Issues =====
-Many problems occurring during **Data-In-Use** opertions are traceable to [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:10_errors:start#runtime_errors | Runtime Errors]] or [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:10_errors:start#logic_errors | Logic Errors]]. Allthough Runtime Errors can cause crashes to the Aplication or even the system they run on, the Logic Errors are pernicious in that often they can go undetected for a long time and can leave a system [[dido:public:ra:xapend:xapend.a_glossary:v:vulnerable]] to attacks. See [[dido:public:ra:xapend:xapend.a_glossary:c:cwe]] for more detals. At this time there are 900+ weakness that can lead to Vulnerabilities.
-**Logic Errors** often have no externally visible issues such as a program or system crash, but the errors might only occur when the conditions are right. For example, what hppens when values are zero, or at the min or max of theior data ranges. What happens if a very large string is passed into the software. So, it is not just important to perform [[dido:public:ra:xapend:xapend.a_glossary:b:blackboxtesting]] but also [[dido:public:ra:xapend:xapend.a_glossary:w:whiteboxtesting]] where the internals of the Application are known and the limits are know to design tests at these marginal areas.
-===== Security Issues =====
-Due to Data-In-Use being directly accessible by one or more users, data in this state is vulnerable to attacks and exploits. Additionally, security risks become greater as the permissions and devices increase. Oftentimes, Data-In-Use can contain digital certificates, [[dido:public:ra:xapend:xapend.a_glossary:e:encryption]] keys, and [[dido:public:ra:xapend:xapend.a_glossary:i:intelp]] which make it crucial for businesses to monitor. Common practices for protecting Data-In-Use are defined under [[dido:public:ra:1.4_req:2_nonfunc:25_security | Securability ]] and include:
-^ Physical Security | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:p:physicalsecurity]] is essential while data is being processed. Often, the [[dido:public:ra:xapend:xapend.a_glossary:c:cipher | Cipher Data]] is decrypted to [[dido:public:ra:xapend:xapend.a_glossary:p:plaintext]] during processing. The decrypted data can leave residues behind in on-line and off-line storage, as well as in memory after the processing is complete.  Therefore, when it is not possible to guarantee physical security, steps be taken to prevent:
-  * [[dido:public:ra:xapend:xapend.a_glossary:c:coldboot_atack]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:d:data_remanence]]
-</WRAP>|
-^ Data Security | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:d:datasecurity]] is the process of protecting data from unauthorized access and data corruption by using a [[dido:public:ra:xapend:xapend.a_glossary:e:encryption_algorithm]] to [[dido:public:ra:xapend:xapend.a_glossary:e:encryption | encrypt]] data throughout its lifecycle especially while the data is **in use**. Encryption can be any combination of [[dido:public:ra:xapend:xapend.a_glossary:h:hashing]], tokenization, and [[dido:public:ra:xapend:xapend.a_glossary:k:key_management]] practices that protect data across all [[dido:public:ra:xapend:xapend.a_glossary:a:application | Applications]] and [[dido:public:ra:xapend:xapend.a_glossary:p:platform | Platforms]].
-With the rise of Decentralized and Distribute systems, it is no longer possible to trust all the parts of a [[dido:public:ra:xapend:xapend.a_glossary:s:sw_stack]] and [[dido:public:ra:xapend:xapend.a_glossary:s:solution_stack]] especially devices such as:
-[[dido:public:ra:xapend:xapend.a_glossary:n:netdev]],
-[[dido:public:ra:xapend:xapend.a_glossary:m:mobile]],
-[[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]], or
-[[dido:public:ra:xapend:xapend.a_glossary:s:storagedevice]],
-[[dido:public:ra:xapend:xapend.a_glossary:w:web_service]]. Also, each Web Service also represent a stack of more components, such as: [[https://cloudstack.apache.org/ | Apache CloudStack]],
-[[https://en.wikipedia.org/wiki/LAMP_(software_bundle)                                             | LAMP (Linux, Apache, MySQL, PHP/Perl/Python) ]],
-[[https://docs.oracle.com/en/cloud/paas/cloud-stack-manager/csmug/oracle-cloud-stack-manager.html  | Oracle Cloud Stack ]],
-[[https://www.ibm.com/docs/en/sc-and-ds/8.2.2?topic=services-web-service-protocol-stack            | Web Service Protocol Stack]]. Each of these components, the connections and  the [[dido:public:ra:xapend:xapend.c_hwarch:network | Network devices]] represent a risk, especially when [[dido:public:ra:xapend:xapend.a_glossary:i:instrumentation]] for monitoring of the component is added to the mix. For example, using a [[dido:public:ra:xapend:xapend.a_glossary:d:debugger]] tool is useful during development for observing the state of the component, but those features leave vulnerabilities for exposing sensitive information. See [[https://cwe.mitre.org/ | MITRE Common Weakness Enumeration (CWE)]] list.
-The following are approaches to helping solve some of these problems:
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:z:zero-trust_model]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:z:zta]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tor]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:secme]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:f:fme]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tme]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:sgx]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:m:mpc]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tresor]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:h:homomorphic_encryption]]
-  * [[https://cwe.mitre.org/data/definitions/215.html | CWE-215]]: Insertion of Sensitive Information into Debugging Code - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
-  * [[https://cwe.mitre.org/data/definitions/489.html | CWE-489]]: Active Debug Code - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
-  * [[https://cwe.mitre.org/data/definitions/1295.html | CWE-1295]]: Debug Messages Revealing Unnecessary Information - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
-</WRAP>|
-^ Network Security | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:n:networksecurity]] covers all [[dido:public:ra:xapend:xapend.a_glossary:n:netdev]] and is an over-arching term describing the [[dido:public:ra:xapend:xapend.a_glossary:p:p_p|policies and procedures]] implemented by a network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources.
-This means that a well-implemented network security blocks viruses, [[dido:public:ra:xapend:xapend.a_glossary:m:malware]], hackers, etc. from accessing or altering secure information. Many of these goals can be achieved by having:
-  * [[dido:public:ra:xapend:xapend.a_glossary:h:hardwarefirewall]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:h:https]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:ssl]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tls]]
-</WRAP>|
-^ Platform Security | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:p:platformsecurity]] is the security architecture covering [[dido:public:ra:xapend:xapend.a_glossary:h:hardware]], and
-[[dido:public:ra:xapend:xapend.a_glossary:s:software]] for the entire [[dido:public:ra:1.4_req:1_func:platform | Computing Platform Stack]], including:
-[[dido:public:ra:1.4_req:1_func:platform:hw_arch | Hardware Platform]],
-[[dido:public:ra:1.4_req:1_func:platform:os_arch | Operating System Platform]],
-[[dido:public:ra:1.4_req:1_func:platform:sw_arch | Runtime Platform]], and
-[[dido:public:ra:1.4_req:1_func:platform:net_arch| Network Platform]].
-Many of these goals can be achieved by considering:
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:acl]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:f:fde]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:f:fme]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tme]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:sgx]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:m:mpc]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:tresor]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:h:homomorphic_encryption]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:authorization]] of [[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]] such as:
-    * [[dido:public:ra:xapend:xapend.a_glossary:g:geolocation]] services
-    * [[dido:public:ra:xapend:xapend.a_glossary:b:bluetooth]]
-    * [[dido:public:ra:xapend:xapend.a_glossary:t:tcp]] networks
-    * [[dido:public:ra:xapend:xapend.a_glossary:w:wireless]]
-    * [[dido:public:s_cli:05_contents:01_prt:03_langconst:07_memandstor:start | Memory and Storage]]
-</WRAP> |
-^ Application Security | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity]] is the [[dido:public:ra:xapend:xapend.a_glossary:b:business_process]] of developing, adding, and testing security features within applications to prevent security [[dido:public:ra:xapend:xapend.a_glossary:v:vulnerability | Vulnerabilities]] against cyberthreats such as unauthorized access and modification.
-Application Security describes security measures in the [[dido:public:ra:xapend:xapend.a_glossary:a:application|Application]] that aim to prevent data or code within the Application from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect Applications after deployment.
-**Application Security** covers [[dido:public:ra:xapend:xapend.a_glossary:h:hardware]], [[dido:public:ra:xapend:xapend.a_glossary:s:software]], and [[dido:public:ra:xapend:xapend.a_glossary:b:business_process | Business Processes]] to minimize security [[dido:public:ra:xapend:xapend.a_glossary:v:vulnerability | Vulnerabilities]]. **Application Security** also covers any security measures added-to or integrated-into the Appication. For example, the use of a [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]].
-  : **Note:** The use of the word Application here should not beconfused with OSI [[dido:public:ra:xapend:xapend.a_glossary:a:applayer]] or the [[dido:public:ra:xapend:xapend.a_glossary:t:tcp_concept_model]] Application Level.
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:softwarefirewall]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:authentication]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:m:mfa]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:o:otp]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:2fa]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:n:n-tier]]
-  * [[https://cwe.mitre.org/data/definitions/215.html | CWE-215]]: Insertion of Sensitive Information into Debugging Code - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
-  * [[https://cwe.mitre.org/data/definitions/489.html | CWE-489]]: Active Debug Code - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
-  * [[https://cwe.mitre.org/data/definitions/1295.html | CWE-1295]]: Debug Messages Revealing Unnecessary Information - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
-</WRAP>|
-^ Securty Culture | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:c:securityculture]] **CyberSecurity Culture (CSC)** of organizations refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding  [[dido:public:ra:xapend:xapend.a_glossary:c:cyber_security]] and how these manifest in people’s behavior with information technologies. **CyberSecurity Culture (CSC)** is about making [[dido:public:ra:xapend:xapend.a_glossary:i:is|information security]] considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.
-Some common tools to help create a good Securty Culture are:
-  * [[dido:public:ra:xapend:xapend.a_glossary:b:biometrics]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:i:identification]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:n:nda]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:d:dlp]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:d:data_retention_policy]]
-  * [[dido:public:ra:xapend:xapend.b_stds:defact:todo:start | Talk Openly Develop Openly (TODO)]]
-  * [[dido:public:ra:1.3_gov:1_legaldocs:3_pp | Policies and Procedures (P&P)]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:b:bia]]
-</WRAP>|
-^ Data Logging | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:d:datalog]] (also known as **Logging**) is the process of creating a **Log** which is the automatically production of time-stamped documentation for events relevant to a particular system. There are many tools available to help with **Logging**, some are Technical Standards and some are de facto Standards:
-  * Technical Standards
-    * [[dido:public:ra:xapend:xapend.b_stds:tech:iso:customer_dispute]]
-    * [[dido:public:ra:xapend:xapend.b_stds:tech:iso:quality_monitor_and_measure]]
-    * [[dido:public:ra:xapend:xapend.b_stds:tech:ietf:syslog]]
-  * de facto Standards
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:orcle:java_logger_api]]
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:apache:log4j]]
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:apache:log4cxx]]
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:apache:log4php]]
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:apache:log4net]]
-    * [[dido:public:ra:xapend:xapend.b_stds:defact:apache:log4scala]]
-    * [[dido:public:ra:xapend:xapend.a_glossary:s:solidity_events]]
-  * Tools:
-    * [[dido:public:ra:xapend:xapend.e_tools:logging]]
-</WRAP>|
-^ Access Control | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]] defines a set of controls restricting access to resources based on the group membership, identity, clearance, physical & logical location and need-to-know. In other words, it provides the [[dido:public:ra:xapend:xapend.a_glossary:a:authorization]] for access to resources. Additionally, access includes method of permission to consume, enter, control, restrict, use and protect the resource to guarantee: Availability, Confidentiality, and Integrity.
-Some of the more traditional resources requiring **Access Control** are:
-[[dido:public:s_cli:05_contents:01_prt:03_langconst:07_memandstor:start | Memory and Storage]],
-[[dido:public:ra:xapend:xapend.a_glossary:p:peripheral_device]],
-[[dido:public:ra:xapend:xapend.a_glossary:c:cpu]],
-[[dido:public:ra:xapend:xapend.a_glossary:h:heap]],
-[[dido:public:ra:xapend:xapend.a_glossary:s:stack_memory]],
-[[dido:public:ra:xapend:xapend.a_glossary:n:nvs]], and
-[[dido:public:ra:xapend:xapend.a_glossary:n:nic]].
-Many of these goals can be achieved by considering:
-  * [[dido:public:ra:xapend:xapend.a_glossary:l:ldap]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrolfunction]]
-  * [[dido:public:ra:xapend:xapend.b_stds:tech:oasis:saml | Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML)]]
-  * [[dido:public:ra:xapend:xapend.b_stds:tech:oasis:xacml | eXtensible Access Control Markup Language (XACML) ]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pbms]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:policy#definition_2_security | Security Policy ]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pdp]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pep]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pib]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pip]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:prp]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:aec]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:acp]]
-</WRAP>|
-^ Inentification and Authetication | <WRAP>
-[[dido:public:ra:xapend:xapend.a_glossary:i:identification]],
-[[dido:public:ra:xapend:xapend.a_glossary:a:authentication]] for the basis for access to the system. Recently, a new Data State has been added called [[dido:public:ra:xapend:xapend.a_glossary:d:data_in_use]]. In many ways, it is harder to to use Identification and Authtetication than with
-[[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_at_rest]] , or [[dido:public:ra:1.2_views:3_taxonomic:4_data_tax:02_state_taxonomy:data_at_motion]] becase processing the **Data** generally requires processing a [[dido:public:ra:xapend:xapend.a_glossary:c:cryptographic_algorithm]] to [[dido:public:ra:xapend:xapend.a_glossary:d:decryption | decrypt]] the **Data**. The use of [[dido:public:ra:xapend:xapend.a_glossary:p:protection_ring | Protection Rings]] can help, but at each level there is still a need to identify and authentic the request.
-The following are some of the ways to establish the Identity of an entity and to Authenticate the entity making the request.
-  * [[dido:public:ra:xapend:xapend.a_glossary:i:identification]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:authentication]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:a:accesscontrol]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:password]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:p:pin]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:m:mfa]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:o:otp]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:t:2fa]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:b:biometric_authentication]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:i:id]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:h:hash_key]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:s:ssi]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:d:did]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:u:url]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:u:uri]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:q:qr_code]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:b:barcode]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:u:uuid]]
-  * [[dido:public:ra:xapend:xapend.a_glossary:f:figi]]
-</WRAP>|
-/**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-/* To add a discussion page to this page, comment out the line that says
-  ~~DISCUSSION:off~~
-*/
-~~DISCUSSION:on|Outstanding Issues~~
-~~DISCUSSION:off~~

DIDO Wiki

User Tools

Site Tools

Differences

Page Tools