Server Data Security Controls

Introduction

The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking and erasure.

Procedures

Microsoft SQL Column Encryption

It is important to encrypt data on a server at the database level, these instructions will allow you to encrypt columns of data on a Microsoft SQL database. The following information is provided by the Microsoft Documentation Website.

  1. Create a database Master Key:

    ALWAYS back up your master key, you can learn how do to so here

    CREATE MASTER KEY ENCRYPTION BY   
PASSWORD = '<complex password>';
  2. You may then:
    • Encrypt with symmetric encryption and authenticator
    • Encrypt with simple symmetric encryption

    Scripts to complete these have been provided by Microsoft here.

Microsoft SQL Always Encrypted

Always encrypted is a featured designed to protect sensitive data such as credit card numbers or Social Security Numbers. This feature allows the database engine to process encrypted data whilst still protecting its confidentiality. This service uses Column Encryption Keys and Column Master Keys. More information on this service can be found here.

FISMA Compliance

FISMA (The Federal Information Security Management Act) has a set of requirements to ensure your data is secure. The National Institute of Standards and Technology Special Publication 800-53 has a set of guidelines that ensure you are FISMA compliant. These include:

  • Create an Inventory of Information Systems
  • Select applicable security controls
  • Implement the security controls
  • Assess the security controls
  • Authorize the information systems
  • Monitor the security controls

PCI Compliance

The PCI Security Standards Council is an organization that sets security standards designed to ensure that all companies maintain a secure environment for the use of and transmission of credit card information. While the scope of PCI Compliance is large, the official PCI v4 compliance lists a few best practices designed to help every day use of credit card information.

  • Review logged data frequently (information on how this can be done on Windows can be found here)
  • Ensure that all failures in security controls are detected an responded to promptly
  • Review changes that could introduce security risk
  • Perform risk assessment
  • Review external connections and third-party access (information on how to do this can be found here)

More information can be found here.

Standards for High Risk Digital Data Protection v. 6

Virginia Tech has a list of standards used in the protection of high risk digital data. A full in-depth breakdown of these standards can be found here. Some of these standards utilize techniques explained in these documents, some of which include: