
5.2 Protecting Applications and Data - Managerial Controls and Access Controls


Protecting data requires a multi-faceted approach that considers the data's state, its sensitivity, and the legal requirements governing its handling. Security controls must be tailored to address these factors.

Data exists in one of three states, each with its own protections. Data at rest is data stored on media such as a disk; it is protected by physically securing the media and by encrypting the stored data, so that a lost drive or a copied backup yields only ciphertext. Data in transit is data being sent over a network; it can be protected by securing the physical path, but far more commonly by encrypting it before transmission (for example with TLS). Data in use is data being actively processed by an application. It is normally decrypted in memory while it is processed, so disk and transport encryption do not protect it at that moment; its security relies on access controls and process isolation that limit who can read or modify it.

Organizations classify data by sensitivity so that security effort can be prioritized. In addition, specific categories of data are governed by laws, regulations, or industry standards that dictate how they must be protected.

  • Personally Identifiable Information (PII): Data that can be used to identify an individual, such as a name, address, or Social Security number.
  • Protected Health Information (PHI): Individually identifiable health information, including medical records and payment history, governed in the United States by HIPAA.
  • Payment Card Information (PCI): Cardholder data such as the primary account number, governed by the Payment Card Industry Data Security Standard (PCI DSS), an industry standard enforced through contracts with the card brands and acquiring banks rather than a law.

Managerial controls, in the form of policies, provide the high-level guidance for protecting this data. A cryptography policy specifies the approved encryption algorithms and minimum key lengths for the organization. A web application security policy outlines the requirements for security testing and vulnerability remediation for all applications.

A key technical control for protecting data is the access control model, which defines who can do what with which data.

  • Role-Based Access Control (RBAC): Access is granted to roles, and users receive access by being assigned to roles (e.g., only users in the "Human Resources" role can access employee salary files). Permissions follow the role, so a job change is handled by changing role membership rather than editing individual grants.
  • Rule-Based Access Control (RuBAC): Access is determined by a set of rules, often layered on top of another model (e.g., a rule that denies all access to a financial database outside business hours, or a firewall ruleset).
  • Discretionary Access Control (DAC): The owner of a file or object decides who else can access it and with what permissions. This is the model behind standard Linux file permissions and Windows ACLs; its weakness is that any owner can share data more widely than policy intends.
  • Mandatory Access Control (MAC): A strict, centrally managed model in which users (subjects) and data (objects) are assigned security labels, and access is decided by comparing the labels; owners cannot override it. The best-known MAC model is Bell-LaPadula, which is built for confidentiality and enforces two rules: the simple security property ("no read up": a subject may only read objects at or below its clearance) and the *-property ("no write down": a subject may only write to objects at or above its clearance). Together they allow "read down, write up" and prevent data from flowing from a higher security level to a lower one. On Linux, MAC is provided by SELinux or AppArmor rather than by the ordinary permission bits.
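As an added example that is not part of the original page, the Bell-LaPadula decision can be written as a small shell reference monitor. The label format ("LEVEL" or "LEVEL:cat1,cat2"), the level names and the function names are assumptions. It goes one step beyond the text by including compartments (categories): a label dominates another only when its level is at least as high and its compartment set is a superset, which is how real MAC labels are compared.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal Bell-LaPadula
# reference monitor as POSIX shell functions.
# Labels are strings of the form "LEVEL" or "LEVEL:cat1,cat2" (this
# format, the level names and the function names are all assumptions).

# Hypothetical ordering of classification levels, lowest to highest.
level_rank() {
  case "$1" in
    UNCLASSIFIED) echo 0 ;;
    CONFIDENTIAL) echo 1 ;;
    SECRET)       echo 2 ;;
    TOP_SECRET)   echo 3 ;;
    *) echo "unknown level: $1" >&2; return 1 ;;
  esac
}

# dominates A B: succeeds (exit 0) when label A dominates label B, i.e.
# rank(A) >= rank(B) and every compartment of B is also present in A.
dominates() {
  local a_level b_level a_cats b_cats ra rb c
  a_level=${1%%:*}; b_level=${2%%:*}
  a_cats=""; b_cats=""
  case "$1" in *:*) a_cats=${1#*:} ;; esac
  case "$2" in *:*) b_cats=${2#*:} ;; esac
  ra=$(level_rank "$a_level") || return 1
  rb=$(level_rank "$b_level") || return 1
  [ "$ra" -ge "$rb" ] || return 1
  # Split B's compartment list on commas and check each one against A's.
  local IFS=','
  for c in $b_cats; do
    case ",$a_cats," in
      *",$c,"*) ;;          # compartment present in A
      *) return 1 ;;        # B has a compartment A lacks: no dominance
    esac
  done
  return 0
}

# blp_allowed SUBJECT_LABEL OBJECT_LABEL OP, where OP is read or write.
#   read : simple security property, "no read up"  -> subject must dominate object
#   write: *-property,              "no write down" -> object must dominate subject
# Together these permit "read down, write up" and block every information
# flow from a higher label to a lower one.
blp_allowed() {
  case "$3" in
    read)  dominates "$1" "$2" ;;
    write) dominates "$2" "$1" ;;
    *) echo "unknown operation: $3" >&2; return 1 ;;
  esac
}
```

Calling `blp_allowed SECRET CONFIDENTIAL write` fails even though a SECRET subject can read CONFIDENTIAL data: that denied write is exactly the leak (copying high data into a low file) the *-property exists to stop, and it is the rule a discretionary model has no way to express.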

No model enforces good policy by itself; whichever one is used, it should be applied according to the principle of least privilege: a user (or process) is granted only the minimum access needed to perform its job function, and that access is removed when the need ends.

On a Linux system the everyday access control is the set of file permission bits, which are a DAC implementation: the file's owner sets them. Each file carries permissions for three entities: the user (the file's owner), the group (a set of users who share access), and others (every other account on the host). There are three permissions: read (r), write (w), and execute (x); on a directory, execute means permission to traverse it and open the files inside. Permissions are viewed with ls -l, whose first column prints the mode as a string such as -rw-r-----, and changed with chmod, using either the numeric method (one octal digit per entity, each the sum of r=4, w=2, x=1, e.g. chmod 640) or the symbolic method (who, operator, permission, e.g. chmod g+w or chmod o=). Two caveats matter in practice: root (through CAP_DAC_OVERRIDE) ignores these bits, and the bits are enforced only by the running kernel, so they do nothing for a disk image or a backup copied elsewhere; that is what encryption of data at rest is for.
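An added example, not from the original page, that exercises these commands on a scratch directory: it sets modes with both chmod forms, reads them back with stat in the same notation ls -l uses, and includes the audit check a practitioner runs first, a search for world-writable files. It assumes GNU coreutils (stat -c) and GNU find (-perm -o+w), i.e. a Linux host; the file names and function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): setting Linux file
# permissions with chmod in both the numeric and the symbolic form, reading
# them back with stat, and auditing for world-writable files.
# Assumes GNU coreutils (stat -c) and GNU find (-perm -o+w), i.e. Linux.

# Octal mode of a file in chmod's numeric notation, e.g. 640.
mode_of() { stat -c '%a' "$1"; }

# Symbolic mode string as the first column of ls -l shows it, e.g. -rw-r-----.
symbolic_mode_of() { stat -c '%A' "$1"; }

# Regular files under DIR that "others" can write to. Since "others" means
# every account on the host, this is the first thing to audit.
world_writable() { find "$1" -type f -perm -o+w; }

# Create a scratch directory with three constructed files, set a different
# mode on each, and print the directory path so the caller can inspect or
# remove it.
make_demo_dir() {
  local d
  d=$(mktemp -d) || return 1
  printf 'name,salary\n' > "$d/salaries.csv"
  printf '#!/bin/sh\necho report\n' > "$d/report.sh"
  printf 'scratch\n' > "$d/shared.txt"

  # Numeric form: one octal digit each for user, group, others; each digit
  # is the sum of r=4, w=2, x=1. 640 = user rw-, group r--, others ---.
  chmod 640 "$d/salaries.csv"
  # Symbolic form: who (u, g, o, a), operator (=, +, -), permissions (r, w, x).
  # "=" sets the entity's bits exactly; this is the same as chmod 750.
  chmod u=rwx,g=rx,o= "$d/report.sh"
  # "+" and "-" adjust bits without touching the rest. Start from 644, then
  # grant write to others: 646, a world-writable file.
  chmod 644 "$d/shared.txt"
  chmod o+w "$d/shared.txt"
  echo "$d"
}
```

Running `d=$(make_demo_dir); ls -l "$d"` shows the three modes side by side; `world_writable "$d"` reports only shared.txt, and `chmod o-w "$d/shared.txt"` clears the finding. The audit is worth running against real web roots and home directories, where a careless `chmod 777` is the usual way a DAC system ends up granting far more than least privilege allows.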