{"id":21821,"date":"2021-10-07T17:55:40","date_gmt":"2021-10-07T15:55:40","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=21821"},"modified":"2023-06-18T17:54:22","modified_gmt":"2023-06-18T15:54:22","slug":"security-requirement-category-data-at-rest","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2021\/10\/07\/security-requirement-category-data-at-rest\/","title":{"rendered":"Security Requirement Category: Data at Rest"},"content":{"rendered":"\n<p>By Alexander Allerdings, Niklas Werth and Philip Betzler.<\/p>\n\n\n\n<p>Security Requirements are requirements that have to be met in a software development process to make the software secure. To avoid delays that cost time and resources, they should be considered from the beginning. In this blog entry we take a closer look at the category Data at Rest.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Below is an incomplete list of nine categories of Security Requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Auditing and Logging<\/li><li>Authentication and Authorization<\/li><li>Session Control<\/li><li>Input Validation \/ Output Encoding<\/li><li>Exception Handling<\/li><li>Encryption and Integrity<\/li><li>Data at Rest<\/li><li>Data in Transit<\/li><li>Configuration Management<\/li><\/ul>\n\n\n\n<p><strong>Auditing and Logging<\/strong>:<\/p>\n\n\n\n<p>Auditing and Logging describes the recording of events in different logs, separated by information level.<br>Internal programming logging should go to a trace or &#8220;normal&#8221; log, while domain-level events (failed or successful logins etc.) should be saved in an audit log. 
There are specific requirements on how an audit log needs to be secured.<\/p>\n\n\n\n<p><span style=\"font-size: revert;color: initial\"><strong>Authentication and Authorization<\/strong><\/span>:<\/p>\n\n\n\n<p><span style=\"font-size: revert;color: initial\">Authentication and Authorization<\/span> describes account handling requirements, such as specific requirements for password complexity, account deactivation without deletion, or cooldown times after failed login attempts.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Session Control<\/span>:<\/strong><\/p>\n\n\n\n<p><span style=\"font-size: revert;color: initial\">Session Control<\/span> defines measures to identify clients and their active sessions.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Input Validation \/ Output Encoding<\/span>:<\/strong><\/p>\n\n\n\n<p><span style=\"font-size: revert;color: initial\">Input Validation describes the mechanisms for validating received input and making sure you&#8217;re not attacked through SQL injection and <\/span>similar attacks. <span style=\"font-size: revert;color: initial\">Output Encoding<\/span> defines the mechanisms for encoding output sent to clients.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Exception Handling<\/span>:<\/strong><\/p>\n\n\n\n<p><span style=\"font-size: revert;color: initial\">Exception Handling<\/span> describes how to handle exceptions (write to log files, free private data and <strong>do not send detailed information to the user!<\/strong>).<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Encryption and Integrity<\/span>:<\/strong><\/p>\n\n\n\n<p>Encryption defines what kind of algorithms should be used (only FIPS- or BSI-approved ones), that the default setting should always be the highest possible, and how the keys should be protected. 
Integrity defines how to check the integrity of data.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Data at Rest<\/span>:<\/strong><\/p>\n\n\n\n<p>Data at Rest defines how data that is saved on non-volatile memory should be secured.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Data in Transit<\/span>:<\/strong><\/p>\n\n\n\n<p>Data in Transit defines how a connection needs to be secured to transport important information.<\/p>\n\n\n\n<p><strong><span style=\"font-size: revert;color: initial\">Configuration Management<\/span>:<\/strong><\/p>\n\n\n\n<p>Configuration Management describes the usage of version and configuration management software (Git, etc.), the separation of interfaces and the requirements for application configurations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Data at Rest <\/h2>\n\n\n\n<p>In this blog entry we take a closer look at the Security Requirement Data at Rest.<\/p>\n\n\n\n<p>The definition of Data at Rest was given above, but what kind of data are we talking about?<br>The definition covers all data that is saved on non-volatile memory, but the effects of a compromise differ depending on the data.<\/p>\n\n\n\n<p>If personal data of customers is compromised, this can cause big problems in the form of large fines and a damaged reputation. 
If the only thing stolen is an old file with absolutely no value, the damage is significantly smaller.<\/p>\n\n\n\n<p>Here is a non-exhaustive list of important data that should never be left unsecured:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Personal Data<\/li><li>Customer Secrets<\/li><li>Intellectual Property<\/li><li>Banking Information<\/li><li>Configurations<\/li><li>Passwords<\/li><li>Program Source Code<\/li><li>Architecture overviews<\/li><li>Backups<\/li><\/ul>\n\n\n\n<p>What can we do to secure this information properly?<br>Data that is only used to check information against and is never read back should be stored as a hash, produced by a secure hash function with a strong salt. Data that has to be read back has to be protected by a strong cryptographic algorithm. The options vary depending on the kind of environment in which the data has to be stored.<\/p>\n\n\n\n<p>What kinds of attacks are prevented or made more difficult by these measures?<\/p>\n\n\n\n<p>The attacks that are prevented or made more difficult are the theft of whole computers or hard drives and the hacking of the network or PC the data is stored on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Local Environments<\/h2>\n\n\n\n<p>Local Environments are defined by having the data on only one active computer at a time. The data can be stored either on one of its hard drives or on mobile storage devices. The data can be saved in files or in databases on the same computer. Possible solutions are encryption of the hard drive in combination with encryption of the files, together with configuring every database to store its data encrypted as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Distributed Systems Environments<\/h2>\n\n\n\n<p>Distributed Systems Environments consist of multiple programs executed on multiple computers, which may be physically separated. 
Data is normally not saved as files on the different computers, but in file databases that provide access to every authorized user\/program. Because of the safety requirements of any distributed system, there are multiple instances of each program to reduce the probability of downtime. This means there are multiple instances of the databases to be secured. Each of these instances has to be configured to store its data encrypted, like the computer in the local environment, and access has to be secured by means of the Authentication and Authorization requirement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Methods<\/h2>\n\n\n\n<p><strong>Hard Drive \/ File Encryption:<\/strong><\/p>\n\n\n\n<p>Hard drive encryption encrypts some or all of the data when it is written to the hard drive and decrypts it when it is read from the hard drive. There are two variants of hard drive encryption: software and hardware.<\/p>\n\n\n\n<p>Software Encryption:<br>Software encryption requires an encryption program to run on the computer. When a file is saved to the hard drive, the program encrypts the data before it is sent to the disk. One example is VeraCrypt, an OS-independent open-source program; another is BitLocker, which is included in the Windows OS. Activating disk encryption increases the CPU load, because the data needs to be encrypted and decrypted.<\/p>\n\n\n\n<p>Hardware Encryption:<br>Hardware encryption requires specific hard drives or USB drives called Self-Encrypting Drives (SEDs). These drives encrypt and decrypt the data themselves and thus reduce the CPU overhead that software encryption would cause.<br>SEDs come at a price premium. This cost has to be weighed against the limited reduction in CPU load on capable computer systems.<\/p>\n\n\n\n<p><strong>Database Encryption:<\/strong><\/p>\n\n\n\n<p>Database encryption makes sure that no data files or backups of a database are written to the file system in plain text. 
The approaches differ in the level at which entries are encrypted separately.<\/p>\n\n\n\n<p>Transparent\/External Database Encryption:<br>Transparent\/External Database Encryption (TDE) is the encryption of the whole database and its backups by the Database Management System (DBMS).<\/p>\n\n\n\n<p>Column-Level Encryption:<br>Column-Level Encryption is the separate encryption of every column in a database, in contrast to TDE, which encrypts everything together.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary:<\/h2>\n\n\n\n<p>In this blog entry we briefly described different Security Requirements and took a deeper look at the category Data at Rest. We explained what kind of data is meant and how to secure it in different environments. At the end we gave a short overview of the individual options and their possible side effects.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Alexander Allerdings, Niklas Werth and Philip Betzler. Security Requirements are requirements that have to be met in a Software Development process to make the software secure. To avoid time and resource costly delays they should be considered from the beginning. In this blog entry we take a closer look at the category Data at [&hellip;]<\/p>\n","protected":false},"author":1017,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[26,651],"tags":[],"ppma_author":[791],"class_list":["post-21821","post","type-post","status-publish","format-standard","hentry","category-secure-systems","category-system-designs"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":3978,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/security-in-smart-cities\/","url_meta":{"origin":21821,"position":0},"title":"Security in Smart Cities","author":"Johannes Kaeppler","date":"16. 
August 2018","format":false,"excerpt":"Today cities are growing bigger and faster than ever before. This results in various negative aspects for the citizens such as increased traffic, pollution, crime and cost of living, just to name a few. Governments and city administrations and authorities are in need to find solutions in order to alleviate\u2026","rel":"","context":"In &quot;Secure Systems&quot;","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":4005,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/20\/cloud-security-tools-and-recommendations-for-devops-in-2018\/","url_meta":{"origin":21821,"position":1},"title":"Cloud security tools and recommendations for DevOps in 2018","author":"Immanuel Haag","date":"20. August 2018","format":false,"excerpt":"Introduction Over the last five years, the use of cloud computing services has increased rapidly, in German companies. According to a statistic from Bitkom Research in \u00a02018, the acceptance of cloud-computing services is growing. Cloud-computing brings many advantages for a business. 
For example, expenses for the internal infrastructure and its\u2026","rel":"","context":"In &quot;DevOps&quot;","block_context":{"text":"DevOps","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/devops\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/19AAsLm7ATw8Fl8aVbJQdYw.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/19AAsLm7ATw8Fl8aVbJQdYw.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/19AAsLm7ATw8Fl8aVbJQdYw.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":3981,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/16\/usability-and-security\/","url_meta":{"origin":21821,"position":2},"title":"Usability and Security","author":"Christof Kost","date":"16. August 2018","format":false,"excerpt":"Usability and Security - Is a tradeoff necessary? Usability is one of the main reasons for a successful software with user interaction. But often it is worsened by high security standards. 
Furthermore many use cases need authentication, authorisation and system access where high damage is risked when security possibilities get\u2026","rel":"","context":"In &quot;Allgemein&quot;","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/2018-08-16-12_12_42-NotificerffeationsForm.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":3232,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2017\/10\/06\/usable-security-users-are-not-your-enemy\/","url_meta":{"origin":21821,"position":3},"title":"Usable Security &#8211; Users are not your enemy","author":"mw195","date":"6. October 2017","format":false,"excerpt":"Introduction Often overlooked, usability turned out to be one of the most important aspects of security. Usable systems enable users to accomplish their goals with increased productivity, less errors and security incidents. And It stills seems to be the exception rather than the rule. 
When it comes to software, many\u2026","rel":"","context":"In &quot;Secure Systems&quot;","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/10\/windows-uac.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":3221,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/03\/25\/security-in-a-saas-startup-and-todays-security-issues-with-devops\/","url_meta":{"origin":21821,"position":4},"title":"Security in a SaaS startup and today&#8217;s security issues with DevOps","author":"cp054","date":"25. March 2018","format":false,"excerpt":"Motivation Facing security in a company nowadays is a big job: it starts with a backup strategy ensuring the business continuation, plans for recovery after major breakdowns, ensuring physical security (entrance control, lock-pads, safes), screening of potential employees, monitoring servers, applications and workstations, training the employees in security issues and\u2026","rel":"","context":"In &quot;DevOps&quot;","block_context":{"text":"DevOps","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/devops\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/09\/figure-3-push-to-public.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/09\/figure-3-push-to-public.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/09\/figure-3-push-to-public.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/09\/figure-3-push-to-public.png?resize=700%2C400&ssl=1 
2x"},"classes":[]},{"id":11186,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/09\/14\/the-development-of-the-intranet-into-beyondcorp\/","url_meta":{"origin":21821,"position":5},"title":"The development of the intranet into BeyondCorp","author":"Aron K\u00f6cher","date":"14. September 2020","format":false,"excerpt":"Aron K\u00f6cher, Miro Bilge Only a few years earlier, the solution to exchange digital information like documents or pictures was to establish a physical connection between the participants. A usb stick was passed around the class to exchange music, you went to your friends house to print some urgent papers\u2026","rel":"","context":"In &quot;Secure Systems&quot;","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":791,"user_id":1017,"is_guest":0,"slug":"pb082","display_name":"Philip 
Betzler","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/6dd292042200ae5b155900b0ecba4ae55984d3bdcfab4e4909a8eb0870d8f00e?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/21821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/1017"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=21821"}],"version-history":[{"count":9,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/21821\/revisions"}],"predecessor-version":[{"id":21840,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/21821\/revisions\/21840"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=21821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=21821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=21821"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=21821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}