You're reading from CompTIA CASP+ CAS-004 Certification Guide

Product type: Book
Published in: Mar 2022
Publisher: Packt
ISBN-13: 9781801816779
Edition: 1st Edition
Author: Mark Birch

Mark Birch is an experienced courseware developer and teacher in both information systems and cyber-security. Mark has been developing content and teaching CompTIA A+ classes for more than 20 years and understands the subject area in great depth. Mark began his career working within the aerospace industry (for a major defense contractor) and has over 30 years' experience consulting, engineering, and deploying secure information systems. He has spent over 20 years working with the United States Military and United Kingdom Armed Forces, helping many students attain their learning goals. Mark has ensured that soldiers, officers, and civilians have had the best opportunities to gain cyber-security accreditation.

Chapter 3: Enterprise Data Security, Including Secure Cloud and Virtualization Solutions

An organization must ensure that proper due diligence and due care are exercised when considering the storage and handling of data. Data will be stored and accessed across complex, hybrid networks. Data types may include sensitive data, intellectual property, and trade secrets. Regulatory compliance and legal requirements will need to be carefully considered when planning for the storage and handling of data. Data needs to be labeled and classified according to its business value, controls need to be put in place to prevent data loss, and an alert needs to be raised if those controls have any gaps. We need to plan how to handle data throughout its life cycle, from creation/acquisition to end of life. We must understand the implications of storing our data with third parties, such as B2B partners and cloud providers. We must ensure that appropriate protection is applied to data at rest, in transit, and in...

Implementing data loss prevention

It is important to identify sensitive data and put in place preventative controls that stop the unwanted exfiltration or leakage of this data. There are many different controls for managing this requirement. We can use policy to ensure that correct data handling and operational procedures are followed. We can use DLP filters at the network egress points, using capability within our Next Generation Firewall (NGFW) or Unified Threat Management (UTM) appliance. Your cloud provider may offer a Cloud Access Security Broker (CASB), protecting your organization when users access the cloud. Microsoft 365 offers this protection with a collection of pre-set rules and templates that can be applied. We will look at some additional methods within this section.

Blocking the use of external media

To prevent the local exfiltration of sensitive data, it is important to put in place local controls, also known as Group Policy or Local Policy, for Windows workstations...

Implementing data loss detection

It is not always possible to implement a 100% effective Data Loss Prevention (DLP) solution, since a determined insider threat actor may find a workaround. In this case, the objective may be to identify the threat actor. So, we will now look at methods to detect how data was exfiltrated from our organization.

Watermarking

If an organization wants to detect the theft or exfiltration of sensitive data, documents can still be checked out from an information system, but a watermark carrying the identity of the user who checked out the document is applied automatically, as shown in Figure 3.5. If the document is shared or printed, it will clearly show that user's identity.

Figure 3.5 – Watermarking

This type of control is also used to deter the user from distributing protected content.
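The following is an added example (not code from the book or from any product it describes) of how a document system can stamp a checked-out copy with the user's identity and later recover that identity from a leaked copy. It assumes plain-text documents, a server-side secret key, and a footer-line watermark format that is entirely hypothetical; the HMAC tag is there so that a leaked copy cannot be re-attributed to a different user simply by editing the footer.

```python
"""Identity watermarking for checked-out documents (added example, not the book's code).

Assumptions (hypothetical): documents are plain text, the document system holds a
secret key, and the watermark is a footer line appended at check-out time.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional

WATERMARK_PREFIX = "-- Checked out by "
TAG_LEN = 16  # hex characters of the HMAC kept in the footer


def _tag(document: str, body: str, key: bytes) -> str:
    """HMAC over the document text and the watermark body, so neither can be
    altered without invalidating the tag."""
    return hmac.new(key, (document + "\n" + body).encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def apply_watermark(document: str, user: str, key: bytes,
                    checked_out_at: Optional[str] = None) -> str:
    """Return the document with a visible footer naming the user and check-out time."""
    ts = checked_out_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = f"{user} at {ts}"
    return f"{document}\n{WATERMARK_PREFIX}{body} tag={_tag(document, body, key)}\n"


def read_watermark(marked: str, key: bytes) -> Optional[Dict[str, str]]:
    """Recover the user from a (possibly leaked) copy and verify the tag.

    Returns None when no watermark is present or the tag does not verify, which is
    what an investigator would see on a forged or edited footer."""
    lines = marked.rstrip("\n").split("\n")
    last = lines[-1]
    if not last.startswith(WATERMARK_PREFIX):
        return None
    body, sep, tag = last[len(WATERMARK_PREFIX):].rpartition(" tag=")
    if not sep:
        return None
    document = "\n".join(lines[:-1])
    if not hmac.compare_digest(tag, _tag(document, body, key)):
        return None
    user, _, ts = body.partition(" at ")
    return {"user": user, "checked_out_at": ts}


if __name__ == "__main__":
    # Constructed sample: a short document checked out by a hypothetical user.
    key = b"document-system-secret-key"  # constructed, would come from a secret store
    marked = apply_watermark("Project budget\nQ3 forecast: 1.2M", "alice", key,
                             "2022-03-01T10:00:00Z")
    print(marked)
    print(read_watermark(marked, key))
```

A visible footer is easy for a user to strip, so in practice this is layered with marks that are not obvious to the reader (font, spacing or image-level marks); the value of the tag is that, once a copy surfaces, the identity it carries can be trusted rather than merely read.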

Digital rights management

Digital rights management (DRM) is used to protect digital content, typically copyright material...

Enabling data protection

It is important to address all aspects of the Confidentiality, Integrity, and Availability (CIA) triad. We need to understand the importance of data and label or classify it accordingly. We must ensure that data is protected from unauthorized access and that its integrity is maintained. Data must also be made available so that business functionality can be maintained.

Data classification

The appropriate data owner needs to be consulted within the enterprise to establish the classification of data to ensure that appropriate controls are implemented.

Due to the amount of data that is typically held by large enterprises, automation is a common approach. For example, keyword or string searches could be utilized to discover documents containing a driver's license number, social security number, debit card numbers, and so on. Data classification blocking can then be applied where necessary to prevent data leakage. In Figure 3.6, we can see categories that could be used to label...
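As an added example of the automated discovery just described (this is not the book's code, nor any vendor's sensitive-information types), the scanner below applies simplified, constructed patterns for a US social security number, a payment card number and a UK driving licence number, confirms card candidates with the Luhn check digit to cut false positives, and assigns a classification label. The label names and the three constructed sample documents are assumptions for illustration; findings are masked so the scanner's own output does not become another copy of the sensitive data.

```python
"""Keyword/pattern-based data classification scanner (added example, not the book's code).

The regexes are simplified illustrations of the identifier types the chapter names;
a production DLP engine uses far richer, vendor-maintained definitions.
"""
import re
from typing import Dict, List

PATTERNS = {
    # US SSN: 3-2-4 digits, excluding invalid area/group/serial values.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Payment card candidate: 14 to 19 digits, optionally space/dash separated.
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    # UK driving licence (simplified): 5 chars, 6 digits, 2 chars, check digit, 2 chars.
    "uk_driving_licence": re.compile(r"\b[A-Z9]{5}\d{6}[A-Z9]{2}\d[A-Z0-9]{2}\b"),
}

# Assumed labels, ordered from least to most sensitive.
LABELS = ("Internal", "Confidential", "Restricted")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be reviewed safely."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> Dict[str, object]:
    """Return the classification label and masked findings for one document."""
    findings: List[Dict[str, str]] = []
    for m in PATTERNS["us_ssn"].finditer(text):
        findings.append({"type": "us_ssn", "value": mask(m.group())})
    for m in PATTERNS["payment_card"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # discard phone numbers and other digit runs
            findings.append({"type": "payment_card", "value": mask(digits)})
    for m in PATTERNS["uk_driving_licence"].finditer(text):
        findings.append({"type": "uk_driving_licence", "value": mask(m.group())})

    if any(f["type"] == "payment_card" for f in findings):
        label = "Restricted"
    elif findings:
        label = "Confidential"
    else:
        label = "Internal"
    return {"label": label, "findings": findings}


# Constructed sample documents (all identifiers are synthetic test values).
SAMPLE_DOCUMENTS = {
    "menu.txt": "Lunch menu for Friday: soup, sandwiches, fruit.",
    "hr_record.txt": "Employee record: SSN 123-45-6789, licence MORGA657054SM9IJ",
    "refund.txt": "Refund to card 4111 1111 1111 1111; contact ext 5551234567",
}


def scan_all(documents: Dict[str, str] = SAMPLE_DOCUMENTS) -> Dict[str, str]:
    """Map each document name to its label, as a labelling job would record it."""
    return {name: str(classify(text)["label"]) for name, text in documents.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCUMENTS.items():
        print(name, classify(text))
```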

Implementing secure cloud and virtualization solutions

Virtualization allows software to control access to the underlying hardware. It uses a thin layer of code to control access to resources, including networking, CPU, storage, and memory.

Pretty much any compute node can be run virtually on top of a software layer. This software layer is the hypervisor. User desktops, email servers, directory servers, switches, firewalls, and routers are just a few examples of virtual machines (VMs).

Virtualization allows for more flexibility in the data center, rapid provisioning, and scalability as workloads increase. Additional benefits include reducing an organization's footprint in the data center (less hardware, reduced power, and so on). Figure 3.16 shows resources being allocated to a virtual guest operating system using Microsoft Hyper-V:

Figure 3.16 – Microsoft Hyper-V

Virtualization strategies

When considering virtualization, an important...

Investigating cloud deployment models

Cloud computing has been a mainstay service for many years, becoming more accepted as a serious business model as many enterprises move to more hybrid networks. The power of the cloud is based upon flexibility. There is a much-used phrase, Elastic Cloud, which represents cost savings and scalability. It is estimated that around 50% of enterprise workloads are hosted by cloud providers and around 46% of data is hosted in the cloud (based upon estimates for 2021). Growth rates are predicted to remain high. There are many cloud providers; however, the current market leaders are Amazon Web Services (AWS), Microsoft Azure, and Google.

Deployment models and considerations

When selecting a Cloud Service Provider (CSP), many factors will affect this important enterprise decision.

Cybersecurity

The most critical consideration is cybersecurity. When we are storing data, such as intellectual property, PII, PHI, and many other types...

Extending appropriate on-premises controls

It is important to assess all risks when cooperating with a third-party CSP. Is your data secure? Will it be available? What accreditations does the provider have? Have they been audited by recognized authorities?

Micro-segmentation

Micro-segmentation is used to securely separate workloads in your data center or a hosted cloud data center. In practice, this means creating policies that restrict communication between workloads where there is no reason for east-west (server-to-server) traffic. Network zoning is an important concept and can dynamically restrict communication between the zones when a threat is detected.

Traditional security is based on north-south traffic (data moving through the network perimeter), but now we see thousands of workloads all being hosted within the same data center (inside the perimeter). Virtualization can allow a single hardware compute node to host thousands of VMs. By isolating these workloads...
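To make the micro-segmentation idea concrete, here is an added example (not code from the book or from any segmentation product) of a default-deny east-west policy evaluated over constructed flow records. The zone names, ports and the quarantine mechanism that isolates a workload once a threat is detected are all assumptions for illustration; the point it demonstrates is that any workload-to-workload flow without an explicitly allowed business reason is denied, including flows inside the same zone.

```python
"""Default-deny east-west policy evaluation (added example, not the book's code).

Assumptions (hypothetical): workloads are assigned to zones, the allow-list below is
the only permitted east-west traffic, and a quarantined workload is cut off from all
other workloads regardless of the allow-list.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str  # constructed zones: "web", "app", "db"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


# Constructed allow-list: only flows with a documented business reason appear here.
POLICY: List[Rule] = [
    Rule("web", "app", 8443),   # web tier calls the application API
    Rule("app", "db", 5432),    # application tier talks to PostgreSQL
]

# Constructed inventory of workloads and their zones.
INVENTORY: Dict[str, Workload] = {
    "web01": Workload("web01", "web"),
    "web02": Workload("web02", "web"),
    "app01": Workload("app01", "app"),
    "db01": Workload("db01", "db"),
}


def evaluate(src: Workload, dst: Workload, port: int, proto: str = "tcp",
             rules: List[Rule] = POLICY,
             quarantined: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Anything not explicitly allowed is denied."""
    if src.name in quarantined or dst.name in quarantined:
        return "deny", "quarantined workload"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.port, r.proto) == (src.zone, dst.zone, port, proto):
            return "allow", f"rule {r.src_zone}->{r.dst_zone}:{r.port}/{r.proto}"
    return "deny", "no matching rule (default deny)"


def audit_flows(flow_lines: List[str], quarantined: FrozenSet[str] = frozenset(),
                inventory: Dict[str, Workload] = INVENTORY) -> List[Tuple[str, str, str]]:
    """Evaluate constructed flow records of the form 'src dst port proto'.

    Returns (flow, decision, reason) per line; unknown workloads are denied because
    an unmanaged host has no zone and therefore no business reason to talk."""
    results = []
    for line in flow_lines:
        src_name, dst_name, port, proto = line.split()
        if src_name not in inventory or dst_name not in inventory:
            results.append((line, "deny", "unknown workload"))
            continue
        decision, reason = evaluate(inventory[src_name], inventory[dst_name],
                                    int(port), proto, quarantined=quarantined)
        results.append((line, decision, reason))
    return results


# Constructed sample flow records (src dst port proto).
SAMPLE_FLOWS = [
    "web01 app01 8443 tcp",   # allowed by policy
    "web01 db01 5432 tcp",    # web tier must not reach the database directly
    "app01 db01 5432 tcp",    # allowed by policy
    "web01 web02 22 tcp",     # same zone, still no business reason
    "db01 app01 8443 tcp",    # reverse direction is not the same as the allowed flow
    "rogue01 app01 8443 tcp", # not in the inventory
]

if __name__ == "__main__":
    for flow, decision, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow:28} {decision:5} {reason}")
    print("-- with db01 quarantined --")
    for flow, decision, reason in audit_flows(SAMPLE_FLOWS, frozenset({"db01"})):
        print(f"{flow:28} {decision:5} {reason}")
```

Real segmentation platforms attach the policy to the workload (or its label) rather than to an IP address, which is what lets the rule follow a VM when it is migrated or re-provisioned; the evaluator above mirrors that by keying rules on zones, not addresses.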

Examining cloud storage models

An enterprise will typically create and manage increasingly large volumes of heterogeneous data. We would expect the finance team to store spreadsheets and use finance databases, marketing may create promotional video clips, while transport and logistics planning will need access to graphing and locational data.

This mix of data types means that a single data store is usually not the most efficient approach. Instead, it's more effective to store different types of data in different data stores, each optimized for a specific workload or usage pattern. Therefore, it's important to understand the main storage models and the pros and cons of each model.

File-based storage

These are regular files that are used in a traditional client-server model. Examples would be user-mapped drives accessing shared folders on a NAS device or a file server. Other examples would be the files that make up VMs hosted by a hypervisor platform.

Database storage

Databases...

Summary

In this chapter, you have gained an understanding of the security considerations when hosting data on-premises and off-premises. You learned how an enterprise will implement secure resource provisioning and deprovisioning, and the differences between type 1 and type 2 hypervisors. We then looked at containerization and learned how to choose an appropriate cloud deployment model. Then we learned the differences between the different cloud service models and gained an understanding of micro-segmentation and VPC peering. Finally, we looked at the storage technologies offered by cloud providers, which will help us to select the correct storage model.

In this chapter, you have acquired the following skills:

  • An understanding of how to implement data loss prevention
  • An understanding of how to implement data loss detection
  • An understanding of what is meant by data protection
  • An understanding of how to implement secure cloud and virtualization solutions
  • An understanding...

Questions

Here are a few questions to test your understanding of the chapter:

  1. Which security control is in effect when Group Policy prevents my flash drive from being recognized by my Windows computer?
    1. Watermarking
    2. Blocking the use of external media
    3. Print blocking
    4. Data classification blocking
  2. What stops me from capturing bank account details using my mobile banking app?
    1. Watermarking
    2. Blocking the use of external media
    3. Print blocking
    4. Data classification blocking
  3. What stops me from printing on my home printer when accessing my work computer using RDP?
    1. Watermarking
    2. Blocking the use of external media
    3. Restricted VDI
    4. Data classification blocking
  4. Ben has asked a colleague to collaborate on a project by connecting remotely to his desktop. What would prevent this from happening?
    1. Remote Desktop
    2. Protocol (RDP) blocking
    3. Clipboard privacy controls
    4. Web Application Firewall
  5. How can you reduce the risk of administrators installing unauthorized applications during RDP admin sessions?
    1. Remote Desktop...

Answers

  1. B
  2. C
  3. C
  4. B
  5. C
  6. A
  7. C
  8. A
  9. A
  10. A
  11. D
  12. A
  13. A
  14. A
  15. D
  16. A
  17. A
  18. A
  19. A
  20. A
  21. A
  22. A
  23. A
  24. B
  25. C
  26. D
  27. D
  28. C
  29. E
  30. A