
User:Torcross/Data-centric Security

From Wikipedia, the free encyclopedia


Data owners identify subsets of their sensitive data that require protection, including in circumstances that are not controlled by the owner. Data-centric security refers to protecting sensitive data items[1] independently of their state[2], of the container[3] in which they are kept or transported, and of their location, by controlling which actors can access[4] each individual sensitive data item and in what way. Data-centric security approaches may involve data life-cycle[5] control and options to dynamically adjust parameters and policies pertaining to data access and life-cycle.


History

Sensitive data

The notion of data-centric security relies on that of sensitive data. These are data items[1] which directly contain sensitive information, or which can be combined with other data to yield such information.

The most commonly known kinds of sensitive data are related to data privacy. A distinction can be made between private data, such as credit card data[6], where the knowledge of the data is controlled by the subject, and the broader set of personal data[7], such as any personally identifiable information, in particular any personal identifier.

There are regulations concerning data protection in general[8], as well as normative documents concerning specific branches, such as healthcare[9] or finance (e.g. payment cards[6], or corporate compliance).

Sensitive data detection

Determining what the sensitive data in an organization are, and where they reside, involves steps that need to be repeated, at different time intervals depending on the step. First, the scope of data protection is defined, by identifying what kinds of regulations are applicable and which systems at that organization are concerned. Next, policies and technical procedures are defined, for the purpose of identifying the sensitive data items[1] that are actually present. The set of these items is usually too large to allow manual identification. Therefore, an automated process for detecting these items is run regularly, following the specified policies and procedures, and using specialized data loss prevention software.

As an example of what data are being detected, consider the following excerpt from a blog post[10] covering SSD in the context of Microsoft Server 2012 and FCI[11]:

... people think of "documents" as Microsoft Office documents, IT admins know well that's not all that's out there. PDF files, CAD drawings and other types of files account for a significant portion of the sensitive data ...
There are a lot of classification criteria including file path, extension, size, date of creation, author, specific content, etc. The most interesting one is analyzing the content of a file for matches against custom regex-filters allowing you to search for example for:
* certain words or word combinations, or base of word, neglecting word forms, suffixes or prefixes
* specifically formatted data, for example credit card numbers, phone numbers, SSNs, PII, contract numbers, etc.
* amount of data above threshold such as more than 10 credit card numbers in one file
Basically, you can identify anything that can be expressed with a regular expression, which can go from an easy Social Security Number to formatted or unformatted credit card numbers from all the most common providers ... 
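
The content-based classification described in the excerpt, as an added example that is not part of the blog post, of FCI, or of any DLP product: regular expressions find candidate card numbers and SSNs, a Luhn checksum discards digit runs that only look like card numbers, and a count threshold marks files holding more than 10 card numbers. The labels, function names and sample text are assumptions made for this illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Formatted US SSN (AAA-GG-SSSS), skipping area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample: one 16-digit order number, two test card numbers, one SSN-shaped value.
SAMPLE = ("Order 1234567890123456 was paid with 4111 1111 1111 1111, "
          "refund to 5500-0000-0000-0004; applicant SSN 123-45-6789.")

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return the distinct Luhn-valid card numbers (digits only) found in text."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.add(digits)
    return hits

def classify(text, card_threshold=10):
    """Label a file's text (hypothetical labels); report counts, not matched values."""
    cards = len(find_cards(text))
    ssns = len(set(SSN_RE.findall(text)))
    if cards > card_threshold:   # "more than 10 credit card numbers in one file"
        label = "bulk-card-data"
    elif cards or ssns:
        label = "sensitive"
    else:
        label = "unclassified"
    return {"label": label, "cards": cards, "ssns": ssns}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The order number in the sample matches the card regex but fails the checksum, which is why pattern matching alone over-reports and a validation step is paired with it.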


Methods

Masking

Data Masking


Encryption

Tokenization

Vendors

More content ...

Notes

OLD References

RMS viewer

  • rmsviewer.com (free)[15] — only mobile, multi-platform: (iTunes) AppStore, Google Play (Android), Windows Store, (Blackberry) App World
  • Microsoft (download, free)[16] — only mobile and OS X:
... You can download the Active Directory Rights Management Services (AD RMS) mobile device extension from the Microsoft Download Center and install this extension on top of an existing AD RMS deployment. This lets users who have mobile devices and Mac computers protect and consume sensitive data when their device supports the latest RMS client and uses RMS-enlightened apps. ...
  • Apple (iTunes, free)[17] — only OS X 10.6 or later

Information-centric security

Data-centric security

DCS for data bases

  • cell-level access[23]

DCS for e-mails

  • identity-based encryption (IBE) [24] e.g. using HP Voltage technology[25][26]

DCS for documents


  1. ^ a b c A data item stands for an atomic unit of data that has precise meaning and format. This is similar to, but without the attributes of, a Data element. Examples: PID, date, postal address, e-mail address. A data item may be kept as the sole content of a data base entry, or it may be loosely embedded in a document or data stream.
  2. ^ Data is considered, generally, to be at any single time in one of the following states: at rest, in use, in motion.
  3. ^ A data container stands for a technical or logical entity that can be addressed by standard procedures or software, and that contains non-atomic information kept in multiple data items, meta-data, and embedded data containers. Examples: documents, messages, streams, files, data base rows/columns/tables, personally held devices like tokens and ID cards.
  4. ^ Identity and Access Management (IAM) — definitions: "Gartner Glossary: IAM". Retrieved 2015-06-17., "TechTarget definition: IAM system". Retrieved 2015-06-17., "Microsoft Developer Network: IAM". 2004. Retrieved 2015-06-17.; Wikipedia provides a list of the components of IAM.
  5. ^ Wikipedia concepts related to data life-cycle — definitions: information life-cycle, system life-cycle; applications: Data management, Data administration, Cybermethodology.
  6. ^ a b Wikipedia: PCI DSS
  7. ^ A sample definition of personal data can be taken from UK legislature: "Key definitions of the Data Protection Act"., "Data Protection Act 1998".
  8. ^ Examples of general regulations on data protection — USA: FISMA; EU: "Data protection in the EU"., "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data". Retrieved 2015-07-14.
  9. ^ Examples of data protection regulations on healthcare — USA: HIPAA; EU: "Public health data collection in the EU". Retrieved 2015-07-14., "European Standards on Confidentiality and Privacy in Healthcare". Retrieved 2015-07-14.
  10. ^ "Using FCI to protect files of any type with Windows Server 2012". Retrieved 2015-07-14.
  11. ^ Microsoft Server "File Classification Infrastructure": "Windows Server FCI now supports Azure RMS". Retrieved 2015-07-14., "Windows Server 2012 File Classification Infrastructure". Retrieved 2015-07-14.; involved a "Data Classification Toolkit": "Microsoft Data Classification Toolkit". Retrieved 2015-07-14.
  12. ^ "Security Guidance for Critical Areas of Focus in Cloud Computing V3.0" (PDF). Retrieved 2015-07-31.
  13. ^ "Mass Surveillance, Part 2 Technology Foresight" (PDF). Retrieved 2015-07-31.
  14. ^ "Mass Surveillance, STOA Options Brief" (PDF). Retrieved 2015-07-31.
  15. ^ "RMS Viewer - mobile document and email protection". Retrieved 2015-06-17.
  16. ^ "Active Directory Rights Management Services Mobile Device Extension". Retrieved 2015-06-17.
  17. ^ "RMS Viewer". Retrieved 2015-06-17.
  18. ^ "Business-driven data privacy policies". IBM Software. 2013.
  19. ^ Wikipedia: Data masking
  20. ^ Wikipedia: Format-preserving encryption
  21. ^ "HP Format-Preserving Encryption". Retrieved 2015-07-14.
  22. ^ "Dataguise Launches DgSecure Version 5.0". Retrieved 2015-07-14.
  23. ^ Rask; et al. (2012). "Implementing Row- and Cell-Level Security in Classified Databases". Microsoft.
  24. ^ Wikipedia: ID-based encryption
  25. ^ "HP SecureMail Cloud Standard". Retrieved 2015-07-14.
  26. ^ "Email Security - The IBE Architectural Advantage" (PDF). Retrieved 2015-07-14.
  27. ^ "Active Directory Rights Management Services". Retrieved 2015-07-14.
  28. ^ "Adobe LiveCycle ES4". Retrieved 2015-06-17.
  29. ^ "Specify the document permissions for users and groups". Adobe. Retrieved 2015-06-17.
  30. ^ Plastina, D. (2013-11-05). "The NEW Microsoft RMS has shipped!". The Official RMS Team Blog.
  31. ^ Plastina, D. (2013-03-04). "Windows Server FCI (File Classification Infrastructure) now supports Azure RMS". The Official RMS Team Blog.


Category:Security Category:Data security Category:Data protection Category:Information privacy Category:Information sensitivity Category:Regulatory compliance