Index

Introdução...................................................................................................................................................3
I................................................................................................................................................................... 3
Digital Certificates.......................................................................................................................................3
Public Key Infrastructure (PKI).................................................................................................................3
Components of PKI..............................................................................................................................3
Certificate Authorities (CAs)....................................................................................................................4
Types of CAs:.......................................................................................................................................4
How do CAs create digital certificates?...............................................................................................4
SSL/TLS Certificates.................................................................................................................................5
For what they are essential for:...........................................................................................................5
How SSL/TLS Certificates Function.......................................................................................................5
The Technology Behind SSL/TLS..........................................................................................................6
Code Signing Certificates.........................................................................................................................6
How Does Code Signing Certificate Work?..........................................................................................6
Types of Code Signing Certificate........................................................................................................7
The Process of Obtaining and Using Digital Certificates..........................................................................7
II..................................................................................................................................................................8
Protection of Data.......................................................................................................................................8
Encryption Techniques............................................................................................................................8
Types of Data Encryption.....................................................................................................................9
Data Backup and Recovery......................................................................................................................9
What are the 3 types of backups?.......................................................................................................9
What is the difference between backup and recovery?....................................................................10
What are the types of data recovery?...............................................................................................10
What types of data sources typically need to be recovered?............................................................11
Data Masking and Anonymization.........................................................................................................11
Key Techniques for Data Masking & Anonymization.........................................................................12
Access Controls and Permissions...........................................................................................................13
How Does Access Control Work?.......................................................................................................13
 Types of Security Access Controls......................................................................................................14
Secure File Transfer Protocols...............................................................................................................15
Top Protocols For Secure File Transfer..............................................................................................15
Conclusion.................................................................................................................................................16
Introdução

In an era where digital interactions and transactions are integral to daily life, securing data and
communication channels has become paramount. Digital certificates and various data protection
techniques are foundational to maintaining the integrity, confidentiality, and authenticity of
information exchanged over the internet. This presentation delves into intricacies of digital
certificates and data protection mechanisms, exploring their roles, processes and importance.

Digital Certificates
A digital certificate, also known as a public key certificate, is used to cryptographically link
ownership of a public key with the entity that owns it. Digital certificates are for sharing public
keys to be used for encryption and authentication.

Public Key Infrastructure (PKI)

Public key infrastructure includes the policies, roles, hardware, software, and procedures
required to create, manage, distribute, use, store, and revoke digital certificates. A digital
certificate works like a passport or driver’s license by proving your identity and providing certain
allowances.

The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of
network activities such as e-commerce, internet banking, and confidential email. It's a system
that allows users and machines to securely exchange data over the internet and verify the other
party’s identity.

For example, when you log in to your online banking account, PKI encrypts the connection and
ensures your sensitive information remains private and secure. That way, you can safely input
your credentials and access your account with the assurance you’re not interacting with an
illegitimate website.

Components of PKI
Public key infrastructure is not a single technology, but a combination of several essential parts.
Together, they provide the technologies and processes to manage encryption, protect data, and
secure communication at scale.

 PKI keys: A key pair that enables encryption — a process of concealing data to prevent
anyone but the intended recipient from reading it. In cryptography, each public key is
 paired with a private key. The public key is distributed freely and openly, while the
private key is secret to the owner.

 Digital certificates: Electronic credentials that bind the certificate holder’s identity to a
key pair that can be used to encrypt and sign information.

 Certificate authority (CA): A trusted entity that issues digital certificates.

 Registration authority (RA): Responsible for accepting certificate requests and

authenticating the individual or organization behind them.

 Certificate repositories: Secure locations where certificates are stored and can be
retrieved for validation.

 Centralized management software: A dashboard where organizations can manage their

cryptographic keys and digital certificates.

 Hardware security module (HSM): Physical devices that provide a secure environment
for performing cryptographic operations and storing/managing digital keys.

Certificate Authorities (CAs)

A certificate authority, or certification authority, is a trusted third-party organization that creates
and issues digital certificates. In the case of a public CA, they’re also responsible for vetting and
validating the identities of certificate holders, making them an integral part of public key
infrastructure.

All CAs must maintain a “certificate revocation list.” In short, it documents all certificates
revoked by a trusted CA before their scheduled expiration date, identifying any that should no
longer be trusted.

Types of CAs:
Ÿ Root CA: The most trusted type of CA in the PKI hierarchy. A Root CA's certificate is self-
signed, which means it’s authenticated by its own digital signature. These CAs form the
foundation of trust since their certificates are used to create, sign, and issue certificates to
subordinate CAs or directly to end entities.

Ÿ Subordinate CA: An organization certified by a Root CA or a subordinate higher up in the

chain. Certificates issued by a Subordinate CA carry the signature of the Root CA, thus
inheriting trust. Each certificate in the chain is responsible for certifying the authenticity of
the next, creating a continuous and reliable trust path from top to bottom.

How do CAs create digital certificates?

Ÿ Key generation: A user generates a key pair.
Ÿ Certificate request: The user sends a certificate signing request (CSR) to a CA, including
their public key and identifying information.

Ÿ Verification: The CA validates the user’s identity, often with the help of an RA.

Ÿ Certificate issuance: Once verified, the CA issues a digital certificate containing the user’s
public key and other identification details. This certificate is also signed by the CA’s private
key, creating a digital signature.

Ÿ Certificate use: When engaging in secure communications, the sender can encrypt the
message using the recipient’s public key. Upon receiving it, the recipient can decrypt the
message using their private key.

SSL/TLS Certificates
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) certificates are digital
certificates that serve as the first line of defense in the vast landscape of cyber threats.

For what they are essential for:

 Establishing Secure Connections: SSL/TLS certificates enable secure connections
between web servers (websites) and clients (users' browsers). This is crucial for
protecting data in transit from being intercepted or tampered with by malicious actors.
 Authenticating Identities: These certificates authenticate the identity of websites,
ensuring that users are communicating with the legitimate site and not a fraudulent one.
This is particularly important to prevent phishing attacks.
 Ensuring Data Integrity: SSL/TLS encryption ensures that data sent between the user
and the website cannot be altered without detection, maintaining data integrity.

How SSL/TLS Certificates Function

 Encryption Process: When a user connects to a secure website (HTTPS), the website
presents its SSL/TLS certificate to the user's browser. This certificate contains the public
key necessary to begin a secure session.
 Secure Data Transmission: Through a process known as the SSL/TLS handshake, the
browser and the server establish a secure connection using the certificate's public key. All
data transmitted during the session is encrypted and can only be decrypted by the
recipient's private key, ensuring the confidentiality of the information exchanged.
The Technology Behind SSL/TLS
SSL/TLS certificates are based on a cryptographic protocol that involves two keys:

1. Public Key: Used to encrypt information sent from the user to the server.
2. Private Key: Held securely by the website, used to decrypt the received information.

This use of asymmetric encryption ensures that even if the data is intercepted, it remains
unreadable without the corresponding private key.

Code Signing Certificates

Code Signing Certificate is a digital certificate which confirms that the software comes from a
trusted source and is not altered or tampered with.

How Does Code Signing Certificate Work?

#1. Purchase Code Signing Certificate: First, you need to buy code signing certificate, and the
certificate follows the organization and extended validation process. An individual or a
company can apply for a Code Signing certificate

#2. Verify Identity: Once you apply for the certificate, the certificate authority (the CA)
undergoes the verification process depending upon the type, like an individual or a company.
The certificate authorizes the identity to ensure users that they are downloading software from
the original source.

#3. Certificate Installation: After getting Code Signing certificates, you need to install them on
the desired platform. When you start signing executables and scripts, the process of signing on
each platform seems different.

The code is signed with a digital signature, and a string of data being hashed that shows the
publisher’s identity also ensures that the code is not changed since it is signed. A digital
signature shows your identity information when you signed a software, driver, or application.

#4. Distribute Software: After signing the software, it is time to distribute it. Users will see a
signature while downloading software. The software will show your verified publisher’s identity
during downloading. It also assures that the code remained intact since it is signed.

It is wise to timestamp your code as it will keep the code valid even if the certificate is expired.
Each certificate comes with a validity period. Users will have no unwanted warning when they
download the software.
Types of Code Signing Certificate
Code certificates can be classified into two types based on the level of validation sought —
Organization Validation (OV) Code Signing and Extended Validation (EV) Code Signing. The
core difference between the two is the CA’s verification level and how the private key is stored.
Both these types make use of public-private key cryptography and allow the applicant to encrypt
the code.

1. OV Code Signing Certificate: An OV code signing certificate can be obtained much

faster because, in this case, the CA performs primary verification only. This includes
verifying details such as the developer’s identity, the organization’s name, phone number,
and the applicant’s physical address.

Once approved, the private key is issued to the applicant, who can store it on his system just like
the private key of an SSL certificate is stored. However, this may not always be secure and must,
therefore, be avoided unless you are looking for a price benefit.

2. EV Code Signing Certificate: EV Code Signing Certificate is an advanced code signing

cert and is ideal for serious publishers who are ready to undergo a comprehensive vetting
process. This is carried out following the guidelines laid down by the CA/Browser
Forum. The documentation required for its approval usually includes everything
mentioned for the OV Certificate.

In addition to that, the applicant would be required to furnish a business registration certificate,
an attestation from a government organization or a Chartered Public Accountant, and a business
profile created by a reputable information source. Once the EV code signing certificate is issued,
the applicant would be required to store the private key in an external hardware token, making it
a safer option for software development firms and companies.

The Process of Obtaining and Using Digital Certificates

Step 1: Pick a Certificate Authority

The initial step in obtaining a digital certificate is selecting an authorized certificate authority
(CA). A CA is a trusted third-party organization that issues digital certificates to users and
devices.

Step 2: Generate a Key Pair

Once you've selected your certificate authority, the next step is to generate a key pair. A key pair
consists of both a public key and a private key used for authentication purposes on users or
devices.
Step 3: Generate a Certificate Signing Request (CSR)

The next step is to generate a certificate signing request (CSR). A CSR is simply an image file
containing information about the user or device requesting the digital certificate, such as their
name, contact info, and public key.

Once submitted to the certificate authority, they will verify all details and issue the digital
certificate accordingly.

Step 4: Validate Your Identity

Once the CSR has been submitted, the certificate authority will verify your identity to confirm
that you are authorized to obtain a digital certificate.

This may involve requesting additional documentation or information like a government-issued

ID or proof of business ownership.

Step 5: Install the Digital Certificate

Once the certificate authority has verified your identity and issued you a digital certificate,
installation can begin on your device or server.

Depending on which type of digital certificate was obtained and how it's installed, there may be
different steps depending on which device or server is used.

II

Protection of Data
Data protection is the process of safeguarding data and restoring important information in the
event that the data is corrupted, compromised or lost due to cyberattacks, shutdowns, intentional
harm or human error. It embraces the technologies, practices, processes and workflows
that ensure rightful access to data, so the data is available when it's needed.

Encryption Techniques
Data Encryption is a method of preserving data confidentiality by transforming it into ciphertext,
which can only be decoded using a unique decryption key produced at the time of the encryption
or before it. The conversion of plaintext into ciphertext is known as encryption.
Types of Data Encryption
There are multiple encryption techniques, each of which have been developed with various
security requirements in mind.

1. Symmetric Key Encryption

There are a few strategies used in cryptography algorithms. For encryption and decryption
processes, some algorithms employ a unique key. In such operations, the unique key must be
secured since the system or person who knows the key has complete authentication to decode the
message for reading. This approach is known as “symmetric encryption” in the field of network
encryption.

2. Asymmetric Key Encryption

Some cryptography methods employ one key for data encryption and another key for data
decryption. As a result, anyone who has access to such a public communication will be unable to
decode or read it. This type of cryptography, known as “public-key” encryption, is used in the
majority of internet security protocols. The term “asymmetric encryption” is used to describe this
type of encryption.

Data Backup and Recovery

Backup and recovery is the process of duplicating data and storing it in a secure place in case of
loss or damage, and then restoring that data to a location—the original one or a safe alternative—
so it can be used again in operations. Ideally, this backup copy (often called a snapshot) is
immutable—meaning it cannot be altered after it is created to protect against mutations such as
ransomware. Backup and recovery is also a category of onsite and cloud-based technology
solutions that automate and support this process, enabling organizations to protect and retain
their data for business and compliance reasons.

What are the 3 types of backups?

Backups are often bucketed into three categories:

Ÿ Full backups – Like filling up an extra tire at the service station, think of this process as
pumping all of the data stored on a production system into a backup system for safekeeping.
Full backups protect every bit of data from a single server, database, virtual machine (VM),
or data source connected to the network. These backups can take many hours, even days,
depending on the amount of data being saved. The more modern a data management solution
is, the fewer full backups it must perform, and when it does, the faster it goes.

Ÿ Incremental backups – Think of incremental backups as adding just a little more air each
time you revisit the station—just in case—so you’re always ready to replace your tire. An
incremental backup captures only new data since the last full incremental was performed.
 However, a full backup is required before a backup solution can perform its first incremental
backup. Then it can automatically do them based on the last incremental taken.

Ÿ Differential backups – Like incremental backups, these add more air but the delta is from
the last full backup, not the last incremental. Think of this backup as what’s different from
the last time you even filled the tire with air. Again, this can only happen if a full backup has
been performed first. Organizations typically establish policies about how much data and
when incremental or differential backups should occur.

What is the difference between backup and recovery?

The key difference between backup and recovery is that the backup process is how you save and
protect your production data and safely store it away so you have it for a later time, when you
might need to use it.

Recovery is the process whereby you retrieve and restore that backup data to your production
systems to avoid downtime.

Reliable backups and fast recovery together ensure business continuity and business resilience.

What are the types of data recovery?

The amount of data organizations create, capture, and store has skyrocketed over the last decade.
And analysts anticipate the amount of new data generated will grow at more than 50%
compounded annually.

Because enterprises and people are storing data in more places, new categories of backup data
recovery have emerged. These include:

Ÿ Granular recovery of files, folders and objects – Also known as file-level or object-level
recovery, this is the process of quickly getting back one or just a few specific data sets from
among many volumes.

Ÿ Instant mass restore – This process allows IT staff to recover not just files but hundreds of
virtual machines (VMs) instantly, at scale, to any point in time, saving time and resources.

Ÿ Volume recovery – A process teams that need to recover an unlimited number of VMs at the
same time used for faster recovery; for example, all VMs belonging to an application group.

Ÿ Virtual Machine Disk (VMDK) recovery – This recovery process ensures all data and apps
on a VM are restored quickly.
Ÿ Bare machine recovery – Restoring an entire operating system (software, apps, and data) in
one process.

Ÿ Instant volume mounts – Teams can save time using a backup solution as a target to restore
an entire volume to a Windows VM.

Ÿ Instant restores of VMs – This process restores a large number of VMs to any previous
recovery point with backup copies fully hydrated and available immediately.

What types of data sources typically need to be recovered?

All of the data sources that your organization protects may at some time need to be recovered
due to a data loss event.

Ÿ VMs (VMware, Microsoft, Nutanix)

Ÿ Physical servers (Windows, Linux)

Ÿ Databases (RDBMs) and Distributed

Ÿ Databases (NoSQL, Hadoop, Mongo, Apache, etc.)

Ÿ Files (NAS)

Ÿ Containers (e.g. Kubernetes)

Ÿ Applications (Microsoft Exchange, SAP HANA)

Ÿ SaaS applications (Microsoft 365, Salesforce)

Ÿ Primary storage

Ÿ Mainframes

Data Masking and Anonymization

Data Masking: Replacing sensitive data with fictitious but realistic data, ensuring that
unauthorized users cannot access actual information.

Anonymization: Removing or altering personally identifiable information (PII) so that data

cannot be traced back to individuals.

Data Masking and Anonymization is typically done during the data cleansing and preparation
steps before data sets are made available to the larger team. These steps often involve a lot of
manual effort and take up a lot of time before they could be shipped to data scientists for
deriving analytics and insights.
The key goal for any DMA solution would therefore be twofold:

a) Identify and protect individuals’ information in healthcare datasets

b) And ensure that even after DMA, the utility of the dataset is not compromised for its intended
usage

Key Techniques for Data Masking & Anonymization

Data Masking and Data Anonymization could be accomplished by several techniques. Each
technique produces a slight difference in privacy guarantees and the utility of resultant data. In
DMA generally, privacy and utility are inversely proportional to each other.

Some of the key techniques that could be leveraged in DMA solutions are:~

Complete Random Substitution or CRS (aka Pseudonymization)

Ÿ Data in one or more columns of a table is randomly substituted with values from an
appropriate list/generator

Ÿ This preserves the look and feel of data with high privacy

Ÿ It could alter the distribution of the data, affecting utility for certain use cases

Ÿ This technique does not offer fine-grained control of privacy vs utility

Generalization (e.g., k-anonymization)

Ÿ Some data is excluded deliberately to make it less identifiable

Ÿ The data may be modified into a series of ranges

Ÿ This technique results in stronger privacy due to reduced data dimensions

Ÿ But data utility is compromised

Differential Privacy
Ÿ This technique introduces ‘noise’ in the data set but preserves stat distribution

Ÿ Correct selection of its control parameters gives a good balance between utility and privacy

Ÿ Support for non-numeric data is not readily available

Synthetic Data
Ÿ In this technique, data engineers build new artificial data that is modeled on a real dataset

Ÿ The right models ensure the balance between privacy and utility.

Ÿ This technique works well across data types

Ÿ But it is complex to implement and requires creating new models in some cases

Access Controls and Permissions

Access control is a proactive security measure that helps deter, detect, and prevent unauthorized
access. By controlling who or what has access to a resource, it ensures that only those with the
necessary permissions can access the data or service. This significantly reduces the risk of a
security breach, both from external attackers and insider threats.

How Does Access Control Work?

1. Authentication
Authentication is the first step in access control. It involves verifying the identity of the user or
system requesting access. This is usually done by matching the provided credentials with the
stored information. Authentication methods include password-based, biometric-based, and
certificate-based authentication.

2. Authorization
Authorization follows successful authentication. It involves granting or denying access based on
the user’s or system’s privileges. The privileges are predefined and dictate what resources the
user or system can access and to what extent. Authorization helps in maintaining the principle of
least privilege, ensuring users and systems have only the access they need.

3. Access
Access refers to the actual use or interaction with a resource. This could involve viewing,
modifying, or deleting data, or using a service. The extent of access is dictated by the
authorization process. Access is monitored and controlled to prevent unauthorized activities.

4. Manage
Management of access control involves maintaining and updating the access control system. This
includes defining and updating access policies, managing user credentials, onboarding and
offboarding users, and maintaining the access control hardware and software. Effective
management ensures the access control system remains robust and up-to-date.
5. Audit
Auditing is an essential component of access control. It involves monitoring and recording
access patterns and activities. Auditing helps in identifying any unusual or suspicious activities
and aids in forensic investigations. Regular audits can reveal security vulnerabilities and help
improve the access control system.

Types of Security Access Controls

Role-Based Access Control (RBAC)

Role-Based Access Control, or RBAC, is an access control framework that assigns system access
rights and permissions to users based on their roles within an organization. For instance, a
financial analyst in a company might have access to sensitive financial data but would not have
the same access to the company’s HR records. RBAC is widely adopted due to its simplicity and
ease of administration.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control, abbreviated as ABAC, is a security framework that uses a set of
policies to grant or deny access to resources. These policies are based on attributes, which can
include user attributes (like role or location), resource attributes (like the type of information),
and environment conditions (like time or network location). ABAC is dynamic and flexible,
making it suitable for complex environments where access decisions need to consider a
multitude of factors.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is a method that grants access rights based on rules
specified by users. In DAC, the owner of the information or resource decides who can access
specific resources. This model provides flexibility and individual control, but it also comes with
risks as users might inadvertently grant access to those who should not have it.

Mandatory Access Control (MAC)

Mandatory Access Control, or MAC, is an approach where access is granted or denied based on
the information’s classification and the user’s security clearance level. It is widely used in
organizations handling highly classified and sensitive data, like military institutions or
government agencies. MAC is rigid and highly secure, but it can be complex to implement and
manage.
Policy-Based Access Control (PBAC)
Policy-Based Access Control, or PBAC, is an access control model that determines access based
on a set of policies that define allowable actions within a system. PBAC policies are often
complex, involving a combination of rules, roles, attributes, and environmental factors. This
model allows for fine-grained access control, enabling administrators to manage access based on
the specific needs of the organization and the context of the access request. While PBAC is fairly
similar to ABAC, it is easier to implement and requires less IT and development resources.

Secure File Transfer Protocols

Secure file transfers are a way to safely share data using encryption and secure protocols.
Business-critical data is protected using a range of secure protocols, including SSL/TLS, PGP,
AS2, SFTP, FTPS, HTTPs and more. These protocols are supported in managed file transfer
platforms, allowing organizations to standardize their transfers on the most secure protocols.

In addition to secure protocols, managed file transfer solutions offer additional security features,
including proxy servers that support PCI, SOX and HIPAA compliance and data loss prevention
(DLP).

Top Protocols For Secure File Transfer

The original File Transfer Protocol established an easy method for transferring files over a
network. But FTP was designed in the 1970s, long before data security was much of a concern.
FTP is still around, but its usage has drastically diminished with the introduction of secure file
transfer protocols.

So what is a secure file transfer protocol? Most people will answer SFTP, which is half the
answer. Basically, whereas FTP is known as an insecure protocol because it doesn’t provide
encryption, secure file transfer protocols do.

SSH File Transfer Protocol (SFTP)

SFTP is a protocol developed by the Internet Engineering Task Force (IETF), and is perhaps the
most common file transfer protocol in use today. SFTP is built on Secure Shell cryptography to
encrypt data being transferred. This encryption is done in part by transferring information in
packets as opposed to plain text, which generally leads to faster transmission times when
compared to FTP. SFTP supports the use of key pairs as well as host-based authentication,
making SFTP useful for sensitive data such as personally information.
File Transfer Protocol Over SSL (FTPS)
FTPS is an attempt to make FTP secure using Secure Sockets Layer (SSL). SSL however was
deprecated in 2015 so even though most FTPS servers are using Transport Layer Security (TLS),
we still refer to it as FTPS. TLS uses certificates to authenticate users and to prevent information
from being accessed by unauthorized parties. FTPS requires two ports on the client server which
can make it more difficult to get FTPS transfers through a firewall. There is also explicit FTPS
(FTPES) which provides extra functionality for secure file sharing.

Applicability Statement 2 (AS2)

The AS2 protocol is widely used between trading partners in the retail and automotive industries.
AS2 is based on S/MIME and HTTPS for sending encrypted messages. AS2 also enables digital
signatures and Message Disposition Notification (MDN), which provide the sender with receipts
for non-repudiation.

ODETTE File Transfer Protocol 2 (OFTP2)

OFTP2 is a TCP/IP protocol that is popular among automotive companies, especially those based
in Europe. OFTP2, much like AS2, supports non-repudiation through receipts. Importantly,
OFTP2 can compress large amounts of data, making OFTP2 an efficient means of transferring
large files. The original OFTP was introduced in 1986 by the Organisation for Data Exchange by
Tele-Transmission in Europe (ODETTE).

Additionally, OFTP2 can operate through Value Added Networks (VANs), with both push and
pull modes.

User Datagram Protocol (UDP)

UDP is a transport layer protocol similar to TCP. UDP however doesn’t include much of the
“overhead” implied by other protocols, such as handshakes, certificates or receipts. This makes
UDP a much faster method of sending data such as video or audio files, especially when
transfers are occurring over long-distance networks that are experiencing high-latency. That
speed however comes with noticeable drawbacks, including packet loss.

Conclusion
Digital certificates and data protection mechanisms are vital for ensuring the security and
integrity of information in the digital world. By implementing these technologies and practices,
individuals and organizations can safeguard their data from threats and ensure secure,
trustworthy communications and transactions. Understanding these concepts is essential for
anyone involved in managing or transmitting sensitive information, as it empowers them to
protect their data effectively and maintain the trust of their users and stakeholders.