Securing Structured Data

Editor’s Note: Read this related blog: “The Structured Future of Data Access Governance”.

There are generally two kinds of data: structured and unstructured. The oversimplification shown in Figure 1 below is essentially correct. When we say “structured data”, we usually mean traditional data that possesses an organized layout with somewhat predictable growth characteristics. For relational databases, we further assume this means spreadsheet-like tables with rows and columns (a.k.a. relations, tuples, and attributes). So, for now, let’s focus on the right-hand side of the above diagram.

What does it mean to secure structured data? While that may seem like an easy question, it is in fact far more complex than one might initially surmise. We first need to understand the fundamental nature of data. Sometimes information systems professionals can draw some very useful analogies from the hard sciences. For example, physics offers us one very useful concept – the states of matter. Figure 1 shown below is an excellent diagram that I modified from Wikipedia explaining the four states of matter.

Figure 1: The Four States of Matter

Looking at these four states, I’m going to strongly suggest that from a higher level there are just two fundamental states – bound and liberated. Bound connotes that molecular cohesion binds the matter into a semi-solid to solid state, while liberated signifies that the matter overcomes molecular cohesion to more freely “bounce around” and thus be anti-solid. It is my contention that data is like matter and that it possesses just these two fundamental states: inert (i.e. at rest) and in motion. Thus, securing data means protecting it while it exists in either state.

Basic Techniques for Protecting Structured Data at Rest

  1. Database servers housed in secure facilities to protect against theft
  2. Databases replicated geographically to protect against failure
  3. Databases residing on disks or storage that natively encrypt them
  4. The database used offers encryption of I/O blocks written to storage
  5. The database used offers compression of I/O blocks written to storage (an indirect method)

Basic Techniques for Protecting Structured Data in Motion

  1. Database servers on dedicated, isolated high-speed network fabrics (e.g. 40 GbE or InfiniBand)
  2. Databases not reachable from the outside world, or placed behind a hardened firewall for any outside access
  3. Application-to-database communications routed over a secure network protocol (e.g. SSH/SSL)
  4. The database used offers encryption of I/O blocks transmitted across the network
  5. The database used offers compression of I/O blocks transmitted across the network (an indirect method)
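Item 3 of the in-motion list is only as good as the server-side policy that enforces it. The following script is an added example, not code from the original post or its author: it audits a PostgreSQL `pg_hba.conf` (the sample file embedded below is constructed, not from any real deployment) and flags connection rules that still admit TCP sessions without TLS, or that skip authentication with `trust`. The `host`/`hostssl`/`hostnossl` rule types and the `ssl = on` setting are real PostgreSQL syntax; the database names, users and address ranges are made up.

```python
"""
Audit a PostgreSQL pg_hba.conf for rules that allow unencrypted client traffic.

pg_hba.conf rule format:  TYPE  DATABASE  USER  ADDRESS  METHOD [OPTIONS]
  - 'host'      matches TCP connections with OR without TLS  -> can be plaintext
  - 'hostnossl' matches only non-TLS TCP connections          -> always plaintext
  - 'hostssl'   matches only TLS connections (needs ssl = on in postgresql.conf)
  - 'local'     is a Unix-domain socket; nothing crosses the network
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample (hypothetical databases, users and subnets).
SAMPLE_PG_HBA = """
# TYPE    DATABASE  USER     ADDRESS          METHOD
local     all       postgres                  peer
host      all       all      127.0.0.1/32     scram-sha-256
host      all       all      ::1/128          scram-sha-256
host      sales     app      10.20.0.0/16     md5
hostssl   sales     app      10.20.0.0/16     scram-sha-256
hostnossl all       all      0.0.0.0/0        trust
hostssl   hr        hr_app   10.30.5.0/24     scram-sha-256 clientcert=verify-full
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str
    fix: str


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_loopback(address: str) -> bool:
    """Loopback-only rules cannot carry traffic over the network."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        # Hostnames and keywords such as 'samenet' are treated conservatively as non-loopback.
        return False


def audit_pg_hba(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            continue
        if len(fields) < 5:
            findings.append(Finding(line_no, line, "malformed rule (too few fields)", "review manually"))
            continue
        address, rest = fields[3], fields[4:]
        # Address may be written as 'IP/prefix' or as 'IP NETMASK' (two fields).
        if "/" not in address and rest and _is_ip(rest[0]):
            address = f"{address}/{rest[0]}"
            rest = rest[1:]
        if not rest:
            findings.append(Finding(line_no, line, "malformed rule (no auth method)", "review manually"))
            continue
        method = rest[0]
        if conn_type in ("host", "hostnossl") and not _is_loopback(address):
            findings.append(Finding(
                line_no, line,
                f"'{conn_type}' accepts TCP connections without TLS from {address}",
                "change the rule type to 'hostssl' and set ssl = on in postgresql.conf"))
        if method == "trust":
            findings.append(Finding(line_no, line,
                                    "'trust' skips authentication entirely",
                                    "use scram-sha-256 (or cert) instead"))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.reason}\n    rule: {f.rule}\n    fix:  {f.fix}")
```

On the constructed sample the audit reports the `host sales app 10.20.0.0/16` rule and both problems with the `hostnossl ... trust` rule, while the loopback rules and every `hostssl` rule pass. Remember that `hostssl` rules only take effect once `ssl = on` and a certificate/key pair are configured in `postgresql.conf`; a client can still be forced to negotiate TLS from its side, but server-side enforcement is what makes the control auditable.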

These are the high-level and obvious basics. In an upcoming series of blogs, I’ll delve into more detailed low-level techniques for securing your databases so that they can pass a basic vulnerability assessment. For now, I’ll end with this thought: even if you implemented all ten of the items listed above, you probably would not pass a vulnerability assessment examination. In fact, you might fail, and fail miserably.

At the end of this series, I will be wrapping it up in a live webinar.
