Data Protection at the Host Level — Protecting a Cybersecurity Domain
Protecting a Cybersecurity Domain Article 4 of 6 🕐 15 min read

Data Protection at the Host Level

Safeguarding Critical Data Through Access Controls and Encryption

Published 05 September 2025
Author Jean Claude Munyakazi
Series Cybersecurity Domain

Data protection at the host level represents the final line of defense for an organization's most valuable asset: its information. While network security and perimeter defenses are crucial, data stored on individual systems requires specific protection measures to ensure confidentiality, integrity, and availability.

Host-level data protection encompasses multiple complementary strategies, from granular file permissions and encryption to comprehensive backup systems and data loss prevention. These protections must balance security requirements with usability, ensuring legitimate users can access the information they need while preventing unauthorized disclosure.

The Data Protection Imperative
With data breaches costing organizations millions in direct losses, regulatory fines, and reputational damage, protecting data at rest has become a business imperative. Host-level protection ensures data remains secure regardless of how systems are accessed or compromised.

File Permissions and Access Control

File system permissions form the foundation of host-level data protection, controlling which users and processes can access, modify, or execute specific files and directories.

Windows NTFS Permissions

  • Full Control: complete access; allows the user to read, write, modify, delete and change permissions
  • Modify: change file contents; allows the user to read, write, modify and delete file contents
  • Read & Execute: view and run files; allows the user to open file contents and execute programs
  • Read: view file contents only; allows the user to open and view file contents
  • Write: create files and folders; allows the user to create new files in the folder

Linux File Permissions

  • Read (r/4): View file contents or list directory contents
  • Write (w/2): Modify file contents or create/delete files in the directory
  • Execute (x/1): Run executable files or access a directory
Linux Permission Example

rwxr-xr--
Owner:  rwx = read / write / execute
Group:  r-x = read / execute only
Others: r-- = read only

# Set permissions with chmod
chmod 750 /sensitive/directory   # Owner full, Group r+x, Others none
chmod 640 /secure/file.conf      # Owner r+w, Group read, Others none

# Check ACLs
getfacl /path/to/file

Access Control Management Tools

  • Windows: icacls, AccessChk, FSRM
  • Linux: chmod, chown, getfacl/setfacl
  • Enterprise: Varonis DatAdvantage
  • Cloud: AWS IAM, Azure AD, Google Cloud IAM
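As an added example (not code from the original article), the script below turns the symbolic and octal notation above into a small audit: it converts between the two forms, collects real modes from a directory tree, and reports every path whose mode is wider than a per-directory policy, the kind of permission audit the best practices further down call for. The policy prefixes and the maximum modes are assumptions that mirror the chmod lines above.

```python
import os
import stat

BITS = {"r": 4, "w": 2, "x": 1, "-": 0}

# Assumed policy: most permissive mode allowed under each prefix (constructed).
POLICY = [("/sensitive/", 0o750), ("/secure/", 0o640)]

def symbolic_to_mode(sym: str) -> int:
    """Convert a 9-character ls-style string such as 'rwxr-xr--' into its
    numeric mode (0o754). setuid, setgid and sticky markers are not handled."""
    if len(sym) != 9 or any(c not in BITS for c in sym):
        raise ValueError("expected 9 characters drawn from r, w, x and -")
    mode = 0
    for i in (0, 3, 6):                          # owner, group, others
        mode = (mode << 3) | sum(BITS[c] for c in sym[i:i + 3])
    return mode

def mode_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_mode for the low nine permission bits."""
    out = ""
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        out += "r" if digit & 4 else "-"
        out += "w" if digit & 2 else "-"
        out += "x" if digit & 1 else "-"
    return out

def live_entries(root: str):
    """Yield (path, permission bits) for everything under root, without
    following symlinks. Feed this to audit() for a real filesystem check."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            yield path, stat.S_IMODE(os.lstat(path).st_mode)

def audit(entries, policy):
    """entries: iterable of (path, mode). The longest matching policy prefix
    wins. Returns (path, actual, excess) for each entry wider than allowed."""
    findings = []
    for path, mode in entries:
        matches = [(p, m) for p, m in policy if path.startswith(p)]
        if not matches:
            continue
        _, allowed = max(matches, key=lambda pm: len(pm[0]))
        excess = (mode & 0o777) & ~allowed      # bits set that the policy forbids
        if excess:
            findings.append((path, mode_to_symbolic(mode), mode_to_symbolic(excess)))
    return findings
```

A real run is `audit(live_entries("/sensitive"), POLICY)`; the excess column tells you exactly which bits a follow-up chmod should drop.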

Encryption Technologies

Data encryption provides cryptographic protection for information stored on host systems, ensuring data remains confidential even if physical security is compromised or unauthorized access is gained.

Full Disk Encryption

  • BitLocker (Windows): TPM-integrated full disk encryption with pre-boot authentication, network unlock, and recovery key options
  • FileVault (macOS): XTS-AES encryption with hardware acceleration and institutional key escrow for enterprise recovery
  • LUKS (Linux): Standard Linux disk encryption via dm-crypt with multi-key support and passphrase management
  • VeraCrypt: Cross-platform open-source disk and file container encryption
BitLocker Deployment Options
TPM-only provides transparent hardware authentication; TPM + PIN adds a user factor for stronger protection; TPM + USB adds a physical token; always escrow recovery keys to AD or Azure AD before enabling.

File and Folder Encryption

  • EFS (Encrypting File System): Windows per-file and per-folder encryption integrated with user certificates
  • GnuPG: Open-standard file encryption for cross-platform individual file protection
  • Azure Information Protection: Cloud-managed persistent file encryption following data wherever it goes

Backup and Recovery

Comprehensive backup strategies ensure data can be recovered following security incidents, hardware failures, or disasters. Backups are not just an IT function; they are a critical security control.

The 3-2-1 Backup Rule

  • 3 Copies: Maintain at least three copies of important data
  • 2 Media Types: Store on at least two different media types (local + cloud, SSD + tape)
  • 1 Offsite: Keep at least one copy in a geographically separate location

Backup Types

  • Full Backup: Complete copy of all data; longest time to create, fastest to restore
  • Incremental: Only changes since last backup; fastest to create, requires chain for restore
  • Differential: Changes since last full backup; balanced restore speed vs. storage
  • Continuous Data Protection (CDP): Real-time replication — minimum data loss on recovery
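To make the restore-chain difference between full, incremental and differential backups concrete, here is an added example (not from the original article) over a constructed schedule: it computes which backup sets a restore needs and which restore points disappear when a single backup is lost or corrupt. The Backup class and the schedule are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Backup:
    day: int     # position in the schedule, e.g. day of month
    kind: str    # "full", "differential" or "incremental"

def restore_chain(catalog, target_day):
    """Backups that must be read, oldest first, to restore the state as of
    target_day. A full backup ends the chain; a differential needs only the
    most recent full before it; an incremental needs everything back to one
    of those. Raises ValueError when no full backup precedes the target."""
    available = sorted((b for b in catalog if b.day <= target_day), key=lambda b: b.day)
    chain = []
    for b in reversed(available):
        chain.insert(0, b)
        if b.kind == "full":
            return chain
        if b.kind == "differential":
            fulls = [f for f in available if f.kind == "full" and f.day < b.day]
            if fulls:
                chain.insert(0, fulls[-1])
                return chain
            break
    raise ValueError("no full backup on or before day %d" % target_day)

def unrecoverable_if_lost(catalog, lost):
    """Days whose restore point is gone if the backup `lost` is corrupt or
    missing: every chain that passes through it. Days that were never
    restorable (no preceding full) are ignored."""
    days = set()
    for b in catalog:
        try:
            if lost in restore_chain(catalog, b.day):
                days.add(b.day)
        except ValueError:
            continue
    return days

# Constructed weekly schedule: full on day 1, incrementals, a differential
# on day 4, another incremental, and a new full on day 8.
SCHEDULE = [Backup(1, "full"), Backup(2, "incremental"), Backup(3, "incremental"),
            Backup(4, "differential"), Backup(5, "incremental"), Backup(8, "full")]

if __name__ == "__main__":
    print([b.day for b in restore_chain(SCHEDULE, 5)])                        # [1, 4, 5]
    print(sorted(unrecoverable_if_lost(SCHEDULE, Backup(2, "incremental"))))  # [2, 3]
```

Losing the day-2 incremental takes days 2 and 3 with it, while day 4 survives because the differential depends only on the full; this is the "requires chain for restore" trade-off in numbers.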

Data Classification and DLP

Data Classification Framework

  • Public: Information approved for public release; no special protection required
  • Internal: Business information for employees; basic access controls
  • Confidential: Sensitive business data; encryption and strict access controls required
  • Restricted: Highly sensitive data (PII, financial, IP); maximum protection required

DLP Controls

  • Content Inspection: Scanning data for sensitive patterns (PII, credit cards, health data)
  • Endpoint DLP: Blocking unauthorized transfer of sensitive data via USB, email, or uploads
  • Network DLP: Monitoring and blocking sensitive data leaving the network perimeter
  • Cloud DLP: Controlling sensitive data in SaaS applications and cloud storage
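The content-inspection control above can be illustrated with a small scanner, added here and not part of the original article: it finds card-number-shaped strings in a constructed text, keeps only those that pass the Luhn checksum (so order numbers and phone numbers do not trigger alerts), and reports them masked and tagged with the Restricted level from the classification framework above. The regular expression, the length bounds and the sample text are assumptions.

```python
import re

# Digits with optional single space or hyphen separators, 13 to 19 digits in
# total, and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 when that exceeds 9, and require the sum to
    be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so a DLP alert never re-leaks the value."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str):
    """One finding per Luhn-valid card-like number in text. The regex alone
    would also flag long order ids; the checksum removes most of those."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"offset": m.start(), "masked": mask(digits),
                             "classification": "Restricted"})
    return findings

# Constructed sample: two industry test card numbers, a phone number, and a
# 16-digit order id that fails the Luhn check.
SAMPLE = ("Invoice for card 4111 1111 1111 1111, phone 555-123-4567, "
          "order 1234567890123456, refund to 4242-4242-4242-4242.")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```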

Best Practices

Key Recommendations

  • Enable full disk encryption on all endpoints; BitLocker on Windows, FileVault on Mac
  • Implement principle of least privilege for all user accounts and service accounts
  • Conduct regular file permission audits using automated compliance tools
  • Test backup restoration procedures quarterly; an untested backup is not a backup
  • Implement DLP policies aligned with your data classification framework
  • Escrow all disk encryption recovery keys securely in your directory service
  • Audit privileged access regularly and remove unnecessary permissions promptly