Data Protection
Encryption, DLP, data classification, and privacy regulations.
Overview
Data protection safeguards sensitive information.
Data Classification
| Level | Description | Example |
|---|---|---|
| Public | Unrestricted | Marketing materials |
| Internal | Employees only | Policies, procedures |
| Confidential | Limited access | Financial data |
| Restricted | Highly sensitive | PII, PHI |
Encryption at Rest
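```bash
# Full disk encryption (Linux)
cryptsetup luksFormat /dev/sda1            # initialize LUKS; overwrites existing data on the partition
cryptsetup luksOpen /dev/sda1 encrypted    # unlock the volume as /dev/mapper/encrypted
mkfs.ext4 /dev/mapper/encrypted            # create a filesystem inside the encrypted volume
mkdir -p /mnt/secure                       # the mount point must exist before mounting
mount /dev/mapper/encrypted /mnt/secure

# File encryption
gpg -c sensitive_file.txt                  # symmetric (passphrase) encryption; writes sensitive_file.txt.gpg
gpg sensitive_file.txt.gpg                 # decrypt back to sensitive_file.txt
```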
Encryption in Transit
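```bash
# TLS/SSL: generate a self-signed certificate and a 4096-bit RSA key, valid for 365 days
# (openssl prompts for a key passphrase and the certificate subject)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# SSH tunnel: forward local port 8080 to port 80 on the remote server over SSH
ssh -L 8080:localhost:80 user@remote-server
```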
Data Loss Prevention
```yaml
# DLP Rules
dlp_policies:
  - name: Credit Card Detection
    pattern: '\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b'
    action: block
    alert: true
  - name: SSN Detection
    pattern: '\b\d{3}-\d{2}-\d{4}\b'
    action: quarantine
    alert: true
```
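
An added example (not part of the original page): a minimal Python scanner that applies the two regexes from the policy above to constructed sample text. The Luhn checksum filter on card matches and the names `scan` and `luhn_valid` are assumptions of this example; the filter is there because a bare 16-digit pattern also matches order numbers and other non-card data.

```python
import re

# The two rules from the policy above: (name, pattern, action).
RULES = [
    ("Credit Card Detection",
     re.compile(r"\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b"), "block"),
    ("SSN Detection", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "quarantine"),
]

def luhn_valid(number):
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    # Double every second digit, counting from the rightmost digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return bool(digits) and total % 10 == 0

def scan(text):
    """Return a list of (rule name, action, redacted match) findings."""
    findings = []
    for name, pattern, action in RULES:
        for m in pattern.finditer(text):
            value = m.group(0)
            # Assumption of this example: card-shaped matches that fail
            # the Luhn check are treated as false positives and skipped.
            if name == "Credit Card Detection" and not luhn_valid(value):
                continue
            # Keep only the last four characters so alerts do not
            # re-expose the sensitive value they report.
            redacted = "*" * (len(value) - 4) + value[-4:]
            findings.append((name, action, redacted))
    return findings

# Constructed sample text (not real data).
SAMPLE = (
    "Order 1234 5678 9012 3456 shipped.\n"   # 16 digits, fails Luhn
    "Card on file: 4111-1111-1111-1111\n"    # common test number, passes Luhn
    "Employee SSN 078-05-1120 attached.\n"   # matches the SSN pattern
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```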
Privacy Regulations
| Regulation | Region | Requirements |
|---|---|---|
| GDPR | EU | Consent, data rights |
| CCPA | California | Consumer privacy |
| HIPAA | US Healthcare | PHI protection |
| PCI DSS | Payment | Card data security |
Data Masking
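```python
# Mask sensitive data
def mask_email(email):
    # Split on the last '@' so the domain is always the final component
    name, domain = email.rsplit('@', 1)
    if len(name) <= 2:
        # Too short to keep the first and last characters without exposing the name
        masked_name = '*' * len(name)
    else:
        masked_name = name[0] + '*' * (len(name) - 2) + name[-1]
    return f"{masked_name}@{domain}"

def mask_credit_card(card):
    # Show only the last four characters of the card number
    return f"{'*' * 12}{card[-4:]}"
```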
Best Practices
- Encrypt everywhere — Rest and transit
- Access controls — Need-to-know basis
- Data minimization — Collect only necessary
- Retention policies — Delete old data
- Audit logging — Track access
Practice
Implement encryption for sensitive data at rest and in transit.