Data Protection in Mac OS X

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: [email protected]
Volume 4, Issue 2, March-April 2015

ISSN 2278-6856

Data Protection in Mac OS X
Neha Setia1, Tarun Dalal2

1 M.Tech Scholar, CBS Group of Institutions, CSE Department, MDU Rohtak, India
2 Assistant Professor, CBS Group of Institutions, CSE Department, MDU Rohtak, India

Abstract
As our lives increasingly go digital, data protection has
become one of the critical concerns. With data breaches on
the rise, companies must remain vigilant in safeguarding their
assets. Breaches in data security can cost a company
customers and reputation and lead to significant fines or
damages. OS X is designed from the ground up with an eye
toward providing and maintaining system security in an
automatic and easy-to-use way. Apple strives to ensure that
OS X provides protection to systems, software, and data
without the need for advanced configuration or specialized
tools. Apple also implements many security features designed
to protect the confidentiality of both user and corporate data.
Some of these features protect data stored on a local or
removable volume (data at rest), while others protect data
shared on a local network or traveling across the Internet
(data in transit). Many of these technologies are inherent in
the design of the operating system and are active without
requiring configuration. Others, such as FileVault, can be
easily enabled and configured by both users and IT
departments. This paper will explore the features provided by
Apple in Mac OS X for Data Protection.

Keywords: Disk Image, FileVault, Keychains, Mac OS X

1. INTRODUCTION
Mac OS X is a series of Unix-based graphical interface
operating systems developed and marketed by Apple Inc.
It is designed to run on Macintosh computers, having been
pre-installed on all Macs since 2002. It was the successor
to Mac OS 9, released in 1999, the final release of the
"classic" Mac OS X, which had been Apple's primary
operating system since 1984. OS X is Apple's powerful
operating system for desktop and portable computers. Since
its introduction in 2001, OS X has become an
increasingly attractive alternative to other operating
systems because of its combination of innovative
technologies. Apple, third-party developers, and security
experts build OS X on a foundation of open source
components that have been through decades of intense
scrutiny. Apple participates in the open source community
by sharing the development process of many OS X
components with third party developers. OS X is the only
operating system that combines the powerful open source
UNIX foundation with a state-of-the-art user interface,
offering all the ease of use for which Apple is known.
Furthermore, Apple provides an exceptional development
platform, as evidenced by the large selection of high-quality
third-party software titles available for it. Data protection
is an important concept for every operating system. In
this paper, various data protection techniques that Apple
has incorporated into the Mac are identified.

2. DATA PROTECTION
OS X includes easy-to-use methods for ensuring that data
stored on Mac systems is kept in a secure manner. As with
other systems and devices, OS X uses file and data
encryption to ensure privacy. Apple has worked to provide
secure encryption tools that are easy to use and as
transparent as possible to trusted users. In addition, OS X
provides both local and remote methods for secure
sanitization of data on a Mac system, preventing recovery
if a computer is decommissioned, repurposed, lost, or
stolen. The secure erase functionality in OS X meets the
standards for sanitizing magnetic media set by the U.S.
Department of Defense. Data security is not only
integrated with the online services that we use but also
with the data that we store on our devices. Data encryption
techniques provide data security; however, data loss
prevention is also considered when we talk about data
protection. OS X is known for the security features that
it provides, so this paper will explore the features given in
Mac OS X by Apple to provide data protection.
2.1 FileVault
FileVault provides full disk encryption for “data at rest.”
This protection can be applied to both internal and
removable drives. FileVault employs XTS-AES-128 data
encryption to secure data on a Mac system should it be lost
or stolen. Enterprise organizations should consider
requiring the use of FileVault to protect sensitive data
stored on Mac systems, particularly on portable systems
like the MacBook Air. FileVault is the full-disk
encryption routine in OS X that will secure all files on the
drive, including OS X system files, applications, caches
and other temporary files; any of which may contain
personal or sensitive information. To ensure security when
you turn on FileVault, other security features are also
turned on. For example, when you turn on FileVault, you
need a password to log in when your Mac is in sleep, or
after leaving the screen saver. After the initial startup,
only users enabled in FileVault can log in; other users
need an administrator to log in first.
To enable FileVault, follow the steps below:
• From System Preferences, select the Security &
Privacy system preference.
• Go to the FileVault tab, unlock the preference, and
click Turn On FileVault.

• When you do this, you’ll be asked to choose the user
accounts that are authorized to unlock the disk.
Click Continue and your Mac will begin encrypting
your drive. This may take a while to do, especially
with large mechanical drives, where both encrypting
and optimizing may take a number of hours to
complete.

Figure 1 Enable FileVault
When FileVault is enabled on Mac systems, a preboot
authentication prompts the user for login credentials.
Valid credentials must be entered before continuing the
boot process. Valid credentials must also be entered to
gain access to specialized startup modes, such as target
disk mode. Without valid login credentials or a recovery
key, the whole volume remains encrypted and is protected
from unauthorized access even if the physical drive is
removed and connected to another system. When
FileVault is enabled, initial encryption is fast and
performed unobtrusively in the background. Designed for
balanced system performance, FileVault relinquishes
processor cycles to higher-priority user tasks and
applications. After initial encryption is complete all data
is protected at rest. FileVault ensures that data actively
being used is only encrypted or decrypted at runtime as
needed. During setup, FileVault generates a personal
recovery key (PRK) to allow access to the encrypted
volume should a user’s password be forgotten or otherwise
unavailable. In an enterprise environment, this PRK could
be recorded and securely stored by the IT organization (or
the owner of the computer in a BYOD situation). IT
departments should implement an institutional recovery
key (IRK) to accommodate forensic and electronic
discovery processes if needed.
Full disk encryption is primarily useful for protecting a
stolen Mac. When your drive is unlocked, files on it can
be read. However, before it’s unlocked (i.e., your Mac is
shut down), all data on the drive will be scrambled. This
prevents data recovery by unauthorized third parties, who
might try to access it using Target Disk mode on your
Mac or by removing your Mac’s hard drive and attaching
it to another computer.

2.2 Encrypted Disk Image
Unlike images used for system deployment, encrypted disk
images serve as secure containers that can be used to store
or transfer sensitive documents and other files. Disk
images can be encrypted using either 128-bit or 256-bit
AES encryption. Because a mounted disk image is treated
as a local volume connected to a Mac system, users can
copy, move, and open files and folders stored in it. As
with FileVault, a disk image’s contents are encrypted and
decrypted in real time. Users can use
encrypted disk images to safely exchange documents, files,
and folders by saving the encrypted disk image to
removable media, sending it via email, or storing it on a
remote server.
An encrypted disk image works just like a regular disk
image but requires a password to open and become
available ("mount"). You can move files to or from an
encrypted disk image as easily as you can from a
non-encrypted disk image.

Follow the steps below to create an encrypted
disk image:
1. Open Disk Utility (located in
/Applications/Utilities/).
2. Click the New Image button, or choose File > New >
Blank Disk Image.
3. Type a name in the Save As field. This name will be
used for the disk image (.dmg) file.
4. Change the save destination if you wish.
5. Select a size for the disk image file from the Size
pop-up menu.
6. Choose a different volume format if you don't want to
use the default Mac OS X Extended (Journaled).
7. Choose an image format. You can use "sparse disk
image" for a disk image that only uses as much space
as it needs, rather than a set amount of space. If
you're not sure, use the "read/write disk image" choice.
8. Choose 128-bit AES encryption (and/or 256-bit AES
in Mac OS X v10.5 or later) from the Encryption
pop-up menu to encrypt the image's contents with a
password. If you don't choose an encryption, your new
image won't be encrypted.
9. Click the Create button.
10. Enter and verify a good password in the dialog
window that appears. This password will be saved in
your keychain by default, or you can deselect
"Remember password (add to keychain)" if you don't
want it saved. You can store the password in the
keychain for convenience.
11. Click OK.
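
Step 8 notes that an image created without an encryption choice is not encrypted, so it is worth checking an image before it is emailed or copied to removable media. The following Python check is an added example, not part of the paper: it classifies an image by its header or trailer magic and treats anything it cannot prove encrypted as unsafe to share. The magic values come from public analyses of Apple's disk image formats, and the sample byte strings are constructed stand-ins for real .dmg files.

```python
import io

# Magic values from public format analyses (not from the paper):
# a version 2 encrypted image starts with "encrcdsa", a version 1
# encrypted image ends with "cdsaencr", and a plain UDIF image ends
# with a 512-byte trailer that starts with "koly".
V2_MAGIC = b"encrcdsa"
V1_MAGIC = b"cdsaencr"
UDIF_MAGIC = b"koly"
UDIF_TRAILER_LEN = 512


def classify_image(stream):
    """Return 'encrypted-v2', 'encrypted-v1', 'unencrypted-udif' or 'unknown'."""
    stream.seek(0, io.SEEK_END)
    size = stream.tell()
    if size < len(V2_MAGIC):
        return "unknown"
    stream.seek(0)
    if stream.read(len(V2_MAGIC)) == V2_MAGIC:
        return "encrypted-v2"
    stream.seek(size - len(V1_MAGIC))
    if stream.read(len(V1_MAGIC)) == V1_MAGIC:
        return "encrypted-v1"
    if size >= UDIF_TRAILER_LEN:
        stream.seek(size - UDIF_TRAILER_LEN)
        if stream.read(len(UDIF_MAGIC)) == UDIF_MAGIC:
            return "unencrypted-udif"
    return "unknown"


def unsafe_to_share(images):
    """Return sorted (name, kind) pairs for images not proven encrypted."""
    flagged = []
    for name, data in images.items():
        kind = classify_image(io.BytesIO(data))
        if not kind.startswith("encrypted"):
            flagged.append((name, kind))
    return sorted(flagged)


# Constructed byte strings standing in for real image files.
SAMPLES = {
    "payroll.dmg": V2_MAGIC + b"\x00" * 1024,
    "legacy.dmg": b"\x00" * 1024 + V1_MAGIC,
    "plain.dmg": b"\x00" * 2048 + UDIF_MAGIC + b"\x00" * 508,
    "notes.txt": b"not a disk image",
}

if __name__ == "__main__":
    for name, kind in unsafe_to_share(SAMPLES):
        print(f"{name}: {kind} -> do not send as is")
```

To check files on disk, open each one with open(path, "rb") and pass the file object to classify_image.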


Figure 2 Disk Utility
2.3 Keychains
OS X offers a secure store known as a keychain.
Keychains provide a convenient and secure repository for
credentials such as digital identities, user names and
passwords, encryption keys, and secure notes. Using
keychains eliminates a user’s need to enter, or even
remember, the credentials for each resource. Keychain is
the password management system in OS X developed by
Apple. It was introduced with Mac OS 8.6, and has been
included in all subsequent versions of Mac OS, including
OS X. Using a unique password for each resource is a
good security practice. This can be a daunting task given
the number of file servers, websites, email accounts,
encrypted volumes, and other password-protected
resources encountered by today’s users.
A keychain can store all your passwords for applications,
servers, and websites, or even sensitive information
unrelated to your computer, such as credit card numbers
or personal identification numbers (PINs) for bank
accounts.
When you connect to a network server, open an email
account, or access any password-protected item that is
keychain-aware, your keychain can provide the password
so you don't have to type it.

Figure 3 Keychain Access

An initial default keychain is created for each Mac user,
though users can also create additional keychains for
specific purposes.
In addition to user keychains, OS X relies on a number of
system-level keychains that maintain authentication assets
that are not user-specific, such as network credentials and
public key infrastructure (PKI) certificates. One of these
keychains, the “System Roots” keychain, is an immutable
store of Internet PKI root certificates to facilitate common
tasks like online banking and e-commerce. IT
administrators can similarly deploy internally provisioned
certificate authority (CA) certificates to managed Macs to
aid in the validation of internal sites and services.
2.4 Secure Erase
In standard computing models, including OS X, files and
data are only removed from a storage device when another
file is written over the storage used by the “deleted” data.
Many commercial disk management, data recovery, and
forensic tools offer the ability to recover deleted files from
a device. Even if data is partially overwritten, the original
files can often be reconstructed to some extent. This
creates a security challenge for enterprises as well as
individual users. To help ensure data cannot be recovered,
there are two options. The first is to securely encrypt data
and ensure the security of user credentials and recovery
keys for a system or external drive. Even if the physical
media is lost, stolen, or compromised, the data remains
secure provided any credentials for decryption remain
secure.
The second option is to use a sanitization feature named
secure erase. As mentioned earlier, OS X provides tools to
sanitize data by overwriting the original drive contents (or
the portion of the drive marked as free space, which
retains deleted files). There are varying levels of security
offered depending on the number of passes and whether
each pass uses a specific data pattern or random data.
Disk Utility in OS X offers multiple sanitization options
for an entire volume or free space. A seven-pass erase
option is available that meets U.S. Department of Defense
standards (DoD 5220.22-M). Users can also initiate
sanitization while deleting files using the Secure Empty
Trash command in the Finder. This command overwrites
files as they are deleted using a single-pass erase.
Disk Utility in OS X includes the ability to securely erase
the free space on a hard drive, to reduce the chances of
deleted files being recoverable.
There are multiple erasure options that offer different
levels of security:
• "Zero Out Data" option
This is the quickest free space erasure option, and
provides good security. It writes zeros over the unused
disk space (one pass). This option takes the least
amount of time.
• "7-Pass Erase" option
Writes data over the free disk space seven times. This
provides a highly secure erasure of disk data. A 7-Pass
Erase takes seven times longer than a Zero Out
Data erase.
• Advanced: The 7-Pass Erase option conforms to the
DoD 5220.22-M specification. This specification calls
for three passes, but Disk Utility performs seven.
7-pass overwrite data (DoD 5220.22-M specification)

Pass   Data written (binary notation)   Data written (hexadecimal notation)
1      11110110                         0xF6
2      00000000                         0x00
3      11111111                         0xFF
4      Random                           Random
5      00000000                         0x00
6      11111111                         0xFF
7      Random                           Random

Figure 4: Multiple Pass Erase
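
The pass sequence in the table can be applied to a single file as well as to free space. The following Python sketch is an added example, not Apple's implementation or code from the paper: it overwrites a regular file in place with the seven patterns, flushes each pass to the device, and reads back every fixed-pattern pass. The function names, chunk size and demo file are assumptions made for illustration.

```python
import os
import tempfile

# Pass sequence from the table above: a fixed byte value, or None for a
# pass of random data.
SEVEN_PASS = (0xF6, 0x00, 0xFF, None, 0x00, 0xFF, None)
CHUNK = 64 * 1024  # illustrative chunk size


def _write_pass(fd, size, pattern):
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        block = os.urandom(n) if pattern is None else bytes([pattern]) * n
        remaining -= os.write(fd, block)  # os.write may write fewer than n bytes
    os.fsync(fd)  # push this pass to the device before starting the next


def _verify_pass(fd, size, pattern):
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(pattern) != len(data):
            return False
        remaining -= len(data)
    return True


def overwrite_file(path, passes=SEVEN_PASS, unlink=True):
    """Overwrite a regular file in place, one pass per entry in `passes`.

    Returns the list of patterns applied (None means a random pass).
    """
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        for pattern in passes:
            _write_pass(fd, size, pattern)
            if pattern is not None and not _verify_pass(fd, size, pattern):
                raise IOError(f"pass 0x{pattern:02X} did not read back")
    finally:
        os.close(fd)
    if unlink:
        os.remove(path)
    return list(passes)


if __name__ == "__main__":
    # Constructed demo file; never point this at data you still need.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed secret " * 1000)
    print(overwrite_file(tmp.name))
```

In-place overwriting only reaches the original blocks on media and file systems that write in place; flash wear levelling, snapshots and copy-on-write file systems can keep older copies. On such storage the first option described in this section, encrypting the data and protecting the keys, is the one to rely on.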
2.5 Remote Lock and Wipe
With Find My Mac you can locate and protect your Mac if
it is lost or stolen. To use Find My Mac, simply enable it
in System Preferences. You need to have set up Find My
Mac before your Mac is lost.
If you lose your Mac or think it might be stolen, you can
use the Remote Lock and Remote Erase options, which
become available when the “Find My Mac” feature is
enabled in iCloud.

Figure 5 iCloud Preferences
The OS X Server Profile Manager (as well as some third-party
MDM solutions) offers a managed method for
remotely locking and wiping a lost or stolen system. Many
MDM solutions include a self-service portal where users
can enroll Mac systems and download approved apps.
Most MDM packages include the ability for users to
remotely lock, wipe, and locate Mac systems and other
devices using that self-service portal without assistance
from IT.

3. Conclusion
Data Protection is an ever-present concern for IT teams in
all organizations. OS X offers a solid set of data protection
components built into every Mac. OS X also integrates
with many industry-standard solutions and meets or
exceeds stringent data protection guidelines from U.S.
federal government agencies. In addition, Apple provides
tools and guidance to IT departments to secure their data
in an Enterprise.

Acknowledgment
My thanks to the expert Mr. Laeeq Humam, Consultant,
HCL Technologies – IOMC who has contributed in the
research work for the development of the paper.
