Data at Rest, Data at Risk?
By: Szu Chang, eSecurity Columnist/Editor,
As the security landscape changes, data privacy regulations are driving enterprises to take the protection of data at rest seriously. However, the security measures that enterprises employ to secure data at rest have many challenges to overcome.
Increasing Data Breaches
Data security breaches are occurring on an increasingly frequent basis, and have reached pandemic proportions -- more than 100 million Americans have been
exposed to potential identity theft, according to the . Also, more than 50 percent of companies reported data loss incidents in the last year, according to the 2006 Global Security Survey by .
Data breaches seemingly happen every week, and there have been even more highly publicized data breaches recently. In January 2007, retailer TJX Cos., the parent company of T.J. Maxx, Marshalls and several other retailers, revealed that it had been hit by a wide-reaching security breach that may leave its customers around the world exposed to fraud and identity theft from transactions that date back to 2003.
TJX's data breach exposed credit and debit card numbers and personal details of 45.7 million people. People familiar with the matter said the number of exposed cards could exceed the 40 million that were made vulnerable to fraud nearly two years ago in a breach involving CardSystems Solutions, Inc.
Another data breach incident was reported in the same month. About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated in January 2007, after the bank was told by Visa USA that a "large-scale data compromise" may have included its check cards.
that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data. Quite a few banks are replacing cards or notifying customers to
be extra vigilant in monitoring their accounts.
Regulations Compliance Challenges
What's more, as the security landscape changes, sensitive data loss poses a real threat to every business. Those recent high-profile data breaches affecting millions of consumers are not the only reason for many enterprises to seriously address the need to protect the sensitive data in the
Regional and vertical mandates, such as data privacy regulations, put further pressure on enterprises to ensure data security. A range of privacy regulations and guidelines are now driving enterprises to take a more proactive stance on protecting data from breach.
Those regulations include the European Union's Data Privacy Directive, Japan's Personal Information Protection Act, U.S. state breach notification laws (e.g. California Senate Bill 1386), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI/DSS). Those have been around for several years now and require different organizations to continue strengthening their IT infrastructure for data loss prevention to support regulatory compliance. For example, GLBA is a federal privacy regulation that mandates security and privacy best practices for financial institutions.
The PCI/DSS, by contrast, is a set of security practices set forth by American Express, Discover, Japan Central Bank, MasterCard, and VISA to protect cardholder data. It is an industry-established policy requiring compliance by all merchants and service providers that store, process, or transmit cardholder data.
Not surprisingly, data loss prevention is now the top category of promising new security technology, cited by 40 percent of respondents in the December 20, 2006, CISO
Survey Results by Merrill Lynch.
At Rest or In Motion
Business and government organizations have to safeguard sensitive information — whether it is located on servers,
desktops, laptops and removable devices (data at rest) or exiting the network via email, web, FTP or other Internet protocols (data in motion).
In other words, the data security breaches may come from:
- data in motion
- data at rest
Enterprises must move from perimeter and infrastructure protection to protecting the data itself, regardless of whether it is data in motion or data at rest. This includes the protection of customer data, corporate data, intellectual property and other sensitive information.
Data in motion protection secures data as it travels over an unprotected network, for example customers' personal data transmitted via e-mail, Web HTTP/HTTPS, FTP, IM, or generic TCP/IP.
Data at rest protection, on the other hand, secures data when it is not traveling over the network, including data stored on file servers, desktops, and laptops. It also includes securing and controlling confidential data on removable media.
Data at Risk
SSL, VPN and SSL/VPN are often used to protect data in motion, and they are very effective techniques for securing the data. Application and message level security, such as Web Services Security, goes one level up to further protect the message end-to-end.
As the technologies for protecting data in motion have matured, data in motion is not the weakest link in the chain in most cases; instead, data at rest represents the higher risk if proper protection is lacking.
An enterprise's sensitive data can be housed or located on data storage devices
within the enterprise in any place where data reside. These include the following:
- At the application-level
- Within data repositories, such as content management systems, relational databases, or SQL database servers
- In files and operating systems
- On laptops and mobile devices
- On removable media, including USB drives/memory sticks, CD-ROMs, iPods, and other removable media
- In data storage and tape backup
In today's data-centric enterprises, data mobility, storage consolidation and replication have dramatically increased the exposure of data at rest -- a single breach can now compromise terabytes of data,
and millions of records.
Traditional data protection approaches focus on the network and the perimeter of systems. There are many perceived limitations in this approach that limit the adoption of more effective technologies in the data at rest world. This turns data at rest into data at risk.
Encrypt Data at Rest
To secure data at rest in an enterprise environment, data encryption is often the first technology considered. However, it can be challenging due to its significant impact on the application systems. The concerns include performance implications, cost, and key management issues.
For example, social security numbers are sensitive customer data. When stored in the database, they should be protected from data breaches. However, the social security number is often used as the primary key in many applications. If the social security number column is encrypted, then many applications need to be redesigned or rewritten.
Costly application redesign is not the only issue. Encryption and decryption will impact system performance. The biggest issue is key management. All encryption/decryption methods require a key. Which key to use to encrypt which document and how to keep those keys secure are tough questions to be addressed.
In other words, how to effectively and efficiently manage encryption keys generated by disparate enterprise applications, and how to ensure the seamless flow of protected data at rest, is a big challenge.
When adopting an enterprise-wide approach to data protection, in addition to application
redesign, systems performance and key management challenges, there are more challenges to overcome. Other challenges include the following:
- Sensitive Data Discovery: as sensitive data at rest could be stored in many different locations, an automated tool is required for enterprises to discover confidential data stored anywhere within the enterprise.
- Metadata on Data at Rest: an inventory of metadata on data at rest should be maintained, so that in the case of a data breach, incident responders can rapidly gain visibility into metadata on exposed data at rest, such as file owner, Access Control List (ACL) privileges and date last modified.
- Policy Management: the access control policy for all data at rest should be established and managed. This includes who can access what, where and when, as well as how to access the data at rest.
- Policy Enforcement: once the policy is established, policy enforcement should be in place. Only people who have the privilege to access the data at rest can grant the access right. Illegal access attempts should be alerted on and monitored at the central site.
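To make the Sensitive Data Discovery and Metadata on Data at Rest points concrete, here is an added example (not part of the original article) that walks a directory tree, flags files containing social security or payment card numbers, and records the owner, permissions and last-modified time an incident responder would ask for. The patterns, the POSIX permission checks and the names `scan_tree` and `demo` are assumptions made for illustration, and the sample files are constructed.

```python
import os
import re
import stat
import tempfile

# Candidate patterns (assumed): US SSN ddd-dd-dddd and 13-16 digit card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_tree(root):
    """Return one inventory record per file under root that holds hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read()
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: a real tool would log this
            ssn = len(SSN_RE.findall(text))
            pan = sum(luhn_ok(re.sub(r"\D", "", m)) for m in PAN_RE.findall(text))
            if ssn or pan:
                findings.append({"path": path, "ssn_hits": ssn, "pan_hits": pan,
                                 "owner_uid": st.st_uid, "mode": stat.filemode(st.st_mode),
                                 "world_readable": bool(st.st_mode & stat.S_IROTH),
                                 "mtime": int(st.st_mtime)})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Scan constructed sample files (test card number, made-up SSN)."""
    samples = {"export.csv": ("name,ssn\nJ. Doe,123-45-6789\n", 0o644),
               "orders.txt": ("card 4111 1111 1111 1111\n", 0o600),
               "notes.txt": ("ticket 1234 5678 9012 3456\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return scan_tree(root)
```

The `world_readable` flag and `mode` string tie the discovery result to the access control policy: a file with hits that anyone on the host can read is the first candidate for remediation.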
Data Not At Risk
The need to protect data at rest cuts across companies large and small, within every industry. To ensure that data at rest is not data at risk, proper protection of confidential data must be in place.
Enterprises must move from perimeter and infrastructure protection to protecting the data itself. A strategy and solution that enable enterprises to implement the necessary controls to protect confidential data from unintended exposure must be in place.
Simple data encryption is not the solution to the problem. Instead, a whole end-to-end solution for protecting data at rest that includes key management, access control and policy management must be adopted.
About The Author
Szu Chang, CISSP, is the e-Security Columnist/Editor of the Internet Journal, http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to email@example.com.