Protecting Data Accessed by Applications
Published on November 2, 2016 by Gabriel Torok
Sensitive business data is more vulnerable now than ever before. As a result, organizations are being pushed to protect/encrypt their data from its initial creation to its final destruction.
Data must be protected in its three states:
- in transit
- at rest, and
- in use
Each state presents different security challenges.
Data is at its most vulnerable when it is in transit. However, many commonly used off the shelf solutions exist to mitigate this risk including browser-based HTTPS and VPN. These well understood solutions provide strong encryption and make it very difficult for unauthorized users to capture the data.
Data is at rest when it is stored on a hard drive or SSD. In this relatively secure state, data is primarily protected by either perimeter-based defenses such as firewalls or anti-malware programs or by encryption built into the operating system or otherwise implemented. There is very little reason not to encrypt sensitive data on a device or hard drive.
Data in use is probably the hardest to protect because, by definition, it must be useable (readable/decrypted) to those who need it. Protection of data in use by an application often relies on strong authentication and access controls with encryption of data at rest and in transit. However, if those checks are somehow circumvented (via probing, stolen credentials, etc.) then running the application in a debugger can probe for further weaknesses and data that may help further compromise the system (like getting elevated privileges, etc.). Think of it as a multi-step process, with each compromise leading to the next set of attacks.
It is important to protect sensitive data whether in transit, at rest or in use. If applications (especially those running on services or devices outside your direct control) access sensitive data, consider hardening them to resist debugging and tampering to make a hacker’s job more difficult.
Learn more about anti-tamper and anti-debugging here.