Industrial Internet Security Framework v 1.0 | Page 74

Security Framework
8: Protecting Endpoints
or the value can be modified so that the confidentiality and privacy of those fields are preserved (Figure 8-3).
Figure 8-3: Example of Tokenization in a Medical Record
Data loss prevention (DLP) is commonly used to manage data confidentiality. DLP controls the use of data, such as documents, records, emails or any other sensitive data, in order to detect and prevent data breaches. DLP can be either endpoint-based or network-based. Endpoint-based DLP controls attempts to access data or to move it within the endpoint or out of it. Internally, endpoint DLP controls and prevents data access across a physical device bus, such as to a hard drive, USB drive or printer. Externally, endpoint DLP controls and prevents communications, inspecting data before it passes to a network adapter. Network-based DLP relies solely on identifying confidential or sensitive information as it is communicated between endpoints; it therefore sees nothing that stays on a device and nothing it cannot decrypt. Both attempt to identify violations of data-use policy, but they have different implementations.
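The content inspection that a network-based DLP sensor performs, as an added example that is not code from the IISF or from any DLP product: the payloads are constructed, the detectors cover primary account numbers (validated with the Luhn check so that other 13-16 digit strings such as equipment serials are not flagged) and US SSN-formatted strings, and the policy (block when leaving the site, alert when internal) is an assumption for illustration. Findings are masked before they are returned, since the DLP log must not itself become a copy of the sensitive data.

```python
"""Content inspection of the kind a network-based DLP sensor performs.

Added example (not from the IISF). Payloads are constructed; the policy
(block external, alert internal) is an assumption for illustration.
"""
import re

# 13-16 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# US SSN layout NNN-NN-NNNN, not inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so a finding can be logged without leaking the datum."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_payload(payload: str) -> list:
    """Return (type, masked value) for each sensitive datum found in the payload."""
    findings = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(payload):
        findings.append(("SSN", mask(m.group())))
    return findings


def dlp_decision(payload: str, external: bool) -> dict:
    """Assumed policy: block sensitive data leaving the site, alert on it internally."""
    findings = scan_payload(payload)
    if not findings:
        action = "allow"
    elif external:
        action = "block"
    else:
        action = "alert"
    return {"action": action, "findings": findings}


# Constructed payloads for the demonstration.
CARD_EMAIL = "Please charge card 4111 1111 1111 1111 exp 12/27 for the spare pump."
SENSOR_TELEMETRY = "unit=1234567812345678 pressure=350.2 flow=12.5"   # 16-digit serial, fails Luhn
TOKENIZED_RECORD = "patient=tok_7c1d9 ssn=tok_41aa2 dob=1970-01-01"   # tokens carry no sensitive value
HR_EXPORT = "employee 123-45-6789 transferred to night shift"

if __name__ == "__main__":
    for label, payload in [("card email", CARD_EMAIL), ("telemetry", SENSOR_TELEMETRY),
                           ("tokenized record", TOKENIZED_RECORD), ("HR export", HR_EXPORT)]:
        print(label, dlp_decision(payload, external=True))
```

The Luhn check is what keeps the telemetry line from being blocked: a regex alone would flag the 16-digit serial, and in an OT network that false positive would stop a legitimate flow. The tokenized record passes because the tokens no longer carry the value the detectors look for, which is the point of the tokenization shown in Figure 8-3.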
8.8.2 DATA INTEGRITY
Data integrity assures that alteration of data is detected. Traditional OT data integrity techniques (e.g. a CRC checksum) increase the reliability and resilience of a system, but they are not effective against deliberate alteration because they lack cryptographic strength: a CRC involves no secret, so an attacker who changes the data can simply recompute it, and because the CRC is a linear function the attacker can even choose the change so that the original CRC still matches. Newer techniques such as digital signatures, which cannot be recomputed without the signing key, provide greater trust in the integrity measurements.
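The difference between a CRC and a keyed integrity check, as an added example that is not code from the IISF: the record is a constructed setpoint, and HMAC-SHA-256 from the standard library stands in for the digital signature the text names (a signature removes the shared secret but detects the forgery for the same reason). The forgery routine appends four bytes chosen so that the altered record keeps the original CRC-32, which defeats even a deployment that keeps the stored CRC out of the attacker's reach.

```python
"""CRC-32 versus HMAC on a constructed OT record.

Added example (not from the IISF). Shows that an attacker can alter a
record and keep its CRC-32 without touching the stored checksum, while
a keyed MAC (standing in for a digital signature) detects the change.
"""
import hashlib
import hmac
import zlib

CRC_POLY = 0xEDB88320            # reflected CRC-32 polynomial used by zlib and Ethernet
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc.

    The register after 4 more bytes depends only on the 4 table rows
    those bytes select, so solve for the rows from the top byte down
    (the table's high bytes are a permutation), then pick the bytes that
    select those rows from the real register state.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # internal register after data
    want = target_crc ^ 0xFFFFFFFF           # register required at the end
    rows = []
    cur = want
    for _ in range(4):                       # backward: last byte first
        i = next(k for k in range(256) if CRC_TABLE[k] >> 24 == cur >> 24)
        rows.append(i)
        cur = ((cur ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    suffix = bytearray()
    for i in reversed(rows):                 # forward: derive each byte
        b = (reg ^ i) & 0xFF                 # byte that selects table row i
        suffix.append(b)
        reg = CRC_TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(suffix)


SECRET_KEY = b"constructed-demo-key"         # assumption: known only to writer and verifier


def protect_with_crc(record: bytes) -> int:
    return zlib.crc32(record)


def verify_crc(record: bytes, stored_crc: int) -> bool:
    return zlib.crc32(record) == stored_crc


def protect_with_hmac(record: bytes, key: bytes = SECRET_KEY) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_hmac(record: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


ORIGINAL = b"setpoint=pressure:350psi;"       # constructed record
TAMPERED = b"setpoint=pressure:950psi;"


def tamper_keeping_crc(original: bytes, tampered: bytes) -> bytes:
    """Attacker's move: alter the record, then pad it so the stored CRC still matches."""
    return tampered + forge_crc32_suffix(tampered, zlib.crc32(original))


def demo() -> dict:
    stored_crc = protect_with_crc(ORIGINAL)
    tag = protect_with_hmac(ORIGINAL)
    forged = tamper_keeping_crc(ORIGINAL, TAMPERED)
    return {
        "crc_accepts_forgery": verify_crc(forged, stored_crc),
        "hmac_accepts_forgery": verify_hmac(forged, tag),
        "hmac_accepts_original": verify_hmac(ORIGINAL, tag),
    }


if __name__ == "__main__":
    print(demo())
```

In a real protocol the four padding bytes would go wherever the consumer ignores them (trailing padding, a comment or reserved field), so the forged record parses exactly like a legitimate one. The HMAC check fails for the same record because the attacker cannot produce a tag without the key; a digital signature gives the same result with a public key on the verifying endpoint.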
In general, data stored on the endpoint consists of two types: executable data (e.g. binary code and interpreted scripts) and non-executable data (e.g. raw data, configuration files, log files).
Non-executable data is operated on by executable data (code). The integrity of executable data is protected by runtime integrity techniques, as explained in section 8.7.2.
The integrity of non-executable data in use (DIU), that is, the data being operated on, must be monitored while the operation takes place. DIU integrity is enforced by:
• proper coding techniques (such as using appropriate programming languages, implementing buffer-overflow protection, and strictly checking input parameters to prevent injection attacks) and
• runtime integrity techniques that monitor memory access to detect and protect against memory attacks.
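Strict input-parameter checking against an injection attack on data in use, as an added example that is not code from the IISF: a vulnerable write routine for an endpoint's tag store is shown beside the hardened form. The tag table, its three rows, the tag-name allow-list and the engineering limits are constructed for illustration, and sqlite3 stands in for whatever store a real endpoint uses.

```python
"""Strict input checking and parameter binding for an endpoint's tag store.

Added example (not from the IISF). The table, rows, allow-list and
engineering limits are constructed; sqlite3 stands in for the real store.
"""
import re
import sqlite3

TAG_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")   # assumed allow-list for tag names
VALUE_LIMITS = (0.0, 1000.0)                                # assumed engineering limits


def make_db() -> sqlite3.Connection:
    """Fresh in-memory store holding constructed setpoints."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL)")
    conn.executemany("INSERT INTO tags VALUES (?, ?)",
                     [("flow_sp", 12.5), ("pressure_sp", 350.0), ("temp_sp", 80.0)])
    conn.commit()
    return conn


def write_tag_vulnerable(conn, name: str, value: str) -> None:
    """Request fields spliced into the SQL text: a crafted name rewrites every row."""
    conn.execute(f"UPDATE tags SET value={value} WHERE name='{name}'")
    conn.commit()


def write_tag_hardened(conn, name: str, value: str) -> None:
    """Validate both parameters against an allow-list and limits, then bind them."""
    if not TAG_NAME_RE.fullmatch(name):
        raise ValueError("tag name outside allow-list")
    v = float(value)                        # ValueError on non-numeric input
    lo, hi = VALUE_LIMITS
    if not lo <= v <= hi:                   # also rejects NaN and infinities
        raise ValueError("value outside engineering limits")
    cur = conn.execute("UPDATE tags SET value=? WHERE name=?", (v, name))
    if cur.rowcount != 1:                   # exactly one tag may change per request
        conn.rollback()
        raise KeyError("unknown tag")
    conn.commit()


def snapshot(conn) -> dict:
    """Current tag values, used to show what each write routine changed."""
    return dict(conn.execute("SELECT name, value FROM tags ORDER BY name"))


def rejected(fn, *args) -> bool:
    """True if fn refuses these arguments with a validation error."""
    try:
        fn(*args)
    except (ValueError, KeyError):
        return True
    return False


def demo() -> dict:
    attack_name, attack_value = "x' OR '1'='1", "999"   # constructed injection payload
    vuln = make_db()
    write_tag_vulnerable(vuln, attack_name, attack_value)
    hard = make_db()
    injection_rejected = rejected(write_tag_hardened, hard, attack_name, attack_value)
    oversize_rejected = rejected(write_tag_hardened, hard, "pressure_sp", "5000")
    write_tag_hardened(hard, "pressure_sp", "400")     # a legitimate write still works
    return {
        "vulnerable_after_attack": snapshot(vuln),
        "hardened_after_attack": snapshot(hard),
        "injection_rejected": injection_rejected,
        "oversize_rejected": oversize_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened routine layers three checks the text calls for: the name must match an allow-list, the value must be numeric and within limits, and the statement binds both as parameters so neither can change its structure. The row-count check is the integrity backstop: a request that would alter anything other than one tag is rolled back rather than committed.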
IIC:PUB:G4:V1.0:PB:20160926 - 74 -