Fatskills
Study Guide: CompTIA CASP+ CAS-004 Certification: Basics of Secure Storage Controls
Source: https://www.fatskills.com/first-aid/chapter/comptia-casp-cas-004-certification-basics-of-secure-storage-controls

CompTIA CASP+ CAS-004 Certification: Basics of Secure Storage Controls

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Many organizations face the challenge of implementing protection and data security measures to meet a wide range of requirements that lie beyond regulatory compliance. Security professionals daily face the challenge of securing the application, compute, and network environment, while audit professionals are charged with verifying their success. Too often, storage security has slipped under their radar because of limited familiarity with the technology. Storage managers and administrators may be confronting these issues and technologies for the first time.

This guide highlights the basics of identifying key business drivers for data security, describes threats and attacks, summarizes security concepts and relationships, and then describes what constitutes storage security.

Most organizations are extremely dependent on digital information, which is processed electronically and transferred over local and public networks. Within these organizations, many tasks are simply not possible without information and communications technology (ICT), while others can only be partially performed without it (i.e., many enterprises are totally reliant on the correct functioning of their ICT assets). As society as a whole becomes more dependent on ICT and digital assets, the social impact of the failure of ICT resources ceases to be an inconvenience and begins to take on the character of a disaster. Few other elements of the ICT infrastructure have a more important relationship with data than storage systems and ecosystems: they are the repository. They may also be the last line of defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls.

While data is becoming an increasingly precious asset for both organizations and individuals, there are no global or national practice standards for categorizing the sensitivity and value of data beyond the following broad categories:
- Personal, private information (including personally identifiable information or PII)
- Business information
- National security (both classified and unclassified) information

Objective
Most organizations implement network security controls and perform audits and security assessments. If any component of the organization is left out, the assessment is incomplete and leaves the organization exposed. This guide presents a defense-in-depth strategy that should cover physical, virtual, cloud, and on-premises systems as well as the user devices that connect to the office network, and it presents assessment tools for performing security assessments at each of those levels.

Data classification
Data classification is a scheme by which the organization assigns a level of sensitivity to each piece of information that it owns and maintains.
Although the existence of and adherence to a formal data classification scheme is one of the foundational elements of an information security program, many organizations—even those that profess a strong commitment to protecting the company and customer information—fail to implement data classification. Common reasons include waiting for a scheme that is perfect in theory (but not practical), cost, and lack of organizational will to drive a data classification program through to full implementation. Properly valuing data and categorizing based on sensitivity helps avoid both under and over-protection.

Overprotection increases costs without accompanying value, while underprotection increases the likelihood of loss or compromise, which can affect both profitability and competitiveness. The general rule is that data should be protected in a manner that is:
- Worthy of protection (not every data item merits controls)
- Proportional to its value
- Limited to its lifetime (protection can end when the data stops being sensitive)

As an example, consider the following data security classification scheme:
- Public: Minimally sensitive data that is useful to corporate affiliates and the general public on a need-to-know basis; the protection of the data is at the discretion of the custodian (per corporate policy). Examples include building maps and business contact data in a directory.
- Sensitive: Moderately sensitive data that is useful to corporate employees and non-employees with a business need to know; the protection of the data is governed by corporate policy and contracts. Examples include information covered by non-disclosure agreements, research details, and most financial transactions.
- Restricted: Highly sensitive data that is available only to approved individuals with designated access rights and signed non-disclosure agreements; the protection of the data is mandated by law. Examples include medical records, non-public research data, most PII, and contracts.
It is important to use only a few data security classifications in order to keep the classification process manageable. Also, an organization can ease into its security classification activity by starting with “most sensitive” and “highest value”. Finally, a good data classification scheme should include a time element, to allow a piece of information to change its status on a certain date (for example, when data becomes public).

Business drivers
Organizations that proactively address their data protection and data security needs can realize tangible benefits in the form of increased customer trust, reduced losses due to fraud and theft, and competitive advantage while competitors are distracted with their own reactive security initiatives. Unfortunately, data security is not viewed as a business enabling capability by most organizations. Instead, it is viewed similar to insurance; i.e., something an organization must have in order to preserve its viability.

Consequently, the business drivers for data security tend to be defensive and reactive in nature. The following business drivers are associated with data security:
- Theft prevention: Threats of insider larceny, industrial espionage, and organized crime exploitation are on the rise. Perpetrators are often faced with poor defenses, potentially high rewards, and light penalties if caught. Increasingly, perpetrators target specific victims, as noted in the 2008 CSI/FBI report. Data security may provide enough of a deterrent that it prevents the crime altogether or makes it less rewarding.
- Prevention of unauthorized disclosure: Increasingly, data protection and privacy regulations are holding firms accountable for safeguarding their data. The unauthorized (whether intentional or accidental) disclosure of regulated data (customer records, trade secrets, business information) has resulted in serious embarrassment, significant inconveniences, and harsh penalties for organizations that do not exercise appropriate due diligence and care. This trend is expected to continue with increasingly severe penalties and expand the scope of the types of data that are explicitly regulated.
- Prevention of data tampering: Whether for purposes of theft, blackmail, deception, or malicious destruction, unauthorized modifications to data can lead to substantial financial losses and criminal prosecution under laws such as the Sarbanes-Oxley Act (SOX) if it involves financial information. An equally insidious possibility occurs in the form of a successful attack with inconclusive evidence of tampering (data may or may not have been modified) that erodes confidence in the integrity of the data.
- Prevention of accidental corruption/destruction: Increased complexity within ICT, flat or declining budgets, expanding workloads, limited expertise, and inadequate training combine to increase the likelihood of human error. Something as simple as adding a switch to a live storage network could result in a complete network outage or corruption of data in-flight if the appropriate precautions have not been taken. Mistakes within storage ecosystems can have catastrophic impacts because this is where data resides.
- Accountability: Corporate officers are being held to higher standards of accountability. For example, SOX in the U.S. makes these executives explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting. ICT lies at the foundation of an effective system of internal controls over the data used in financial reporting. These controls should include separation of duties and enforcement of least privilege policies.
- Authenticity: As more and more digital records are created, modified, processed, archived, and ultimately destroyed, there is a need to demonstrate the authenticity of some of this data at each stage in its lifecycle. To establish the authenticity of data, additional information metadata such as cryptographic hashes and secure timestamps, as well as data provenance information like transaction/change logs and conversion records must be maintained.
- Verifiable transactions: While identification, authentication, and authorization are usually considered to be technologies primarily directed at controlling who can do what to which data; they can also play a role in tracing responsibility for transactions that change sensitive data values. To fulfill this role, technologies and procedures must be strengthened to assure adequate traceability and non-repudiation of transactions. The associated records should meet the standards required for acceptance as evidence in legal proceedings.
- Business continuity: For many organizations, the availability of business-critical data along with the applications and services they support is of paramount importance. Thus, substantial resources have been dedicated to ensuring continuity of business operations in the face of limited disruption events (system failures, hacker attacks, denial of service attacks, and operator errors) and “smoking crater” events. Storage technology already figures heavily in these solutions and is expected to play an even more dominant role in the future.
- Regulatory and legal compliance: At a basic level, compliance is the state of being in accordance with specified requirements, and for many organizations, compliance is the top business driver for data and ICT infrastructure security investments. However, regulatory and legal requirements rarely include enough specificity to determine whether the data handling and ICT infrastructure operations and outcomes are compliant without some degree of interpretation and “reading between the lines”. For example, new requirements for the retention of electronic records have been mandated in both statutory and regulatory law during the last decade. The preservation of legal, medical, and enterprise data in digital form, previously a concern in sound administration of the business, has become a legal necessity that confronts the networked storage industry with both challenges and rich opportunities.

Information assurance
Information assurance defines and applies a collection of policies, standards, methodologies, services, and mechanisms to maintain mission integrity with respect to people, process, technology, information, and supporting infrastructure.

Information assurance includes the following core principles:
- Confidentiality: Ensures the disclosure of information only to those persons with authority to see it.
- Integrity: Ensures that information remains in its original form; the information remains true to the creator’s intent.
- Availability: Information or information resource is ready for use within the stated operational parameters.
- Possession: Information or information resource remains in the custody of authorized personnel.
- Authenticity: Information or information resources conform to reality; it is not misrepresented as something it is not.
- Utility: Information is fit for a purpose and in a usable state.
- Privacy: Ensures the protection of personal information from observation or intrusion, as well as adherence to the relevant privacy regulations.
- Authorized use: Ensures cost-incurring services are available only to authorized personnel.
- Nonrepudiation: Ensures the originator of a message or transaction may not later deny action.

The figure below illustrates information assurance:


Figure: Information assurance

When some form of data protection or data security is required, a range of security services can be brought to bear.

The National Security Agency’s (NSA) Information Assurance Technical Framework (IATF) identifies the following as the primary security service areas:
- Access control: Assuring that networked resources and data are usable only by authorized entities and that data is protected from unauthorized disclosure or modification. It also includes resource control, for example, preventing logon to local workstation equipment or limiting the use of remote access. Access control mechanisms are fundamental measures that may be used by other security services (for example, confidentiality, integrity, availability, and limiting the use of network resources all depend on limiting the ability of an unauthorized entity to access an item or service). The key elements of access control include the following:
  - Identification: A process or measure used to recognize an entity (a user, a process, a role associated with multiple users).
  - Authentication: A process or measure for determining whether something or someone is who or what it is declared to be, with some level of assurance (an authenticated identity).
  - Authorization: A process or measure for determining the access rights of an entity, also with some level of assurance.
  - Enforcement: A process or measure for actual enforcement of the access control decision; this is what actually provides protection against attacks. The concept of enforcing an access control decision is separate from the decision itself.
- Confidentiality: Assuring that data (both at rest and in-flight) is available only to authorized entities. Confidentiality services prevent disclosure of data while in storage, transiting a local network, or flowing over the public Internet. The protection needed depends on several variables: the location(s) of the data, the type of data, the amount or parts of user data involved, and the value of the data. The key elements of confidentiality include the following:
  - Data protection: A process or measure that invokes mechanisms that act directly on the data (or act in response to characteristics of the data) rather than responding to an entity’s attempt to access data. The most common method for providing confidentiality by data protection is to encrypt the appropriate data.
  - Data separation: Data separation traditionally refers to the concept of providing separate paths (for example, Red/Black separation) or process separation (computer security techniques). Data separation mechanisms provide confidentiality by preventing data from reaching a location or destination where it could be disclosed to unauthorized entities (e.g., servers containing sensitive HR information are inaccessible from the public Internet). The primary variable in the level of assurance provided by a data separation mechanism is the level of trust associated with the process or machine implementing the mechanism.
  - Traffic flow protection: Important information can be observed or inferred from traffic characteristics such as frequency, quantity, and destination of communications. Measures that add superfluous (usually random) data and hide network layer addresses can obfuscate this kind of information.
- Integrity: Guarding against improper modification or destruction of information, which includes ensuring non-repudiation and authenticity. It covers prevention of unauthorized modification of data (both stored and communicated), detection and notification of unauthorized modification, and logging of all changes to data. Integrity can be applied to a single data unit (protocol data unit, database element, file, etc.) or to a stream of data units (e.g., all protocol data units exchanged in a connection).
- Availability: Assuring timely and reliable access to and use of data and information services for authorized users. A loss of availability is the disruption of access to or use of information or an information system. It includes protection from attacks, unauthorized use, and resilience to routine failures.
- Nonrepudiation: Repudiation is denial by one of the entities involved in a transaction that it participated in that transaction. The nonrepudiation security service provides the ability to prove to a third party that the entity did indeed participate in the transaction.
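
The integrity service above (detection and logging of changes) and the authenticity and tamper-prevention business drivers earlier in this guide rest on the same mechanism: hashes, timestamps, and provenance records that let a verifier prove whether a record was changed rather than leaving the question inconclusive. The following is an added example, not from the original guide or from any product it mentions, of a tamper-evident change log. Each entry carries a UTC timestamp, the MAC of the previous entry, and an HMAC under a key held by the audit system rather than by the storage administrator; the key value, the field names, and the sample entries are constructed for the demonstration.

```python
"""Tamper-evident provenance log: hash chain + keyed MAC + timestamps.

Added example (not from the study guide). MAC_KEY is assumed to be held by
the audit system; a storage administrator who can edit the log file but does
not hold the key cannot recompute a valid MAC after altering an entry.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production this lives with the audit system/HSM,
# never on the storage host whose administrators the log is meant to watch.
MAC_KEY = b"demo-key-held-by-audit-system-not-storage-admin"

GENESIS = "0" * 64  # link value for the first entry


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, actor: str, action: str, target: str, ts: str = "") -> dict:
    """Append a provenance record that is linked to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    body["mac"] = hmac.new(MAC_KEY, _canonical(body), hashlib.sha256).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Walk the chain from genesis; return (ok, reason).

    Detects edited entries (MAC mismatch), deleted or reordered entries
    (sequence gap / broken link) and any entry signed with another key.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, f"sequence gap at position {i}"
        if entry.get("prev") != prev:
            return False, f"broken link at seq {i}"
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(MAC_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, f"MAC mismatch at seq {i}"
        prev = entry["mac"]
    return True, "chain intact"


def verify_anchor(chain: list, anchored_mac: str) -> bool:
    """Compare the chain head with a MAC stored outside the administrator's reach.

    A chain on its own cannot reveal that its newest entries were deleted; an
    externally anchored head (write-once media, timestamping receipt) can.
    """
    return bool(chain) and hmac.compare_digest(chain[-1]["mac"], anchored_mac)


if __name__ == "__main__":
    log = []
    append_entry(log, "alice", "chmod", "/data/hr/payroll.csv")
    append_entry(log, "bob", "delete", "/data/hr/old.csv")
    print(verify_chain(log))          # (True, 'chain intact')
    log[1]["actor"] = "alice"         # simulate tampering
    print(verify_chain(log))          # (False, 'MAC mismatch at seq 1')
```

Truncation of the tail is the case a chain cannot see on its own, which is why verify_anchor compares the head against a copy kept where the administrator cannot write; that external copy is the practical meaning of the "secure timestamps" the text calls for.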

The manner in which these services are implemented is also important. Conventional wisdom within the security community favors a defense in depth strategy, in which an organization uses multiple security techniques so that the compromise or circumvention of any one component does not defeat the whole defense. Different security products from multiple vendors are sometimes deployed to cover different potential attack vectors, so that a shortfall in any one product does not lead to a wider failure.

The secure administration of storage systems has the following benefits:
- Centrally manages, records, and audits administrator actions in storage CLI and GUI sessions, with real-time monitoring.
- Ensures that the storage administrator has no control over the audit logging to prevent tampering.
- Eliminates the need to share privileged administrative credentials (like the root user password on Linux) that are required for some software-defined storage (SDS) products.
- Provides time-bound privilege storage admin sessions and remote termination of storage admin sessions.
- Supports multi-factor authentication for the users accessing storage admin sessions.
- Can capture keystrokes, process activity, and programs that are running (useful in some SDS offerings).
- Manages and audits privileged storage accounts and authentication secrets, such as passwords and SSH keys.
Secure remote support is managed by the customer, and it has the following benefits:
- Provides time-bound audited access to the service, maintenance, or support teams.
- Supports a custom approval workflow (multi-level approval) for each access session.
- Records and audits all activity that is performed in support or service sessions.
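
As an added example (not from the original guide and not IBM's code), the controls in the two lists above can be reduced to one policy decision function and one enforcement wrapper, following the IATF distinction between deciding an access request and enforcing the decision: a privileged storage session is allowed only if it is unexpired, not remotely terminated, MFA-verified, approved by someone other than the requester, and the requested operation is in the role's permitted set. The role table, operation names, and session records are constructed for the demonstration.

```python
"""Time-bound privileged storage-admin sessions: decision separated from enforcement.

Added example (not from the study guide or any IBM product). Models the
controls the text lists: MFA, time-bound sessions, approval workflow, remote
termination, least privilege, and an audit record of every decision.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role -> permitted storage operations. Deny anything not listed.
ROLE_PERMISSIONS = {
    "storage-admin": {"fs.mount", "fs.snapshot", "fs.quota"},
    "support-engineer": {"fs.snapshot", "log.read"},
    "auditor": {"log.read"},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    approved_by: str          # empty string = no approval recorded
    issued_at: datetime
    ttl: timedelta
    revoked: bool = False     # set by remote termination

    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


@dataclass
class Decision:
    allow: bool
    reason: str


def decide(session: Session, operation: str, now: datetime) -> Decision:
    """Policy decision point: every check must pass; the first failure explains the denial."""
    if session.revoked:
        return Decision(False, "session revoked by remote termination")
    if now >= session.expires_at():
        return Decision(False, "session expired")
    if not session.mfa_verified:
        return Decision(False, "MFA not verified")
    if not session.approved_by:
        return Decision(False, "no approval recorded for this session")
    if session.approved_by == session.user:
        return Decision(False, "self-approval violates separation of duties")
    if operation not in ROLE_PERMISSIONS.get(session.role, set()):
        return Decision(False, f"role {session.role!r} may not perform {operation!r}")
    return Decision(True, "allowed")


def enforce(session: Session, operation: str, now: datetime, audit: list, run=lambda: "executed"):
    """Policy enforcement point: records every decision, runs the operation only on allow.

    The audit list stands in for the append-only log the administrator cannot edit.
    """
    d = decide(session, operation, now)
    audit.append({"ts": now.isoformat(), "user": session.user, "op": operation,
                  "allow": d.allow, "reason": d.reason})
    if not d.allow:
        raise PermissionError(d.reason)
    return run()


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    s = Session("alice", "storage-admin", True, "bob", t0, timedelta(minutes=30))
    log = []
    print(enforce(s, "fs.snapshot", t0, log))                # executed
    print(decide(s, "fs.snapshot", t0 + timedelta(hours=1)))  # session expired
```

Keeping decide() free of side effects is what makes the separation useful: the same function can be unit-tested against every denial reason, while enforce() is the only place that touches the storage system and the audit trail.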

Use case examples
This guide demonstrates the integration of IBM Spectrum Scale with Verify Privilege Vault. The concept can be extended and applied to other IBM Storage systems. IBM® Security™ Verify Privilege Vault On-Premises (Verify Privilege Vault), formerly known as IBM Security™ Secret Server, is a privileged account management product that integrates with IBM Storage to ensure that access to IBM Storage administration sessions is secure, monitored in real time, and recorded as required for audit and compliance. Privileged access to storage administration sessions is centrally managed, and each session can be time-bound with remote monitoring.

IBM Spectrum Scale
IBM Spectrum Scale is a scalable, high-performance file system that is suitable for various use cases (see Figure). It provides storage management with scalability, flash-accelerated performance, and automatic storage tiering capabilities. IBM Spectrum Scale reduces storage costs while improving security and management efficiency in cloud, big data, and analytics environments.

In a nutshell, IBM Spectrum Scale provides the following benefits:
- Virtually limitless scaling to nine quintillion files and yottabytes of data.
- High performance and simultaneous access to a common set of shared data.
- Integrated information lifecycle management (ILM) functions to automatically move data between storage tiers, including flash, disk, tape, and object storage (public and private cloud). ILM can reduce operational costs because fewer administrators can manage larger storage infrastructures.

With SDS, you can build your infrastructure solution with the following characteristics:
- Easy to scale with relatively inexpensive commodity hardware while maintaining world-class storage management capabilities.
- Deployable on Amazon Web Services (AWS) and IBM Cloud. A cross-platform solution that is available on IBM AIX®, Linux, and Windows server nodes, or a mix of all three. IBM Spectrum Scale is also available for IBM Z.
- Available as the prepackaged storage solution that is named IBM ESS with de-clustered RAID included.
- Global data access across geographic distances and unreliable WAN connections.
- Multi-site support to connect a local IBM Spectrum Scale cluster to remote clusters, which provides greater administrative flexibility and control.
- Proven reliability across multiple sites, and support for concurrent hardware and software upgrades.
- State-of-the-art protocol access methods for managing files and objects under the same global namespace, which make more efficient use of storage space and avoid data islands. The supported protocols include NFS, SMB, POSIX, OpenStack Swift, and S3.
- Seamless integration for Hadoop applications through the Hadoop Distributed File System (HDFS) transparency feature.
- Proven security features to ensure data privacy, authenticity, and auditability.
- File-level encryption for data at rest and secure erase.
- Policy-driven compression to reduce the size of data at rest and increase storage efficiency.
- Can be used as persistent storage for containers.
- Includes a GUI to simplify storage administration tasks and monitor many aspects of the system.


Figure: IBM Spectrum Scale

IBM Spectrum Scale is often used in high-performance and computationally demanding environments across different areas, such as the banking, financial, healthcare, oil and gas, and automotive industries. Its most common use cases are artificial intelligence (AI) and deep learning, big data analytics, content repositories, private cloud, and compute clusters. It is also commonly used for data optimization and resiliency: archive, high-speed backup, disaster recovery, and ILM.
IBM Spectrum Scale supports various deployment models, and one of them is IBM ESS, which is a modern hardware-based implementation. IBM ESS is available as IBM ESS 3000 (high-density storage) and IBM ESS 5000 (high-capacity and high-performance storage).

Verify Privilege Vault
IBM Security Verify Privilege provides on-premises and cloud offerings.
The cloud offering, Verify Privilege Vault (Figure 8.3), is a hosted solution for which organizations do not need to manage any hardware or software. IBM Security Verify Privilege Vault On-Premises, by contrast, requires a dedicated server for installation and an SQL database to store its data. Based on the requirements, features, and architecture, your organization can decide which offering to select. In this guide, we refer to Verify Privilege Vault On-Premises, although the information can be extended to the cloud offering with the relevant changes. Privileged access is the route to an organization’s most valuable information, so implementing PAM has become a top priority. Verify Privilege Vault is a full-featured PAM solution that is available both on-premises and in the cloud, and it is intended to let security and IT operations teams secure and manage all types of privileged accounts quickly and easily.

With Verify Privilege Vault, you can do the following:
- Establish a secure vault.
- Discover privileges.
- Protect passwords.
- Meet compliance requirements.
- Control sessions.
Verify Privilege Vault is fast to deploy, easy to use, and scalable for the enterprise. It integrates with the larger IBM Security portfolio for key use cases, such as identity governance and multi-factor authentication.

The figure below illustrates the IBM Privilege Vault:


Figure: IBM Privilege Vault

The following list describes the architecture that is shown in the preceding figure:
- The left side of the architecture represents different mediums through which Verify Privilege Vault can be accessed. The right side represents the high-level internal working.
- Verify Privilege Vault requires an SQL server for its configuration and data management. You can configure the setup for high availability as needed.
- Verify Privilege Vault provides session launchers that are tailored to start specific applications based on triggers in a secret template. For example, for the Windows platform, the remote desktop connection application is invoked when trying to access a Windows account secret. Similarly, for the UNIX or Linux platforms, the PuTTY application is triggered when using a UNIX or Linux account secret.
- A distributed engine is used for remote password changing and the discovery of new accounts.

Security implications/privacy concerns
One of the biggest obstacles presented by BYOD or COPE initiatives is the security issues that are inherent with mobile devices. Many of these vulnerabilities revolve around storage devices. Let’s look at a few.

Data storage
While protecting data on a mobile device is always a good idea, in many cases, an organization must comply with an external standard regarding the minimum protection provided to the data on the storage device. For example, the Payment Card Industry Data Security Standard (PCI DSS) enumerates requirements that payment card industry players should meet to secure and monitor their networks, protect cardholder data, manage vulnerabilities, implement strong access controls, and maintain security policies. The different storage types share certain issues and present issues unique to each type.

Non-removable storage
The storage that is built into a device may not suffer all the vulnerabilities shared by other forms, but the data on it is still at risk. One tool available with this form of storage that is not available with others is the ability to remotely wipe the data if the device is stolen. In any case, the data should be encrypted with AES-128 or AES-256, using an authenticated mode and a key kept in the device's hardware-backed keystore rather than alongside the data; a remote wipe is then reliable even where flash cannot be overwritten dependably, because destroying the key renders the ciphertext unreadable (cryptographic erase). A backup copy of the data should also be stored in a secure location.

Removable storage
While removable storage may be desirable in that it may not be with the device when the device is stolen, it can still be lost or stolen itself. Removable storage of any type is one of the primary channels for data exfiltration. If removable storage is in use, the data on it should be encrypted with AES-128 or AES-256.

Cloud storage
While cloud storage may seem like a great idea, it presents many unique issues. Among them are the following:
- Data breaches: Cloud providers may include safeguards in service level agreements (SLAs), but ultimately the organization is responsible for protecting its own data, regardless of where it is located. When this data is not in your hands—and you may not even know where it is physically located at any point in time—protecting your data is difficult.
- Authentication system failures: These failures allow malicious individuals into the cloud. This issue is sometimes made worse by the organization itself when developers embed credentials and cryptographic keys in source code and leave them in public-facing repositories.
- Weak interfaces and APIs: Interfaces and application programming interfaces (APIs) tend to be the most exposed parts of a system because they’re usually accessible from the open Internet.

Transfer/backup data to uncontrolled storage
In some cases, users store sensitive data in cloud storage that is outside the control of the organization, using sites such as Dropbox. These storage providers have had their share of data loss issues as well. Policies should address and forbid this type of storage of data from mobile devices.

Improper storage of sensitive data
Sensitive information in this discussion includes usernames, passwords, encryption keys, and paths that applications need to function but that would cause harm if discovered. Determining the proper method of securing this information is critical and not easy. It is a generally accepted rule not to hard-code passwords, although this was not always considered a best practice. Encrypting a password that is embedded in the application code is only a partial measure: the decryption key must then also be present in the code or on the host, and embedded values are difficult to rotate once the application has shipped. Storing this type of sensitive information in a configuration file also presents problems. Such files are usually discoverable, and even if hidden, an attacker can learn their standard or default location from a demo version of the software. Whatever the method used, significant thought should be given to protecting these sensitive forms of data; a secrets store that injects credentials at run time keeps them out of both source code and configuration files.

To prevent disclosure of sensitive information from storage, the following measures can be implemented:
- Ensure that the memory holding this data is locked (pinned so it is not swapped to disk) and cleared when no longer needed.
- Ensure that ACLs attached to sensitive data are properly configured.
- Implement an appropriate level of encryption.
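
The following is an added example, not from the original guide, that puts the three measures above and the earlier warning about credentials embedded in source code into practice. The "before" function shows the anti-pattern (a credential compiled into the program, so it ships with every copy); the "after" functions read the secret from the process environment, which the deployment injects, or from a file whose ownership and permission bits are checked before its contents are trusted, and create that file with a restrictive mode from the start. The environment variable name and file paths are assumptions for the demo, and the POSIX mode check stands in for a full ACL review.

```python
"""Keeping application secrets out of code and out of readable files.

Added example (not from the study guide). POSIX-only: it relies on file
ownership and permission bits as the 'ACL attached to sensitive data'.
"""
import os
import stat

# BEFORE: the credential lives in the source and therefore in every copy of
# the binary; encrypting it here would just put the key next to it.
DB_PASSWORD = "hunter2"   # constructed placeholder; never do this


def connect_insecure() -> str:
    return f"connected with {DB_PASSWORD}"


class SecretPermissionError(Exception):
    """Raised when a secret file is not safe to trust."""


def read_secret_file(path: str) -> str:
    """Refuse to use a secret that other users on the host could read or replace."""
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        raise SecretPermissionError(f"{path} is a symlink; refusing to follow")
    if not stat.S_ISREG(st.st_mode):
        raise SecretPermissionError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretPermissionError(
            f"{path} is group/world accessible (mode {stat.S_IMODE(st.st_mode):o})")
    if st.st_uid != os.geteuid():
        raise SecretPermissionError(f"{path} is owned by uid {st.st_uid}, not the running user")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def load_secret(env_var: str, fallback_path: str) -> str:
    """AFTER: prefer a value injected through the environment, else a locked-down file."""
    value = os.environ.get(env_var)
    if value:
        return value
    return read_secret_file(fallback_path)


def write_secret_file(path: str, value: str) -> None:
    """Create the file with mode 0600 atomically; chmod after writing leaves a window."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(value)


if __name__ == "__main__":
    import tempfile
    p = os.path.join(tempfile.mkdtemp(), "db.secret")
    write_secret_file(p, "s3cr3t\n")
    print(load_secret("DEMO_DB_PASSWORD", p))   # s3cr3t
    os.chmod(p, 0o644)
    try:
        read_secret_file(p)
    except SecretPermissionError as e:
        print("refused:", e)
```

The ownership and symlink checks matter as much as the mode bits: a world-writable directory lets another local user swap in their own file or a symlink to one, so the check must be made on the file that is actually opened.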

Data recovery and storage
In most organizations, data is one of the most critical assets when recovering from a disaster. However, an operations team must determine which data is backed up, how often the data is backed up, and the method of backup used. An organization must also determine how data is stored, including data in use and data that is backed up. While data owners are responsible for determining data access rules, data life cycle, and data usage, they must also ensure that data is backed up and stored in alternate locations so that it can be restored.
Let’s look at an example. Suppose that an organization’s security administrator has received a subpoena for the release of all the emails received and sent by the company’s chief executive officer (CEO) for the past three years. If the security administrator is only able to find one year’s worth of email records on the server, he should check the organization’s backup logs and archives before responding to the request. Failure to produce all the requested data could possibly have legal implications. The security administrator should restore the CEO’s email from an email server backup and provide whatever is available up to the last three years from the subpoena date. Keep in mind, however, that the organization should provide all the data that it has regarding the CEO’s emails. If the security administrator is able to recover the past five years’ worth of the CEO’s email, the security administrator should notify the appropriate authorities and give them access to all five years’ data.
As a rule of thumb, in a subpoena situation, you should always provide all the available data, regardless of whether it exceeds the requested amount or any internal data retention policies. For example, if users are not to exceed 500 MB of storage but you find that a user has more than 3 GB of data, you should provide all that data in response to any legal requests. Otherwise, you and the organization could be held responsible for withholding evidence.

Data ownership
The main responsibility of a data owner (information owner) is to determine the classification level of the information she owns and to protect the data for which she is responsible.
This role approves or denies access rights to the data. However, the data owner usually does not handle the implementation of the data access controls. The data owner role is usually filled by an individual who understands the data best through membership in a particular business unit. Each business unit should have a data owner. For example, a human resources department employee better understands the human resources data than does an accounting department employee. The data custodian implements the information classification and controls after they are determined by the data owner. Whereas the data owner is usually an individual who understands the data, the data custodian does not need any knowledge of the data beyond its classification levels. Although a human resources manager should be the data owner for the human resources data, an IT department member could act as the data custodian for the data. This ensures separation of duties: the data owner makes the decisions on access, while the data custodian configures the access permissions established by the data owner. During an incident response and recovery action, the response team should first speak to the data owner, the person ultimately responsible for the data.

Data handling
The appropriate policies must be in place for data handling.
When data is stored on servers and is actively being used, data access is usually controlled by using access control lists (ACLs) and implementing group policies and other data security measures, such as data loss prevention (DLP). However, once data is archived to backup media, data handling policies are just as critical. Enterprise data archiving is usually managed using a media library. All media should be properly labeled to ensure that those responsible for recovery can determine the contents of the media. Enterprises should accurately maintain media library logs to keep track of the history of the media. This is important because all media types have a maximum number of times they can safely be used. A media librarian should keep a log that tracks all media (backup and other types, such as operating system installation discs).

During media disposal, you must ensure that no data remains on the media. The most reliable, secure means of removing data from magnetic storage media, such as a magnetic tape cassette, is through degaussing, which involves exposing the media to a powerful, alternating magnetic field. It removes any previously written data, leaving the media in a magnetically randomized (blank) state.

Some other disposal terms and concepts with which you should be familiar are as follows:
- Data purging: This involves using a method such as degaussing to render the old data unrecoverable even against laboratory (forensic) attacks.
- Data clearing: This involves rendering information unrecoverable by keyboard attack, that is, through ordinary operating system and file recovery tools; the data may still be recoverable with forensic techniques.
- Remanence: This term refers to any data left after the media has been erased. This is also referred to as data remnants or remnant magnetization.

Data security considerations
The security of the data processed by any new system is perhaps one of the most important considerations during an integration. Data security must be considered during every stage of the data life cycle. This section discusses issues surrounding data security during integration.

Data remnants
Data remnants are data that is left behind on a computer or another resource when that resource is no longer used.
If resources, especially hard drives, are reused frequently, an unauthorized user can access data remnants. The best way to protect this data is to employ some sort of data encryption. If data is encrypted, it cannot be recovered without the original encryption key. Administrators must understand the kind of data that is stored on physical drives so they can determine whether data remnants should be a concern. If the data stored on a drive is not private or confidential, the organization may not be concerned about data remnants. However, if the data stored on the drive is private or confidential, the organization may want to implement asset reuse and disposal policies. Whenever data is erased or removed from storage media, residual data can be left behind. The data may be able to be reconstructed when the organization disposes of the media, resulting in unauthorized individuals or groups gaining access to it. Security professionals must consider media such as magnetic hard disk drives, solid-state drives, magnetic tapes, and optical media, such as CDs and DVDs.

When considering data remanence, security professionals must understand the following three countermeasures:
- Clearing: This includes removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools. With this method, the data is recoverable only using special forensic techniques.
- Purging: Also referred to as sanitization, purging makes the data unreadable even with advanced forensic techniques. When this technique is used, data should be unrecoverable.
- Destruction: Destruction involves destroying the media on which the data resides. Destruction techniques include the following:
  - Overwriting writes data patterns over the entire media, thereby eliminating any trace data.
  - Degaussing involves exposing the media to a powerful, alternating magnetic field to remove any previously written data and leave the media in a magnetically randomized (blank) state.
  - Encryption scrambles the data on the media, thereby rendering it unreadable without the encryption key.
  - Physical destruction involves physically breaking the media apart or chemically altering it. For magnetic media, physical destruction can also involve exposure to high temperatures.

The majority of these countermeasures work for magnetic media. However, solid-state drives present unique challenges because they cannot be overwritten. Most solid-state drive vendors provide sanitization commands that can be used to erase the data on the drive. Security professionals should research these commands to ensure that they are effective. Another option for these drives is to erase the cryptographic key. Often a combination of these methods must be used to fully ensure that the data is removed.
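The two sanitization techniques that recur in the disposal terms above and in the countermeasure list, overwriting and cryptographic erase, as an added example written for this guide rather than taken from it. `overwrite_file` implements the overwriting technique for magnetic media (fixed patterns, then a random pass, synced to the device after each pass). `EncryptedVolume` shows the key-destruction option the text gives for solid-state drives and cloud storage: the media only ever holds ciphertext, so destroying the key sanitizes every block at once. The HMAC-SHA256 counter-mode keystream is a constructed stand-in for a real cipher such as AES-CTR so that the example runs with the standard library alone; the file contents and block names are constructed sample data.

```python
"""Added example: overwriting for magnetic media and cryptographic erase for
media that cannot be overwritten (SSDs, cloud storage). Not part of the guide."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Pass list: a zeros pass, a ones pass, then a random pass (None = random).
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path: str, passes=DEFAULT_PASSES) -> int:
    """Overwrite the file in place once per pattern; return the pass count.
    This covers only the file's current logical extents. Remapped flash blocks
    are exactly why the text steers SSD owners to vendor sanitize commands or
    key destruction instead of overwriting."""
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            fh.write(secrets.token_bytes(size) if pattern is None else pattern * size)
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device, not just the page cache
            done += 1
    return done


def demo_overwrite(contents: bytes) -> bytes:
    """Write `contents` to a temporary file, overwrite it, and return what a
    raw read of the file yields afterwards (the original bytes should be gone)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(contents)
        overwrite_file(path)
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        os.unlink(path)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for a real stream
    cipher (use AES-CTR or AES-XTS in a real system)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """A store whose 'media' (the blocks dict) never holds plaintext. The only
    secret is the key, so crypto_erase() sanitizes every block at once."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.blocks = {}  # block id -> (nonce, ciphertext): what sits on the media

    def _require_key(self) -> bytes:
        if self._key is None:
            raise RuntimeError("volume has been cryptographically erased")
        return self._key

    def write(self, block_id: str, plaintext: bytes) -> None:
        key = self._require_key()
        nonce = secrets.token_bytes(16)  # fresh per write so keystreams never repeat
        self.blocks[block_id] = (nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext))))

    def read(self, block_id: str) -> bytes:
        key = self._require_key()
        nonce, ciphertext = self.blocks[block_id]
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

    def remnant(self, block_id: str) -> bytes:
        """What a forensic read of the media sees: ciphertext only."""
        return self.blocks[block_id][1]

    def crypto_erase(self) -> None:
        """Sanitize by destroying the key. The ciphertext stays on the media
        (blocks is untouched) but is unreadable without the key."""
        self._key = None


if __name__ == "__main__":
    leftover = demo_overwrite(b"SECRET-PAYROLL-DATA" * 50)
    print("overwritten file still contains the secret:", b"SECRET" in leftover)
    vol = EncryptedVolume()
    vol.write("blk0", b"SECRET-PAYROLL-DATA")
    print("read with key:", vol.read("blk0"))
    vol.crypto_erase()
    try:
        vol.read("blk0")
    except RuntimeError as exc:
        print("read after erase:", exc)
```

The design point is that cryptographic erase only works if the key was in place before the first write and never stored on the same media it protects; encrypting data that was previously written in the clear leaves the old plaintext as remnants, which is why the text recommends encryption from the outset for cloud storage.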
Data remanence is also a consideration when using any cloud-based solution for an organization. Security professionals should be involved in negotiating any contract with a cloud-based provider to ensure that the contract covers data remanence issues, although it is difficult to determine that the data is properly removed. Using data encryption is a great way to ensure that data remanence is not a concern when dealing with the cloud.

Data aggregation
Data aggregation allows data from multiple resources to be queried and compiled together into a summary report.
The account used to access the data needs to have appropriate permissions on all of the domains and servers involved. In most cases, these types of deployments incorporate a centralized data warehousing and mining solution on a dedicated server. Security threats to databases usually revolve around unwanted access to data. Two security threats that exist in managing databases are the processes of aggregation and inference. Aggregation is the act of combining information from various sources. This becomes a security issue with databases when a user is not permitted to access a set of data objects as a whole but does have access to the individual objects (or at least some of them) and is able to piece together information to which he or she should not have access. The process of piecing together the information is called inference.

Two types of access control measures can be put in place to help prevent access to inferable information:
- Content-dependent access control: With this type of measure, access is based on the sensitivity of the data. For example, a department manager might have access to the salaries of the employees in his or her department but not to the salaries of employees in other departments. The cost of this measure is increased processing overhead.
- Context-dependent access control: With this type of measure, access is based on multiple factors to help prevent inference. Access control can be a function of factors such as location, time of day, and previous access history.
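Both measures applied to a salary table, as an added example written for this guide (it is not the exam's or any vendor's code). The content-dependent rule decides on the record itself: anyone may read their own salary, and a manager may read salaries only in his or her own department. The context-dependent rule guards the aggregate query with the factors the text names, time of day and previous access history: department totals are refused outside business hours, for groups too small to hide an individual, and once the requester's history shows they could subtract the salaries they already know from the total to infer one they were never granted. The employees, departments, salaries and the business-hours window are constructed sample values.

```python
"""Added example: content-dependent and context-dependent access control
over a constructed salary table. Not part of the guide."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SalaryRecord:
    employee: str
    department: str
    salary: int


@dataclass
class Requester:
    name: str
    department: str
    role: str  # "manager" or "staff"
    seen_employees: set = field(default_factory=set)  # previous access history


# Constructed sample data, not real people.
SALARIES = {
    "alice": SalaryRecord("alice", "HR", 50_000),
    "bob": SalaryRecord("bob", "HR", 60_000),
    "carol": SalaryRecord("carol", "HR", 70_000),
    "dave": SalaryRecord("dave", "Accounting", 55_000),
    "erin": SalaryRecord("erin", "Accounting", 65_000),
}
BUSINESS_HOURS = (8, 18)  # hours of the day, constructed window
MIN_GROUP = 3             # totals over fewer people than this are refused


def content_allows(requester: Requester, record: SalaryRecord) -> bool:
    """Content-dependent: the decision depends on the sensitivity of the row.
    Everyone may read their own record; managers may read their own department."""
    if record.employee == requester.name:
        return True
    return requester.role == "manager" and record.department == requester.department


def within_business_hours(hour: int) -> bool:
    start, end = BUSINESS_HOURS
    return start <= hour < end


def context_allows(requester: Requester, department: str, hour: int) -> bool:
    """Context-dependent gate for the aggregate query: time of day, group size,
    and the requester's access history. If the requester already knows all but
    one member's salary, the total would reveal the last one by subtraction."""
    if not within_business_hours(hour):
        return False
    members = {r.employee for r in SALARIES.values() if r.department == department}
    if len(members) < MIN_GROUP:
        return False
    return len(members & requester.seen_employees) < len(members) - 1


def read_salary(requester: Requester, employee: str, hour: int) -> int:
    record = SALARIES[employee]
    if not content_allows(requester, record):
        raise PermissionError(f"{requester.name} may not read {employee}'s salary")
    if not within_business_hours(hour):
        raise PermissionError("salary reads are limited to business hours")
    requester.seen_employees.add(employee)  # record history only for granted reads
    return record.salary


def department_total(requester: Requester, department: str, hour: int) -> int:
    if not context_allows(requester, department, hour):
        raise PermissionError(f"total for {department} denied to {requester.name}")
    return sum(r.salary for r in SALARIES.values() if r.department == department)


def attempt(query, *args):
    """Run a query and return its value, or the string 'denied'."""
    try:
        return query(*args)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    hr_manager = Requester("hana", "HR", "manager")
    print(attempt(read_salary, hr_manager, "alice", 10))      # 50000
    print(attempt(read_salary, hr_manager, "dave", 10))       # denied: other department
    print(attempt(department_total, hr_manager, "HR", 10))    # 180000
    print(attempt(read_salary, hr_manager, "bob", 10))        # 60000
    print(attempt(department_total, hr_manager, "HR", 10))    # denied: carol now inferable
    erin = Requester("erin", "Accounting", "staff")
    print(attempt(read_salary, erin, "erin", 9))              # 65000, her own record
    print(attempt(department_total, erin, "Accounting", 9))   # denied: group of two
```

The history-based check is deliberately conservative: it also refuses the HR manager a total she could assemble from rows she is entitled to read directly. That trade of availability for a simple, auditable rule is the "increased processing overhead" and usability cost the text attributes to these measures.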

Data isolation
Data isolation in databases prevents data from being corrupted by two concurrent operations. Data isolation is used in cloud computing to ensure that tenant data in a multitenant solution is isolated from other tenants’ data, using tenant IDs in the data labels. Trusted login services are usually used as well. In both of these deployments, data isolation should be monitored to ensure that data is not corrupted. In most cases, some sort of transaction rollback should be employed to ensure that proper recovery can be made.
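The multitenant pattern just described, as an added example written for this guide using only the Python standard library (SQLite in memory): every row carries a tenant ID label, the tenant is resolved from a trusted login (a session-token lookup) rather than taken from the request, every query filters on that tenant, and a multi-row write runs inside a transaction that rolls back completely if any row fails. The tenant names and session tokens are constructed sample values; the `SESSIONS` table stands in for a real login service.

```python
"""Added example: tenant isolation with tenant-ID labels, a trusted login
lookup, and transaction rollback. Not part of the guide."""
import sqlite3

# Constructed session table standing in for the trusted login service.
SESSIONS = {"tok-acme-1": "acme", "tok-globex-7": "globex"}


def tenant_from_token(token: str) -> str:
    """Resolve the tenant from the authenticated session, never from user input."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("unknown session token") from None


class TenantStore:
    """One shared table; the tenant_id column is the isolation label."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE records ("
            " tenant_id TEXT NOT NULL, key TEXT NOT NULL, value TEXT NOT NULL,"
            " PRIMARY KEY (tenant_id, key))"
        )

    def put(self, token: str, key: str, value: str) -> None:
        tenant = tenant_from_token(token)
        with self.conn:  # commits on success, rolls back on exception
            self.conn.execute(
                "INSERT OR REPLACE INTO records (tenant_id, key, value) VALUES (?, ?, ?)",
                (tenant, key, value),
            )

    def get(self, token: str, key: str):
        """Every read is scoped by the caller's tenant; another tenant's row
        with the same key is invisible."""
        tenant = tenant_from_token(token)
        row = self.conn.execute(
            "SELECT value FROM records WHERE tenant_id = ? AND key = ?", (tenant, key)
        ).fetchone()
        return None if row is None else row[0]

    def keys(self, token: str) -> list:
        tenant = tenant_from_token(token)
        rows = self.conn.execute(
            "SELECT key FROM records WHERE tenant_id = ? ORDER BY key", (tenant,)
        )
        return [r[0] for r in rows]

    def bulk_insert(self, token: str, items) -> bool:
        """All-or-nothing batch: if any row conflicts, the whole batch is rolled
        back so a partial write cannot leave the tenant's data inconsistent."""
        tenant = tenant_from_token(token)
        try:
            with self.conn:
                for key, value in items:
                    self.conn.execute(
                        "INSERT INTO records (tenant_id, key, value) VALUES (?, ?, ?)",
                        (tenant, key, value),
                    )
        except sqlite3.IntegrityError:
            return False
        return True


if __name__ == "__main__":
    store = TenantStore()
    store.put("tok-acme-1", "plan", "gold")
    store.put("tok-globex-7", "plan", "silver")
    print(store.get("tok-acme-1", "plan"), store.get("tok-globex-7", "plan"))  # gold silver
    print(store.bulk_insert("tok-acme-1", [("a", "1"), ("plan", "dup")]))      # False
    print(store.keys("tok-acme-1"))                                            # ['plan']
```

Keeping the tenant filter inside the store's own methods, rather than trusting each caller to add it, is what makes the isolation monitorable: any query path that reaches the table without going through `tenant_from_token` is a defect to be caught in review.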

Data ownership
While most of the data an organization possesses may be created in-house, some of it is not. In many cases, organizations acquire data from others who generate such data as their business. These entities may retain ownership of the data and only license its use. When integrated systems make use of such data, consideration must be given to any obligations surrounding this acquired data. Service-level agreements (SLAs) that specify particular types of treatment or protection of the data should be followed. The main responsibility of a data or information owner is to determine the classification level of the information she owns and to protect the data for which she is responsible. This role approves or denies access rights to the data. However, the data owner usually does not handle the implementation of the data access controls.
The data owner’s role is usually filled by an individual who understands the data best through membership in a particular business unit. Each business unit should have a data owner. For example, a human resources department employee better understands the human resources data than an accounting department employee.
The data custodian implements the information classification and controls after they are determined by the data owner. Whereas the data owner is usually an individual who understands the data, the data custodian does not need any knowledge of the data beyond its classification levels. Although a human resources manager should be the data owner for the human resources data, an IT department member could act as the data custodian for the data.

Data sovereignty
Information that has been converted and stored in binary digital form is subject to the laws of the country in which it is located. This concept is called data sovereignty. When an organization operates globally, data sovereignty must be considered. It can affect security issues such as the selection of controls and ultimately could lead to a decision to locate all data centrally in the home country. No organization operates within a bubble. All organizations are affected by laws, regulations, and compliance requirements. Organizations must ensure that they comply with all contracts, laws, industry standards, and regulations. Security professionals must understand the laws and regulations of the country or countries they are working in and the industry within which they operate. In many cases, laws and regulations are written in a manner whereby specific actions must be taken. However, in some cases, laws and regulations leave it up to the organization to determine how to comply.
The United States and the European Union both have established laws and regulations that affect organizations that do business within their area of governance. While security professionals should strive to understand laws and regulations, security professionals may not have the level of knowledge and background to fully interpret these laws and regulations to protect their organization. In these cases, security professionals should work with legal representation regarding legislative or regulatory compliance.

Data volume
Organizations should strive to minimize the amount of data they hold. More data means a larger attack surface. Data retention policies should be created that prescribe the destruction of data when it is no longer of use to the organization. Keep in mind that the creation of such policies should be driven by legal and regulatory requirements for the retention of data that might be relevant to the industry in which the enterprise operates.
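A retention sweep that turns this policy into a check, as an added example written for this guide. It selects items for destruction once their retention period has lapsed, but sets aside anything under a legal hold, which is the subpoena situation described earlier in the guide: data that still exists must be produced, so nothing subject to a hold may be destroyed even if the retention policy says it should be. Categories, retention periods, custodians and dates are constructed sample values; real periods come from the legal and regulatory requirements the text refers to.

```python
"""Added example: retention sweep with legal-hold exception. Not part of the guide."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class StoredItem:
    name: str
    category: str   # selects the retention period
    custodian: str  # whose data it is, e.g. the mailbox owner
    created: date


# Retention period per category (constructed values).
RETENTION = {
    "email": timedelta(days=3 * 365),
    "logs": timedelta(days=90),
    "hr": timedelta(days=7 * 365),
}


def retention_expired(item: StoredItem, today: date) -> bool:
    return today - item.created > RETENTION[item.category]


def plan_retention_sweep(items, today: date, legal_holds: set):
    """Sort items into (destroy, held, keep).

    legal_holds is a set of (category, custodian) pairs; a subpoena for a
    CEO's mailbox is represented as ("email", "ceo"). Held items are reported
    separately even when their retention has lapsed, so the conflict between
    the policy and the hold is visible rather than silently resolved."""
    destroy, held, keep = [], [], []
    for item in items:
        if (item.category, item.custodian) in legal_holds:
            held.append(item)
        elif retention_expired(item, today):
            destroy.append(item)
        else:
            keep.append(item)
    return destroy, held, keep


def demo_sweep() -> dict:
    """Constructed inventory swept on a fixed date; returns item names per bucket."""
    today = date(2024, 1, 1)
    items = [
        StoredItem("ceo-mail-2019", "email", "ceo", date(2019, 6, 1)),
        StoredItem("cfo-mail-2019", "email", "cfo", date(2019, 6, 1)),
        StoredItem("web-log-dec", "logs", "ops", date(2023, 12, 1)),
        StoredItem("web-log-jun", "logs", "ops", date(2023, 6, 1)),
    ]
    destroy, held, keep = plan_retention_sweep(items, today, {("email", "ceo")})
    return {
        "destroy": [i.name for i in destroy],
        "held": [i.name for i in held],
        "keep": [i.name for i in keep],
    }


if __name__ == "__main__":
    print(demo_sweep())
```

The sweep only produces a plan; the destruction step itself should use the sanitization method appropriate to the media, as discussed under data remnants, and the plan should be logged so that the organization can later show what was destroyed, when, and under which policy.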

Security and privacy considerations of storage
When integrating storage solutions into an enterprise, security practitioners should be involved in the design and deployment to ensure that security issues are considered. The following are some of the security considerations for storage:
- Limit physical access to the storage solution.
- Create a private network to manage the storage solution.
- Implement ACLs for all data, paths, subnets, and networks.
- Implement ACLs at the port level, if possible.
- Implement multi-factor authentication.
Security practitioners should ensure that an organization adopts appropriate security policies for storage solutions to ensure that storage administrators prioritize the security of the storage solutions.

Conclusion
When integrating storage systems and solutions into an enterprise’s infrastructure, security practitioners are constantly involved in the design and deployment to ensure that any storage security risks and issues are considered and mitigated. Storage security engineers need to ensure that organizations adopt appropriate security policies for secure cloud and on-premises storage, and that stakeholders prioritize the security of storage solutions. This guide presents the concepts for encrypted and clear text communications and data flow security.