WEBVTT

1
00:00:00.270 --> 00:00:01.440
In this lesson,

2
00:00:01.440 --> 00:00:04.710
we will learn about Data State Protection.

3
00:00:04.710 --> 00:00:07.770
Data state protection safeguards data

4
00:00:07.770 --> 00:00:10.020
based on its current condition,

5
00:00:10.020 --> 00:00:12.150
whether the data is stored,

6
00:00:12.150 --> 00:00:15.660
being transmitted, or being actively used.

7
00:00:15.660 --> 00:00:20.310
Data state protection concepts include data at rest,

8
00:00:20.310 --> 00:00:24.930
data in transit, and data in use or in processing.

9
00:00:24.930 --> 00:00:29.280
Data at rest refers to data that is stored on physical

10
00:00:29.280 --> 00:00:31.710
or cloud-based storage systems.

11
00:00:31.710 --> 00:00:35.250
Data in transit is defined as data that is being

12
00:00:35.250 --> 00:00:37.980
actively transmitted over networks.

13
00:00:37.980 --> 00:00:41.610
Next, data in use or data in processing

14
00:00:41.610 --> 00:00:44.040
is data that is actively being accessed

15
00:00:44.040 --> 00:00:46.830
or manipulated by applications.

16
00:00:46.830 --> 00:00:50.640
Let's learn more about data state protection concepts,

17
00:00:50.640 --> 00:00:52.770
including data at rest,

18
00:00:52.770 --> 00:00:56.490
data in transit, and data in use or processing.

19
00:00:56.490 --> 00:00:59.400
First, we have data at rest.

20
00:00:59.400 --> 00:01:02.460
Data at rest is stored on physical devices

21
00:01:02.460 --> 00:01:04.530
like thumb drives, hard drives,

22
00:01:04.530 --> 00:01:07.620
solid state drives, or cloud storage.

23
00:01:07.620 --> 00:01:11.070
Data at rest is not moving through networks

24
00:01:11.070 --> 00:01:13.830
or being processed by applications.

25
00:01:13.830 --> 00:01:16.950
It's just sitting there waiting to be used.

26
00:01:16.950 --> 00:01:21.390
Common examples of data at rest include stored files,

27
00:01:21.390 --> 00:01:24.090
databases, and backups.

28
00:01:24.090 --> 00:01:26.640
Protecting data at rest is important

29
00:01:26.640 --> 00:01:29.130
because without proper security,

30
00:01:29.130 --> 00:01:33.000
anyone who gains access to the storage system can view

31
00:01:33.000 --> 00:01:35.790
or steal sensitive information.

32
00:01:35.790 --> 00:01:38.670
Encryption is one of the primary methods

33
00:01:38.670 --> 00:01:41.040
of protecting data at rest.

34
00:01:41.040 --> 00:01:44.490
The Advanced Encryption Standard, or AES,

35
00:01:44.490 --> 00:01:49.110
encrypts data into ciphertext that only authorized users

36
00:01:49.110 --> 00:01:52.800
with the correct cryptographic key can read.

37
00:01:52.800 --> 00:01:56.550
Other protective measures include access controls

38
00:01:56.550 --> 00:02:00.060
like passwords, multifactor authentication,

39
00:02:00.060 --> 00:02:04.200
and specific permissions to ensure only the right people

40
00:02:04.200 --> 00:02:06.210
can access the data.

41
00:02:06.210 --> 00:02:10.470
There are different types of encryption for data at rest.

42
00:02:10.470 --> 00:02:12.690
Which type of encryption is used

43
00:02:12.690 --> 00:02:15.840
depends on how and where the data is stored.

44
00:02:15.840 --> 00:02:19.890
So, let's discuss four different types of encryption,

45
00:02:19.890 --> 00:02:22.350
each with different use cases.

46
00:02:22.350 --> 00:02:26.790
These are disk-level encryption, block-level encryption,

47
00:02:26.790 --> 00:02:30.780
file-level encryption, and record-level encryption.

48
00:02:30.780 --> 00:02:34.020
First, disk-level encryption secures

49
00:02:34.020 --> 00:02:36.570
an entire disk or partition

50
00:02:36.570 --> 00:02:40.980
with a symmetric encryption algorithm like AES.

51
00:02:40.980 --> 00:02:44.850
This encrypts the entire storage volume or drive.

52
00:02:44.850 --> 00:02:48.390
However, because it uses a single encryption key

53
00:02:48.390 --> 00:02:49.830
for the whole disk,

54
00:02:49.830 --> 00:02:53.340
it can slow down the boot and login process.

55
00:02:53.340 --> 00:02:56.370
Technologies like BitLocker for Windows

56
00:02:56.370 --> 00:02:58.895
and FileVault for Mac are commonly used

57
00:02:58.895 --> 00:03:01.950
for disk-level encryption.

58
00:03:01.950 --> 00:03:05.730
Second, block-level encryption is similar

59
00:03:05.730 --> 00:03:07.530
to disk-level encryption,

60
00:03:07.530 --> 00:03:10.920
but is mainly used for virtual partitions

61
00:03:10.920 --> 00:03:13.230
and storage area networks.

62
00:03:13.230 --> 00:03:16.050
It secures data at the block level,

63
00:03:16.050 --> 00:03:18.330
providing a layer of protection

64
00:03:18.330 --> 00:03:21.030
within complex storage environments.

65
00:03:21.030 --> 00:03:24.990
A block is a fixed-size unit of data storage

66
00:03:24.990 --> 00:03:28.890
and block-level encryption secures individual blocks

67
00:03:28.890 --> 00:03:31.620
of data on the storage device,

68
00:03:31.620 --> 00:03:35.070
allowing for encryption of specific data segments

69
00:03:35.070 --> 00:03:37.950
rather than the entire disk.

70
00:03:37.950 --> 00:03:40.585
Third, file-level encryption protects

71
00:03:40.585 --> 00:03:43.860
individual files on a system.

72
00:03:43.860 --> 00:03:47.280
Each file can be encrypted with the same key

73
00:03:47.280 --> 00:03:51.150
or a different key depending upon what is needed.

74
00:03:51.150 --> 00:03:53.760
For example, at Dion Training,

75
00:03:53.760 --> 00:03:56.220
employees use their own encryption keys

76
00:03:56.220 --> 00:03:58.440
to protect individual files

77
00:03:58.440 --> 00:04:01.650
before uploading them to a shared drive.

78
00:04:01.650 --> 00:04:05.370
This way, even if other employees can see the files

79
00:04:05.370 --> 00:04:06.630
on the shared drive,

80
00:04:06.630 --> 00:04:08.910
they cannot access or read them

81
00:04:08.910 --> 00:04:12.180
without the unique encryption key to decode them.

82
00:04:12.180 --> 00:04:16.320
Fourth, and finally, we have record-level encryption.

83
00:04:16.320 --> 00:04:19.170
Record-level encryption is especially useful

84
00:04:19.170 --> 00:04:21.360
for high-security databases

85
00:04:21.360 --> 00:04:23.610
where each record in the database

86
00:04:23.610 --> 00:04:26.340
must be encrypted individually.

87
00:04:26.340 --> 00:04:30.630
Record-level encryption is similar to file-level encryption,

88
00:04:30.630 --> 00:04:33.690
but offers even more granular control,

89
00:04:33.690 --> 00:04:37.650
allowing you to choose exactly which records to protect

90
00:04:37.650 --> 00:04:40.230
and which encryption keys to use.

91
00:04:40.230 --> 00:04:43.560
Both file-level and record-level encryption

92
00:04:43.560 --> 00:04:46.260
provide precise security controls,

93
00:04:46.260 --> 00:04:48.300
but can slow down access

94
00:04:48.300 --> 00:04:50.520
because the data must be decrypted

95
00:04:50.520 --> 00:04:54.000
each time a file or record is opened.

96
00:04:54.000 --> 00:04:57.390
Second, we have data in transit.

97
00:04:57.390 --> 00:05:00.090
Data in transit refers to information

98
00:05:00.090 --> 00:05:02.640
actively moving across networks

99
00:05:02.640 --> 00:05:06.450
such as within corporate networks, over the internet,

100
00:05:06.450 --> 00:05:08.640
or through wireless connections.

101
00:05:08.640 --> 00:05:11.910
Data in transit is particularly vulnerable

102
00:05:11.910 --> 00:05:16.110
to interception or tampering by malicious actors.

103
00:05:16.110 --> 00:05:18.548
For example, when a customer enters

104
00:05:18.548 --> 00:05:21.930
their credit card information on a website,

105
00:05:21.930 --> 00:05:26.640
the data travels from their browser to a payment processor.

106
00:05:26.640 --> 00:05:30.270
To protect this sensitive information during transmission,

107
00:05:30.270 --> 00:05:35.100
organizations use secure pathways called encrypted tunnels.

108
00:05:35.100 --> 00:05:37.830
One of the primary technologies used

109
00:05:37.830 --> 00:05:39.369
to protect data in transit

110
00:05:39.369 --> 00:05:43.410
is transport layer security, or TLS.

111
00:05:43.410 --> 00:05:45.720
TLS creates an encrypted tunnel

112
00:05:45.720 --> 00:05:50.720
between systems such as a user's computer and a web server.

113
00:05:50.940 --> 00:05:53.310
This ensures the confidentiality

114
00:05:53.310 --> 00:05:56.070
and integrity of the data as it moves

115
00:05:56.070 --> 00:05:58.620
between the client and server.

116
00:05:58.620 --> 00:06:02.040
For example, when you access a secure website,

117
00:06:02.040 --> 00:06:04.320
TLS encrypts the connection,

118
00:06:04.320 --> 00:06:07.860
ensuring any information sent between your browser

119
00:06:07.860 --> 00:06:12.300
and the server is protected from unauthorized access.

120
00:06:12.300 --> 00:06:15.240
Secure Sockets Layer, or SSL,

121
00:06:15.240 --> 00:06:18.690
was the first technology used to protect data.

122
00:06:18.690 --> 00:06:21.822
It was developed in the 1990s by Netscape

123
00:06:21.822 --> 00:06:25.200
and is the predecessor of TLS.

124
00:06:25.200 --> 00:06:28.733
However, SSL is now considered outdated

125
00:06:28.733 --> 00:06:31.890
due to its security vulnerabilities.

126
00:06:31.890 --> 00:06:35.460
Modern websites and servers use TLS,

127
00:06:35.460 --> 00:06:37.920
which provides stronger encryption,

128
00:06:37.920 --> 00:06:41.880
with TLS versions 1.2 and 1.3

129
00:06:41.880 --> 00:06:44.520
being the recommended standards today.

130
00:06:44.520 --> 00:06:48.000
TLS operates at the application layer,

131
00:06:48.000 --> 00:06:50.100
also known as Layer 7

132
00:06:50.100 --> 00:06:54.450
of the Open Systems Interconnection, or OSI, model.

133
00:06:54.450 --> 00:06:56.760
To establish a secure connection,

134
00:06:56.760 --> 00:07:00.570
the client encrypts a random identification string

135
00:07:00.570 --> 00:07:04.590
using the server's digital certificate and public key.

136
00:07:04.590 --> 00:07:07.530
This information is sent to the server,

137
00:07:07.530 --> 00:07:10.650
which decrypts it to create a symmetric key

138
00:07:10.650 --> 00:07:14.190
that both parties use to secure the connection.

139
00:07:14.190 --> 00:07:17.490
This prevents attacks like on-path attacks

140
00:07:17.490 --> 00:07:21.090
where an attacker can intercept and manipulate data.

141
00:07:21.090 --> 00:07:24.330
TLS is not just used in web browsing.

142
00:07:24.330 --> 00:07:27.540
TLS also secures other network traffic

143
00:07:27.540 --> 00:07:30.990
and protocols for email, file transfers,

144
00:07:30.990 --> 00:07:33.240
and remote authentication.

145
00:07:33.240 --> 00:07:37.290
For example, File Transfer Protocol (FTP),

146
00:07:37.290 --> 00:07:40.020
normally uses two ports for data

147
00:07:40.020 --> 00:07:43.200
and control channels and is not secure.

148
00:07:43.200 --> 00:07:45.300
But when secured with TLS,

149
00:07:45.300 --> 00:07:48.900
the protocol now known as FTPS

150
00:07:48.900 --> 00:07:53.400
or FTP over SSL secures the communication.

151
00:07:53.400 --> 00:07:58.400
Despite the S in FTPS implying SSL usage,

152
00:07:58.620 --> 00:08:02.310
TLS is actually the protocol that we will use.

153
00:08:02.310 --> 00:08:04.410
Next, cipher suites play

154
00:08:04.410 --> 00:08:07.920
an important role in TLS communications.

155
00:08:07.920 --> 00:08:11.400
They specify the encryption algorithms used

156
00:08:11.400 --> 00:08:13.530
during a secure session.

157
00:08:13.530 --> 00:08:15.593
For example, a cipher suite

158
00:08:15.593 --> 00:08:20.450
like ECDHE_RSA_AES128_GCM_SHA256

159
00:08:24.540 --> 00:08:27.120
uses elliptic-curve Diffie-Hellman

160
00:08:27.120 --> 00:08:29.940
ephemeral mode for key exchange,

161
00:08:29.940 --> 00:08:32.490
RSA for digital signatures,

162
00:08:32.490 --> 00:08:35.940
the Advanced Encryption Standard in the Galois/Counter Mode

163
00:08:35.940 --> 00:08:38.910
with 128-bit blocks for encryption,

164
00:08:38.910 --> 00:08:43.830
and it uses SHA256 for message authentication.

165
00:08:43.830 --> 00:08:45.810
Using strong cipher suites

166
00:08:45.810 --> 00:08:48.510
with robust algorithms is critical

167
00:08:48.510 --> 00:08:50.700
for maintaining security.

168
00:08:50.700 --> 00:08:53.730
Next, another widely used protocol

169
00:08:53.730 --> 00:08:55.920
for protecting data in transit

170
00:08:55.920 --> 00:08:59.790
is the Internet Protocol Security (IPsec).

171
00:08:59.790 --> 00:09:02.250
IPsec secures data

172
00:09:02.250 --> 00:09:05.670
by creating encrypted tunnels between devices

173
00:09:05.670 --> 00:09:10.560
and is often used with virtual private networks or VPNs.

174
00:09:10.560 --> 00:09:15.560
IPsec provides confidentiality, integrity, authentication,

175
00:09:15.630 --> 00:09:19.440
and protection by encrypting data packets as they travel

176
00:09:19.440 --> 00:09:22.890
between sites or from clients to servers.

177
00:09:22.890 --> 00:09:26.490
IPsec uses several key components

178
00:09:26.490 --> 00:09:30.870
to define its connection: protocols and modes.

179
00:09:30.870 --> 00:09:34.080
IPsec protocols are Authentication Header

180
00:09:34.080 --> 00:09:37.140
and Encapsulating Security Payload.

181
00:09:37.140 --> 00:09:41.820
Authentication Header provides authentication and integrity,

182
00:09:41.820 --> 00:09:44.880
while Encapsulating Security Payload

183
00:09:44.880 --> 00:09:48.030
adds encryption for confidentiality.

184
00:09:48.030 --> 00:09:52.320
Next, IPsec can operate in the Transport Mode

185
00:09:52.320 --> 00:09:54.180
or in the Tunnel Mode.

186
00:09:54.180 --> 00:09:57.540
The Tunnel Mode is more secure because both data

187
00:09:57.540 --> 00:09:59.490
and headers are encrypted,

188
00:09:59.490 --> 00:10:04.050
so the Tunnel Mode is preferred for site-to-site VPNs.

189
00:10:04.050 --> 00:10:07.110
To establish a secure IPsec tunnel,

190
00:10:07.110 --> 00:10:11.806
a process called the Internet Key Exchange (IKE) is used.

191
00:10:11.806 --> 00:10:14.610
IKE authenticates the peers

192
00:10:14.610 --> 00:10:19.140
and negotiates the security associations between devices.

193
00:10:19.140 --> 00:10:23.640
Security associations are sets of negotiated parameters

194
00:10:23.640 --> 00:10:26.912
that include encryption and authentication protocols

195
00:10:26.912 --> 00:10:30.885
to define the security attributes and keys used

196
00:10:30.885 --> 00:10:34.470
to maintain a secure communication tunnel.

197
00:10:34.470 --> 00:10:39.150
IKE Phase 1 involves key exchange and authentication.

198
00:10:39.150 --> 00:10:44.150
IKE Phase 2 establishes the IPsec security associations

199
00:10:44.520 --> 00:10:47.760
for encrypting and transmitting data securely.

200
00:10:47.760 --> 00:10:50.730
Third, we have data in use.

201
00:10:50.730 --> 00:10:54.840
Data in use refers to data being actively accessed,

202
00:10:54.840 --> 00:10:58.410
processed, or manipulated by applications.

203
00:10:58.410 --> 00:11:02.070
Unlike data at rest, which is stored on a hard drive,

204
00:11:02.070 --> 00:11:05.550
or data in transit, which is moving across a network,

205
00:11:05.550 --> 00:11:09.840
data in use temporarily resides in a system's memory

206
00:11:09.840 --> 00:11:12.840
such as RAM or CPU registers.

207
00:11:12.840 --> 00:11:16.140
This makes data in use particularly vulnerable

208
00:11:16.140 --> 00:11:18.420
to attacks like memory scraping,

209
00:11:18.420 --> 00:11:20.850
where attackers attempt to access data

210
00:11:20.850 --> 00:11:25.230
directly from the system's memory, or unauthorized access

211
00:11:25.230 --> 00:11:28.620
through other applications running on the system.

212
00:11:28.620 --> 00:11:31.800
For example, when you work on a document

213
00:11:31.800 --> 00:11:33.570
or a financial report,

214
00:11:33.570 --> 00:11:36.509
the data in use is the data that you are editing.

215
00:11:36.509 --> 00:11:40.590
During this time, the information is actively processed

216
00:11:40.590 --> 00:11:42.150
and held in memory,

217
00:11:42.150 --> 00:11:44.610
exposing it to security risks

218
00:11:44.610 --> 00:11:47.580
because traditional encryption methods often

219
00:11:47.580 --> 00:11:51.150
do not protect data during active processing.

220
00:11:51.150 --> 00:11:53.670
So to protect data in use,

221
00:11:53.670 --> 00:11:57.480
organizations can implement in-memory encryption techniques

222
00:11:57.480 --> 00:12:00.660
that encrypt data even while it is being accessed

223
00:12:00.660 --> 00:12:03.210
or manipulated by applications.

224
00:12:03.210 --> 00:12:05.820
For instance, CPUs with features

225
00:12:05.820 --> 00:12:08.010
like Advanced Micro Devices'

226
00:12:08.010 --> 00:12:10.830
Secure Memory Encryption can encrypt data

227
00:12:10.830 --> 00:12:12.480
that is stored in memory,

228
00:12:12.480 --> 00:12:16.680
safeguarding sensitive information during active use.

229
00:12:16.680 --> 00:12:20.460
Intel's Software Guard Extensions take a different approach

230
00:12:20.460 --> 00:12:23.850
by creating secure enclaves within applications,

231
00:12:23.850 --> 00:12:27.480
isolating sensitive data from the rest of the system,

232
00:12:27.480 --> 00:12:30.390
and making it resistant to memory scraping.

233
00:12:30.390 --> 00:12:33.900
So remember, Data State Protection

234
00:12:33.900 --> 00:12:38.370
involves safeguarding data based on its current condition,

235
00:12:38.370 --> 00:12:41.130
whether it's stored, being transmitted,

236
00:12:41.130 --> 00:12:43.320
or actively being used.

237
00:12:43.320 --> 00:12:46.740
The three states of data are data at rest,

238
00:12:46.740 --> 00:12:50.700
data in transit, and data in use or processing.

239
00:12:50.700 --> 00:12:55.230
Data at rest refers to information stored on devices

240
00:12:55.230 --> 00:12:57.090
or in cloud storage,

241
00:12:57.090 --> 00:12:59.970
requiring encryption and access controls

242
00:12:59.970 --> 00:13:02.940
to prevent unauthorized access.

243
00:13:02.940 --> 00:13:06.350
Data in transit is actively moving through networks

244
00:13:06.350 --> 00:13:11.070
and is protected by technologies like TLS and IPsec,

245
00:13:11.070 --> 00:13:12.657
which create secure tunnels

246
00:13:12.657 --> 00:13:15.630
to keep the data safe from interception.

247
00:13:15.630 --> 00:13:20.220
Finally, data in use is data that is actively being accessed

248
00:13:20.220 --> 00:13:22.830
or processed in a system's memory,

249
00:13:22.830 --> 00:13:25.800
making it vulnerable to certain attacks.

250
00:13:25.800 --> 00:13:27.480
This data is protected

251
00:13:27.480 --> 00:13:29.974
through techniques like in-memory encryption

252
00:13:29.974 --> 00:13:32.070
and secure enclaves,

253
00:13:32.070 --> 00:13:35.490
which help ensure sensitive information remains safe,

254
00:13:35.490 --> 00:13:38.733
even while being used by applications.

