A technique of isolating the data became very popular from the moment of the foundation and is used today. Developers won’t let us lie because the cost of data breaches could be up to $4 million in 2022. It depends on the company and the protection level, but who wants to make tests and lose money?
To give a better understanding of what is data isolation and how it helps users to protect their system from attacks. Keep reading, and you will find lots of useful information.
Data isolation allows you to isolate the storage area of data in the address space layout. You can manage access for different isolation areas, which automatically protects the data from manipulation.
One of the most complicated things about data isolation is its structure. Beginners may face difficulties while trying to understand how this technique works. So, we will provide a description for each category and each level. After reading our article, the data isolation definition won’t be so problematic for you.
The main idea of the software-based isolation is to create a segmentation. With it, you have access to the memory in the operating system. Moreover, segmentation allows you to get the settings of a specific segment (address, size, and access permission). The access permission could be made in two modes: kehler mode or the user mode. This allows you to isolate the operating system and user applications to avoid unnecessary troubles.
An example is IBM Watson Query that provides an architecture that isolates customer data and compute from other customers or other resources groups. It uses separate Kubernetes namespaces for each resource group you provision the service into, with seperate worker nodes for each of these namespaces. Each provisioned system also has separate encrypted block storage as well as seperate cloud object storage buckets.
The main idea of this type of isolation is in creating extended page tables (EPT) that are configured by the hypervisor for memory virtualization facilitation. How does it work? Let’s say we have a readactor, which is an example of hardware-based data isolation that performs the execution of the pages via extended page tables. If the code or data wasn’t previously read, you can execute it, thwarting JIT-ROP attacks. However, it’s not the only option for hardware-based isolation.
Another kind of hardware-based isolated data is a memory protection extension (MPX). The main idea is to divide the user's address space into two regions: the regular region and the secret one. Each region gets strong access isolation, allowing developers to avoid uninvited users in their space.
Data could be isolated into 4 levels. The higher level you have, the higher system settings and resources you may need to make the isolation real. Now, we will quickly run through each level.
Combining data isolation with other methods of protection will help you to create a strong defense of your system and keep your data safe. However, to perform a proper installation you may prepare well, and some operations may be complicated for users. It doesn’t mean you should give up - just ask for help. Our team is ready to help, and if you need to deal with something else (for example, perform a risk assessment or something with isolation in cyber security), give us a call!
For your convenience, we’ve divided our blog on cyber security into several categories so that you can find necessary articles fast and effortlessly. Just choose the category that evokes your interest and enjoy reading.