SEC07-BP02: Apply data protection controls based on data sensitivity

Overview

Once you understand your data classification scheme (SEC07-BP01), you must implement appropriate protection controls that match the sensitivity level of your data. Different data classifications require different levels of protection, from basic access controls for public data to comprehensive encryption and monitoring for highly sensitive information.

This best practice ensures that your protection mechanisms are proportionate to the value and sensitivity of the data, optimizing both security and operational efficiency while meeting regulatory and compliance requirements.

Implementation Guidance

1. Map Protection Controls to Classification Levels

Define specific protection controls for each data classification level established in your data classification scheme:

• Public Data: Basic access logging and integrity protection
• Internal Data: Access controls, basic encryption, and audit logging
• Confidential Data: Strong encryption, strict access controls, detailed monitoring
• Restricted Data: Maximum security controls including encryption at rest and in transit, multi-factor authentication, and comprehensive audit trails

2. Implement Encryption Controls

Apply encryption controls based on data sensitivity:

• Encryption at Rest: Use AWS KMS with appropriate key management policies
• Encryption in Transit: Implement TLS/SSL for data transmission
• Field-Level Encryption: Apply granular encryption for highly sensitive fields
• Client-Side Encryption: Implement for maximum data protection

3. Configure Access Controls

Establish access controls proportionate to data sensitivity:

• Identity and Access Management: Implement least privilege access
• Multi-Factor Authentication: Require for sensitive data access
• Attribute-Based Access Control: Use data classification tags for access decisions
• Time-Based Access: Implement temporary access for sensitive operations

4. Establish Monitoring and Auditing

Implement monitoring controls based on data classification:

• Access Logging: Log all access to classified data
• Anomaly Detection: Monitor for unusual access patterns
• Real-Time Alerting: Alert on unauthorized access attempts
• Compliance Reporting: Generate reports for regulatory requirements

5. Implement Data Loss Prevention

Deploy DLP controls appropriate to data sensitivity:

• Content Inspection: Scan data for sensitive information
• Egress Controls: Prevent unauthorized data exfiltration
• Endpoint Protection: Secure data on user devices
• Network Monitoring: Monitor data flows across network boundaries

6. Configure Backup and Recovery Controls

Establish backup and recovery controls based on data classification:

• Backup Encryption: Encrypt backups according to data sensitivity
• Retention Policies: Apply appropriate retention periods
• Recovery Testing: Test recovery procedures for critical data
• Geographic Distribution: Distribute backups based on data requirements

Implementation Examples

Example 1: Data Protection Control Matrix

Code snippet hidden for website display

Example 2: Automated Protection Control Implementation

Code snippet hidden for website display

Example 3: CloudFormation Template for Classification-Based Protection

Code snippet hidden for website display

Example 4: Terraform Configuration for Multi-Service Protection Controls

Code snippet hidden for website display

Relevant AWS Services

Encryption Services

• AWS Key Management Service (KMS): Customer-managed keys for sensitive data encryption
• AWS CloudHSM: Hardware security modules for highest security requirements
• AWS Certificate Manager: SSL/TLS certificates for encryption in transit

Access Control Services

• AWS Identity and Access Management (IAM): Fine-grained access control policies
• AWS Single Sign-On (SSO): Centralized access management
• Amazon Cognito: User authentication and authorization
• AWS Secrets Manager: Secure storage and rotation of secrets

Monitoring and Auditing Services

• AWS CloudTrail: API call logging and audit trails
• Amazon GuardDuty: Threat detection and security monitoring
• Amazon Macie: Data classification and sensitive data discovery
• AWS Config: Configuration compliance monitoring
• AWS Security Hub: Centralized security findings management

Data Loss Prevention Services

• Amazon Macie: Content inspection and DLP capabilities
• AWS Network Firewall: Network-level content filtering
• Amazon VPC: Network segmentation and traffic control

Backup and Recovery Services

• AWS Backup: Centralized backup across AWS services
• Amazon S3 Cross-Region Replication: Geographic data distribution
• AWS Storage Gateway: Hybrid cloud backup solutions

Benefits of Classification-Based Protection Controls

Security Benefits

• Proportionate Protection: Apply security controls appropriate to data sensitivity
• Risk Reduction: Reduce risk of data breaches through layered security
• Compliance Support: Meet regulatory requirements for data protection
• Threat Detection: Enhanced monitoring for sensitive data access

Operational Benefits

• Cost Optimization: Avoid over-protecting low-sensitivity data
• Automation: Automated application of protection controls
• Consistency: Standardized protection across all data assets
• Scalability: Easily extend protection to new data assets

Compliance Benefits

• Regulatory Alignment: Meet GDPR, HIPAA, PCI DSS requirements
• Audit Readiness: Comprehensive audit trails and documentation
• Policy Enforcement: Automated enforcement of data protection policies
• Risk Management: Clear documentation of protection measures

Related Resources

• AWS Well-Architected Framework - Data Classification
• Amazon S3 Security Best Practices
• AWS KMS Best Practices
• Amazon Macie User Guide
• AWS Security Blog - Data Classification
• NIST Privacy Framework ```