1

Access Controls — ACLs, File Systems & Geographic Access

An Access Control List (ACL) is a list of permission entries that defines who can do what with a resource. Each individual entry in an ACL is called an Access Control Entry (ACE). ACLs can be applied to file systems, network devices, and databases — anywhere that resources need to be protected.

ACL-capable file systems

NTFS
Windows File System
Supports granular ACLs on files and folders. Permissions: Full Control, Modify, Read & Execute, Read, Write, Delete. Share permissions (simple) apply over the network; NTFS permissions (granular) apply locally. Standard practice: permissive share, restrictive NTFS.
EXT3 / EXT4
Linux File Systems
Traditional Linux file systems supporting the owner/group/other (rwx) permission model. EXT4 is the more modern and common version. Both support ACLs via the setfacl/getfacl commands beyond the basic rwx model.
ZFS
Advanced Linux/Unix File System
A more modern, high-capacity file system supporting built-in data integrity checking (checksums), snapshots, and ACLs. Increasingly common in enterprise Linux environments and network-attached storage.

Database security — fine-grained permissions

Databases allow more granular permission control than file systems. Rather than just "can this user access this file," databases can control permissions at the level of individual tables, views, records, and fields. You can also restrict which SQL operations a user can perform:

Object-level permissions
Control access per table, view, or stored procedure. A user might be able to read from the Customers table but not the SalaryHistory table. Much more granular than file-level ACLs.
Statement-level permissions
Control which SQL statements a user can execute: SELECT (read), INSERT (add), UPDATE (modify), DELETE (remove). A reporting user might only have SELECT permission — they can read but never modify data.

Geographic access requirements

Storage location (data sovereignty)
Where you put your servers determines which laws govern your data. Servers in Germany = GDPR. Different countries have different privacy laws. Geographic location of the server is a deliberate compliance decision.
Employee access location
Employees who travel need access from multiple geographic locations. Cloud-based systems with global nodes can support this. VPNs provide secure access but extend the corporate network boundary.
Geographic blocking
If your business only operates in one region, you can geographically block access from all other areas. Block by country, state, or even city. Reduces attack surface significantly — most attacks come from unexpected locations. Legitimate security control when your user base is defined and local.
2

File System Permissions — Windows icacls & Linux rwx/Octal

Incorrect permissions = data breaches. If a folder that should be private is set to publicly visible due to a misconfiguration, that's a breach. Permissions must be verified regularly (see Ch.26 IAM auditing — permission creep). The icacls command in Windows and chmod/chown in Linux are the primary tools for viewing and modifying these.

Windows permissions — icacls

icacls (Integrity Control Access Control Lists) is the Windows command-line tool for showing and modifying file permissions.

FlagPermissionWhat it allows
NNo accessUser has no permissions on this resource whatsoever
FFull controlRead, write, delete, change permissions, take ownership — complete control
RRead-onlyCan view and copy but cannot modify, delete, or execute
RXRead & executeCan view and run executables, scripts, and programs
MModifyCan read, write, and delete — but cannot change permissions or take ownership
WWriteCan create new files and write to existing ones, but cannot read other files in the folder
DDeleteCan delete the file or folder

Usage example: icacls \\server\share\folder /grant:r "group:(OI)(CI)R" — grants read-only to a group, with OI (Object Inherit) and CI (Container Inherit) flags ensuring sub-files and sub-folders inherit the permission.

Linux permissions — rwx, octal notation, chmod, chown

In Linux, everything is treated as a file — files, directories, devices, memory. Permissions apply universally. Three permission types (read/write/execute) across three subjects (owner/group/world) create a 9-character permission string.

Linux Permission String — Owner / Group / World Breakdown (755 example)
-
r
w
x
r
-
x
r
-
x
type
OWNER (rwx)
GROUP (r-x)
WORLD (r-x)
r
w
x
7
Owner (4+2+1)
-
r
-
x
5
Group (4+0+1)
-
r
-
x
5
World (4+0+1)
r = 4
read
w = 2
write
x = 1
execute
- = 0
no permission
777
rwxrwxrwx — all permissions for everyone (dangerous)
755
rwxr-xr-x — owner full, group/world read+exec
750
rwxr-x--- — owner full, group read+exec, world none
644
rw-r--r-- — owner read+write, group/world read only
600
rw------- — owner read+write only, nobody else
400
r-------- — owner read only, most restrictive

Key Linux permission commands

chmod — change mode
Modifies permissions on files and directories. Numeric: chmod 755 file. Symbolic: chmod g+x,o-r file (add execute for group, remove read for others). Or explicit: chmod u=rwx,g=rw,o=rx file.
chown — change owner
Changes the owner of a file or directory. chown jason home changes the owner of the home directory to the user jason. Can also change group ownership: chown jason:staff home.
3

Encryption — Data at Rest, in Motion & in Use

Encryption is a form of risk mitigation for access controls. Even if file permissions are misconfigured and someone accesses a file they shouldn't, if the file is encrypted they still can't read the contents. Encryption protects data across all three of its possible states.

Data at Rest
Inactive stored data
Data sitting on a hard drive, SSD, tape, or cloud storage — inactive, not being transmitted. Vulnerable to physical theft of the storage medium. Protection: whole-disk encryption (BitLocker, VeraCrypt), database encryption, file/folder encryption. If the drive is stolen, the attacker can't read the data without the key.
Data in Transit / Motion
Actively moving over network
Data travelling from server to client over a network. Vulnerable to network interception and MITM attacks. Protection: transport encryption protocols — TLS/HTTPS (web traffic), IPSec (VPNs), WPA2/3 (WiFi), SSH (remote administration). The channel itself is encrypted.
Data in Use
Loaded in RAM/CPU
Data decrypted and loaded into RAM or CPU for active processing. Hardest to protect — the data must be readable to the processor. Encrypted files get decrypted when opened. Protection: processor security extensions (Intel SGX Secure Enclaves, AMD SEV), Trusted Execution environments. See Chapter 28.
4

DLP — Data Loss Prevention: Components & Four Actions

Data Loss Prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorised systems or transmitted over unauthorised networks. DLP keeps your data from leaving your control.

Three DLP components

Policy server
Central management component. Configures classification rules, confidentiality policies, and privacy rule sets. Defines how incidents are logged and compiled into reports. The brain of the DLP system — where you set what is and isn't allowed.
Endpoint agent
Software installed on client computers. Enforces DLP policy even when the device is not connected to the network. Example: prevents copying files to a USB drive on a laptop that's offline — the policy is enforced locally, not just at the network boundary.
Network agent
Network appliance sitting at the network boundary. Scans messages, emails, and file transfers as they cross the perimeter. Interfaces with web proxies and email gateways. Catches data leaving the network before it exits.

Four DLP actions — in escalating severity

Alert
Copying is allowed, but the event is logged and an alert is sent to the administrator. Lowest intervention — audit only. User can still copy the file but it's recorded.
Block
Copying is prevented — user cannot take the file. But the user still has access to the original file on the network. Their action is stopped, not their access.
Quarantine
Access to the original file is denied to the user (or all users). Often done by encrypting the file so it's unreadable. Both copying and viewing are prevented.
Tombstone
The original file is quarantined AND replaced with a placeholder message: "This file has been removed due to a DLP policy violation. Contact [administrator] to reinstate." Most severe action.
DLP can scan both structured and unstructured data. Structured = JSON, CSV, database exports with defined fields. Unstructured = chat, email, Word documents, PDFs. Most sensitive leakage happens in unstructured formats (someone copies a Word document containing PII to a personal USB). DLP must handle both types to be effective.
5

DLP Discovery & Classification — Six Methods

Before DLP can protect data, it needs to identify what should be protected. DLP uses six different discovery and classification methods to detect sensitive data in structured and unstructured formats.

1. Classification
Matches rules based on confidentiality tags or labels already applied to the data (e.g. from data classification system). If a "Secret" labelled file tries to be emailed by someone with only "Unclassified" clearance, DLP flags it. Uses existing classification metadata.
2. Dictionary
A set of patterns — specific words, phrases, or regex expressions — that trigger DLP. Example: code name "Tiger" for a secret project. Any document or email containing "Tiger" trying to leave the network is blocked. Fully configurable by the organisation.
3. Policy Template
A specialised dictionary optimised for a regulatory or legislative schema. Pre-built templates exist for PCI DSS (credit card numbers), HIPAA (health data patterns), GDPR (EU personal data), and others. Contains optimised patterns for social security numbers, passport formats, taxpayer IDs, etc.
4. Exact Data Match (EDM)
A structured database of hashed string values. Instead of storing actual sensitive data in the DLP (which creates a new risk), the values are hashed and the hashes are what DLP searches for. Match the hash = found sensitive data. Protects the reference database itself from being a source of leakage.
5. Document Matching
Matches against entire or partial documents using cryptographic hashing. The sensitive PowerPoint presentation is hashed, and DLP watches for that hash trying to leave the network. Partial matching can detect individual slides, images, or sections within a larger document.
6. Statistical / Lexicon
A further refinement of partial document matching using machine learning. Analyses a range of data sources beyond simple hash matching. The system learns what sensitive data looks like and becomes more accurate over time. Handles novel content not covered by static rules.
6

De-Identification — Masking, Tokenisation & Re-Identification Risk

De-identification removes identifying information from data before distributing it, allowing the data to be used for analysis or sharing without violating privacy. Once de-identified, data that was previously private becomes usable again for other purposes. Typically implemented as part of database design.

Data Masking
A generic or placeholder label substitutes for real data, preserving the original format and structure. The substitution is not reversible.
Credit card 4111-2345-6789-0001 becomes XXXX-XXXX-XXXX-0001. SSN 123-45-6789 becomes 111-11-1111 for all records. Format preserved, data erased.
Tokenisation
A unique random token substitutes for real data. Unlike masking, tokenisation is typically reversible — a secure vault maps tokens back to real values. Allows the data to be processed normally while keeping the original values secret.
SSN is replaced with random Student ID 789234. The vault in the secure safe can map 789234 back to the real SSN when needed. Staff see only the token.
Aggregation & Banding
Individuals are grouped and their data is generalised to protect individual identity. Rather than "Subject #42 had no side effects," report "90 of 100 trial participants had no side effects." No individual can be uniquely identified in the aggregate.
Age bands (30–40) instead of exact ages. Report "female, married, 30–40" rather than individual records. Groups large enough to prevent isolation.
Re-Identification Risk
An attack that combines de-identified datasets with other available data sources to uncover individual identities. Small populations make re-identification much easier — age band + sex + marital status in a 10-person company uniquely identifies one person. Scale matters: what's safe at 400 employees may not be safe at 10.
Survey response: female, married, 30–40. In a 10-person company = only one match. In a 400-person company = 50+ matches. The same data can be safe or unsafe depending on population size.
7

DRM & Watermarking

DLP prevents data from leaving your network. But what about data that has to leave — your product is digital? Digital Rights Management (DRM) protects digital content after it leaves your control by making it technically difficult to copy, share, or use without authorisation.

Hardware DRM
Requires an authorised playback device. PlayStation games only work on PlayStation hardware. Early DVDs were region-coded — a US disc wouldn't play on an Asian player. Hardware enforcement means the content literally cannot be played without the right device.
Software DRM
Uses a software viewer or authentication system. Digital textbooks viewable only through the publisher's website or app. Authentication to the server happens at playback — the content cannot be read offline or shared. The viewer controls access, not the file itself.

Watermarking

Watermarking applies a unique, anti-tamper signature to a copy of a document, image, or file to identify its owner or track its distribution.

Visible watermarks
Large, obvious overlays on images or documents — "CONFIDENTIAL," a company name, or "NOT FOR REDISTRIBUTION." Shutterstock's "Shutterstock" overlay on preview images is a visible watermark. Deters casual copying. Easily removed from physical watermarks by cropping but forensic watermarks survive cropping.
Forensic watermarks
A hidden digital signature embedded in the file — invisible to the user but detectable by the issuer. May encode the recipient's identity, IP address, or a unique file ID. Survives cropping, resizing, and format conversion. Example: Axelos textbooks emailed to partners have the recipient's name on every page — if leaked, the source is immediately identifiable.
When to use DRM vs. DLP vs. watermarking
DLP = prevent data from leaving your network. DRM = protect digital products that must leave your control (movies, courses, textbooks). Watermarking = track and attribute content after it leaves — not prevention, but forensic attribution if it's misused. All three can be used together for layered protection.

Exam

Quick Reference Cheat Sheet

Access controls & file systems
ACL = list of permissions; ACE = individual entry in an ACL. ACL-capable file systems: NTFS (Windows), EXT3/EXT4 (Linux), ZFS (Linux/enterprise). Database: more granular — table/view/record/field level + SQL statement permissions (SELECT/INSERT/UPDATE/DELETE). Geographic blocking = restrict by country/region when user base is defined and local.
Windows permissions (icacls)
N=No access. F=Full control. R=Read only. RX=Read & execute. M=Modify. W=Write. D=Delete. Share permissions = simple, apply over network (usually permissive full control). NTFS permissions = granular, apply locally (usually more restrictive). Best practice: permissive share + restrictive NTFS. OI=Object Inherit, CI=Container Inherit flags.
Linux permissions (rwx/octal)
r=4 w=2 x=1 (add them: rwx=7, rw=6, rx=5, r=4, none=0). Three sets: owner, group, world/other. Example: 755 = rwxr-xr-x (owner full, group/world read+exec). chmod = change permissions (chmod 755 file OR chmod g+x,o-r file). chown = change owner (chown jason file). 777 = dangerous (all permissions for everyone).
Encryption by data state
At Rest = stored on disk. Protection: BitLocker, VeraCrypt, AES-256 disk encryption, database encryption. In Motion/Transit = crossing network. Protection: TLS/HTTPS, IPSec/VPN, WPA2/3 WiFi, SSH. In Use = in RAM/CPU. Hardest to protect. Protection: Intel SGX Secure Enclaves, AMD SEV, Trusted Execution (Ch.28). Encryption = risk mitigation for when access controls fail.
DLP components & actions
3 components: Policy Server (central rules), Endpoint Agent (enforces when offline), Network Agent (boundary appliance). 4 actions (escalating severity): 1 Alert (log only, copying allowed), 2 Block (copying prevented, access maintained), 3 Quarantine (original file access denied, often encrypted), 4 Tombstone (file replaced with policy violation message). Scans structured (CSV/JSON) and unstructured (email/Word) data.
DLP discovery methods (6)
1 Classification (uses data labels/tags). 2 Dictionary (word/phrase/regex patterns). 3 Policy Template (regulatory presets — PCI DSS/HIPAA/GDPR). 4 Exact Data Match/EDM (hashed database of sensitive values). 5 Document Matching (hashes of entire or partial documents). 6 Statistical/Lexicon (machine learning + partial matching). For exam: know all six names and a one-sentence description of each.
De-identification methods
Data Masking = replace with placeholder preserving format (not reversible). Tokenisation = replace with random token, reversible via secure vault. Aggregation/Banding = group individuals so no single person is identifiable. Re-identification risk = combining de-identified data with other sources can reveal individuals — risk is higher in small populations. What's safe in a 400-person company may not be safe in a 10-person company.
DRM & watermarking
DRM = copyright protection for digital media leaving your control. Hardware DRM = requires authorised playback device (PlayStation, region-coded DVDs). Software DRM = requires authorised viewer/app. Visible watermarks = obvious overlays (Shutterstock preview, CONFIDENTIAL). Forensic watermarks = hidden digital signature that survives cropping/resizing, enables attribution after a leak. DLP prevents leaving; DRM protects after leaving; watermark tracks attribution.