Classification Storage A practical solution to file classification for information security En praktisk lösning till fil klassificering för informationssäkerhet Joël Sloof <[email protected]> Faculty of Health, Science and Technology Master thesis in Computer Science Second Cycle, 30 hp (ECTS) Supervisor: Leonardo A. Martucci, University of Karlstad, SWE <[email protected]> Examiner: Karl­Johan Grinnemo, University of Karlstad, SWE <karl­[email protected]> Karlstad, June 6th, 2021 Abstract In the information age we currently live in, data has become the most valuable resource in the world. These data resources are high value targets for cyber criminals and digital warfare. To mitigate these threats, information security, laws and legislation is required. It can be challenging for organisations to have control over their data, to comply with laws and legislation that require data classification. Data classification is often required to determine appropriate security measured for storing sensitive data. The goal of this thesis is to create a system that makes it easy for organisations to handle file classifications, and raise information security awareness among users. In this thesis, the Classification Storage system is designed, implemented and evaluated. The Classification Storage system is a Client–Server solution that together create a virtual filesystem. The virtual filesystem is presented as one network drive, while data is stored separately, based on the classifications that are set by users. Evaluating the Classification Storage system is realised through a usability study. The study shows that users find the Classification Storage system to be intuitive, easy to use and users become more information security aware by using the system. Keywords Data Classification, Information Classification, User­Driven Classification, Information Security Awareness iii Sammanfattning I dagens informationsålder har data blivit den mest värdefulla tillgången i världen. Datatillgångar har blivit högt prioriterade mål för cyberkriminella och digital krigsföring. För att minska dessa hot, finns det ett behov av informationssäkerhet, lagar och lagstiftning. Det kan vara utmanande för organisationer att ha kontroll över sitt data för att följa lagar som kräver data klassificering för att lagra känsligt data. Målet med avhandlingen är att skapa ett system som gör det lättare för organisationer att hantera filklassificering och som ökar informationssäkerhets medvetande bland användare. Classification Storage systemet har designats, implementerats och evaluerats i avhandlingen. Classification Storage systemet är en Klient–Server lösning som tillsammans skapar ett virtuellt filsystem. Det virtuella filsystemet är presenterad som en nätverksenhet, där data lagras separat, beroende på den klassificeringen användare sätter. Classification Storage systemet är evaluerat genom en användbarhetsstudie. Studien visar att användare tycker att Classification Storage systemet är intuitivt, lätt att använda och användare blir mer informationssäkerhets medveten genom att använda systemet. Nyckelord Dataklassificering, Informationsklassificering, Användardriven Klassificering, Informationssäkerhet Medvetenhet iv Acknowledgements I would like to thank and acknowledge all the people at Veriscan for introducing me to the field of information security. Their experience and guidance, motivated me to pursue a career in information security and inspired me to create the Classification Storage system. My family has always supported me in my ventures and that includes this one. I would like to thank my parents and siblings for supporting me and my crazy ideas in life and in this project. Special thanks goes to my fiance Matilda for her love, support and for always believing in me. v Contents 1 Introduction 1 1.1 Thesis Goals and Results .......................... 2 1.2 Methodology ................................. 2 1.3 Ethics and Sustainability .......................... 3 1.4 Thesis Outline ................................ 4 2 Background and Related Work 5 2.1 WebDAV ................................... 6 2.2 Middleware .................................. 6 2.3 Bit Field .................................... 7 2.4 Filesystem in Userspace .......................... 7 2.5 Windows Shell Extension .......................... 8 2.6 Sticky Policies ................................ 8 2.7 Microsoft 365 ................................. 9 2.8 Summary ................................... 9 3 System Architecture 11 3.1 Classification Storage ............................ 11 3.1.1 File Storage ............................. 13 3.1.2 Server / Virtual Storage ....................... 13 3.1.3 Clients ................................ 13 3.2 Server Architecture ............................. 14 3.2.1 Sabre/DAV .............................. 15 3.2.2 Authentication Module ........................ 15 3.2.3 Virtual Filesystem .......................... 15 3.2.4 Server API .............................. 16 3.3 Client Architecture .............................. 16 3.3.1 Client (FUSE) ............................ 17 3.3.2 Windows FUSE Module ....................... 18 3.3.3 Classification Service ........................ 18 3.3.4 Classification Module ........................ 19 3.4 Summary ................................... 19 4 System Implementation 20 vi CONTENTS 4.1 Server ..................................... 20 4.1.1 Sabre/DAV .............................. 22 4.1.2 Virtual Filesystem .......................... 23 4.1.3 Classification Plugin ......................... 24 4.2 Client ..................................... 26 4.2.1 CSFS ................................. 27 4.2.2 CSShellExtension .......................... 29 4.2.3 CSDialogBox ............................. 31 4.3 Summary ................................... 32 5 System Evaluation 34 5.1 Usability Study ................................ 35 5.1.1 Part One: Interview ......................... 35 5.1.2 Part Two: Experiment ........................ 35 5.1.3 Part Three: Post Experiment Interview .............. 38 5.2 Recruitment and Participants ........................ 39 5.3 Ethical Considerations ............................ 39 5.4 Data Analysis ................................. 40 5.5 Results .................................... 43 5.6 Limitations .................................. 44 5.7 Summary ................................... 45 6 Discussion 46 6.1 Classification Storage ............................ 46 6.2 Evaluation Results .............................. 47 6.3 Limitations .................................. 48 6.4 Summary ................................... 49 7 Conclusions 50 References 52 vii Chapter 1 Introduction Throughout history, information has always been an important asset and with the invention of information technology systems (IT systems) and the digital evolution, these assets have evolved to becoming the most valuable resource in the world [37]. The rapid development and adoption of IT and communication systems have changed the world through a digital revolution leading to the current information age [7]. Organisations all over the world are constantly collecting and processing more and more data to analyse and use to their benefit [43]. With data being as valuable as it is and organisations and systems being interconnected across the world, data has become a high value target for cyber criminals and digital warfare [13, 20]. These threats require mitigation in the form of information security, legislation and laws. Legislation and laws are not only focused on the protection of data but also on regulating unlawfully acquired data, preventing organisations from breaching privacy laws and protecting users. For organisations to be compliant with legislation and laws, adequate controls need to be implemented to ensure that sensitive data is secure at all times. Two examples of such controls are ISO 27001 Annex: A.8.2.1 Classification of Information and Annex: A.8.2.2 Labeling of Information [1]. A.8.2.1 is about securing information according to its significance. A.8.2.2 is about labeling information following a classification scheme or policy for an organisation. These types of controls can be challenging to implement on unstructured data such as Word­documents and other files. File classification and labeling of this type of unstructured data, enhances information security and governance [36]. Information security awareness is an important part of information security and information security awareness training has proven to enhance security for organisations [9]. Data classification tools can be used for file classification to enhance information security and comply with legislation and laws. Data classification tools and systems do not only improve information security and identifiability of data, but also raises awareness among users of their responsibilities in protecting the data [36]. 1 CHAPTER 1. INTRODUCTION This thesis explores if a system can be created, where users set classifications and labels when working with files directly. The system should also store files separately depending on classification levels. 1.1 Thesis Goals and Results The goal of this thesis is to design, implement and evaluate a system that allows users to perform file classifications. The system should be able to store files separately based on classification to allow for appropriate security measures to be applied for each classification level. To users, this distributed storage system should be presented as
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages69 Page
-
File Size-