Configuration Management & Data Protection | CompTIA Security+ SY0-601 | 2.1a

In this video you will learn about configuration management as it relates to diagrams, baseline configurations, standard naming conventions, & Internet protocol schemas. You will also learn about data sovereignty & data protection such as: data loss prevention, data masking, data encryption, and digital rights management.

Configuration Management

Configuration management is the practice of handling changes systematically so that a system maintains its integrity over time.  Configuration management implements the policies, procedures, techniques, and tools that manage, evaluate proposed changes, track the status of changes, and maintain an inventory of system and support documents as the system changes.  Configuration management programs and plans provide technical and administrative direction to the development and implementation of the procedures, functions, services, tools, processes, and resources required to successfully develop and support a complex system.  During system development, configuration management allows program management to track requirements throughout the lifecycle through acceptance and operations and maintenance.  As changes inevitably occur in the requirements and design, they must be approved and documented, creating an accurate record of the system status.  Ideally the configuration management process is applied throughout the system life cycle.

Several factors pertaining to configuration management that you need to be concerned about for the CompTIA Security+ SY0-601 certification exam are the following:

  • Diagrams:   Good network diagrams & well-written and up-to-date documentation is crucial and allows you to not only troubleshoot problems but also respond quickly to security incidents.[1]
  • Baseline Configuration:  After a minimum desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general.  Baseline configurations should be properly documented & reviewed to include a set of specifications for information systems or configuration items within those systems.[1]
  • Standard Naming Conventions:  A standardized naming convention allows for positively identifying devices within a network.  You should make sure that your organization has appropriate naming conventions for describing IT infrastructure, applications, & users.  Appropriate naming conventions are used to avoid conflicts and to be able to correlate data among disparate systems.[1]
  • Internet Protocol (IP) Schema:  Similar to standard naming conventions, having a proper IPv4 & IPv6 schema will help avoid conflicts within on-premises network or cloud deployments and to be able to correlate data among disparate systems.[1]

Data Sovereignty

Data sovereignty is the idea that data is subject to the laws and governance structures within the nation it is collected.  The concept of data sovereignty is closely linked with data security, cloud computing, network sovereignty and technological sovereignty.  Unlike technological sovereignty, data sovereignty is specifically concerned with questions surrounding the data itself.[2]  With the rise of cloud computing, many countries have passed various laws around control and storage of data, which all reflects measures of data sovereignty.[2]  More than 100 countries have some sort of data sovereignty laws in place.

Data Protection

Data protection is the process of safeguarding important data from corruption, compromise or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.[3]  Aspects about data protection that you need to be concerned with for the CompTIA Security+ SY0-601 certification exam are the following:

Data Loss Prevention (DLP)

Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring[4], detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).[5]  Most DLP policies focus on the use of content-level scanning and deep content inspection to identify sensitive data and protect it.  The following actions should be considered when designing a DLP policy:[6]

  • Consider any risk assessments your company has performed.
  • Incorporate key members of management from the various departments of your organization.
  • Identify the most sensitive data of the organization.
  • Outline a phased implementation of DLP & incorporate guidelines for tracking success of the initiative.
  • Attempt to minimize any negative impacts on the business caused by the policy implementation.
  • Periodically review the DLP policy.
  • Include the appropriate event-monitoring specifics as they apply to the policy.

Data Masking

Data masking is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.  The main reason for applying masking to a data field is to protect data that is classified as personally identifiable information (PII), sensitive personal data, or commercially sensitive data.

  • Data Tokenization:  is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.  The token is a reference (identifier) that maps back to the sensitive data through a tokenization system.  The mapping from original data to a token uses methods that render tokens infeasible to reverse in the absence of the tokenization systems.

Data Encryption

Data encryption is a way of translating data from plaintext (unencrypted) to ciphertext (encrypted).  Users can access encrypted data with an encryption key and decrypted data with a decryption key.[7]  When it comes to data encryption, you need to know about the following types of data:

  • Data at Rest:  this is data that is housed physically on computer data storage in any digital form.  Data at rest includes both structured and unstructured data.[8]  This type of data is subject to threats from hackers & other malicious threats to gain access to the data digitally or physical theft of the data storage media.  To prevent this data from being accessed, modified or stolen, organizations will often employ security protection measures such as password protection, data encryption, or a combination of both.
  • Data in Transit/Motion:  this is data that is in route between a source and a destination on a computer network.  To protect data in transit, the lines of communication need to be encrypted as well by using protocols such as VPN, TLS or SSL.
  • Data in Processing:  this is the collection and manipulation of items of data to produce meaningful information.[9] 

Digital Rights Management (DRM)

Digital rights management is the management of legal access to digital content.  Various tools or technological protection measures such as access control technologies can restrict the use of proprietary hardware and copyrighted works.[10]  DRM technologies are the use, modification, and distribution of copyrighted works (such as software and multimedia content), as well as system that enforce these policies within devices.[11]  In layman’s terms, DRM limits the end user’s rights to copy, transfer, or use software or digital media. An example of DRM is the limits on the number of systems that can use an application at the same time, such as Adobe Creative Cloud or Microsoft Office 365.

References

  1. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  2. Irion, K. (2012). Government Cloud Computing and National Data Sovereignty. Policy & Internet.
  3. What is Data Protection? SNIA.
  4. Hayes, R. (2007). Retail Security and Loss Prevention.
  5. De Groot, J. (2020, Oct 1). What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention. Data Insider.
  6. Sequeira, A. (2018). CompTIA Network+ N10-007 Cert Guide.
  7. What is encryption? Data encryption defined. IBM.
  8. Pickell, D. (2018). Structured vs. Unstructured Data – What’s the Difference? G2.
  9. French, C. (1996). Data Processing and Information Technology (10th ed). Thomson.
  10. Computer Forensics:  Investigating Network Intrusions and Cybercrime. Cengage Learning.
  11. Fact Sheet: Digital Rights Management and Technical Protection Measures. Priv.GC.CA.