Data at Rest, Data at Risk?
By Steve Tsai, Managing Editor, Internet Journal
As the security landscape changes and data privacy regulations are driving
enterprises to seriously protect data at rest. However, the security measures that enterprises employ to secure data at rest have many challenges to overcome.
Increasing Data Breaches
Data security breaches are occurring on an increasingly frequent basis, and have reached pandemic
proportions -- more than 100 million Americans have been exposed to potential identity theft, according to the . Also, more than 50 percent of companies reported data loss incidents in the last year, according to the
2006 Global Security Survey by .
Data breaches seemingly happen every week and there are even more highly publicized data breaches recently. In January 2007, retailer TJX Cos., the parent company of
T.J. Maxx, Marshalls and several other retailers, revealed that it has been hit by a wide-reaching security breach that may leave its customers around the world exposed to fraud and identity theft from transactions that
date back to 2003.
TJX's data breach exposed credit and debit card numbers and personal details of 45.7 million people. People familiar with the matter said the number of exposed cards could exceed 40
million that were made vulnerable to fraud nearly two years ago in a breach involving CardSystems Solutions, Inc.
There was another data breach incident reported in the same month. About 1,300 debit-ATM
cards issued by Fitchburg Savings Bank were deactivated in January 2007, after the bank was told by Visa USA that a "large-scale data compromise" may have included its check cards.
It appears that Visa has
notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data. Quite a few banks are replacing cards or notifying customers to be extra vigilant in
monitoring their accounts.
Regulations Compliance Challenges
What's more, as the security landscape changes, sensitive data loss poses a real threat to every business. Those recent
high-profile data breaches affecting millions of consumers are not the only reason for many enterprises to seriously address the need of protecting the sensitive data in the enterprise environment.
vertical mandates, such as data privacy regulations put further pressure on enterprises to ensure data security. A range of privacy regulations and guidelines now are driving enterprises to take a more proactive stance
on protecting data from breach.
Those regulations include the European Union's Data Privacy Directive, Japan's Personal Information Protection Act, U.S. state breach notification laws ( e.g.
California Senate Bill 1386), Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI/DSS).
All of those have been around for several years now and require different
organizations to continue strengthening its IT infrastructure for data loss prevention to support regulation compliance. For example, GLBA is a federal privacy regulation which mandates security and privacy
best-practices for financial institutions.
Whereas the PCI/DSS is a set of security practices set forth by American Express, Discover, Japan Central Bank, MasterCard, and VISA to protect cardholder data.
It is an industry-established policy requiring compliance by all merchants and service providers that store, process, or transmit cardholder data.
Not surprisingly, data loss prevention is now the top
category of promising new security technology, cited by 40 percent of respondents in the December 20, 2006, CISO Survey Results by Merrill Lynch.
At Rest or In Motion
government organizations have to safeguard sensitive information — whether it is located on servers, desktops, laptops and removable devices (data at rest) or exiting the network via email, web, FTP or other Internet
protocols (data in motion).
In other words, the data security breaches may come from:
- data in motion
- data at rest
Enterprises must move from perimeter and infrastructure protection to protecting the data itself, regardless it is data in motion or data
at rest. These include the protection of customer data, corporate data, intellectual property and other sensitive information.
Data in motion protection is to secure the data travels over unprotected
network, for example customer's such as personal data transmit via e-Mail, Web HTTP/HTTPS, FTP, IM, or generic TCP/IP.
On the other hand, data at rest protection is to secure the data when it is not traveling over
the network, including protect data stored on file servers, desktops, and laptops. It also includes securing and controlling over confidential data on removable media.
Data at Risk
SSL, VPN and
SSL/VPN are often used to protect data in motion, and they are very effective techniques to secure the data. Application and message level security, such as Web Services Security, take one more level up to further
protect the message end-to-end.
As the technologies are more matured in protecting data in motion, data in motion is not the weakest link in the chain for most of cases; instead the data at rest represent
higher risk if proper protection is lacking.
An enterprise's sensitive data can be housed or located on data storage devices within the enterprise in any place where data reside. These include the following:
- At the application-level
- Within data repositories, such as content management systems, relational databases, or SQL database server
- In files and operating systems
- On laptops and mobile devices
- On removable media, including USB drives/ memory sticks, CD-ROMs, iPods, and other removable media
- In data storage and tape backup
In today's data-centric enterprises, data mobility, storage consolidation and replication have dramatically increased the exposure of data at rest -- a single breach can now compromise terabytes of data, and millions
Traditional data protection approach focus on the network and the perimeter of systems. There are many perceived limitations in this approach that limit the adoption of more effective technologies in the
data at rest world. This makes data at rest become data at risk.
Encrypt Data at Rest
To secure data at rest in an enterprise environment, data encryption is often the first technology
considered. However it can be challenging due to its significant impact on the application systems. These concerns include performance implications, cost, and key management issues.
For example, social security
numbers are sensitive customer data. When store in the database, they should be protected from data breaches. However, the social security number is often used as the primary key in many applications. If the social
security number column is encrypted, then many applications need to be redesign or rewrite.
Costly redesign application system is not the only issue. Encryption/decryption will impact system performance. The biggest
issue is the key management. All encryption/decryption methods require key. Which key to use to encrypt which document and how to keep those keys secure are tough questions to be addressed.
In other words,
how to effectively and efficiently manage encryption keys generated by disparate enterprise applications, and how to ensure the seamless flow of protected data at rest is a big challenge.
When adopting an enterprise-wide approach to data protection, in addition to application redesign, systems performance and key management challenges, there are more challenges to overcome.
Other challenges include the following:
Sensitive Data Discovery: as the sensitive data at rest could be stored in many different locations, automated tool is required for enterprises to discover
confidential data stored in any where within the enterprise.
Metadata on Data at Rest: the inventory of metadata of data at rest should be maintained, so that in the case of data breach,
incident responders can rapidly gain visibility into metadata on exposed data at rest, such as file owner, Access Control List (ACL) privileges and date last modified.
Policy Management: the
access control policy for all data at rest should be established and managed. This includes who can access what in where and when, as well as how to access the data at rest.
: Once the policy is established, the policy enforcement should be in place. Only the people has the privilege to assess the data at rest can grant the access right. The illegal access attempt should be alerted and
monitored at the central site
Data Not At Risk
The need to protect data at rest cuts across companies large and small, within every industry. To ensure the data at rest is not the data
at risk, the proper protection to the confidential data must be in place.
Enterprises must move from perimeter and infrastructure protection to protecting the data itself. Strategy and solution that enable
enterprises to implement the necessary controls to protect confidential data from unintended exposure must be in place.
Simple data encryption is not the solution to the problem. Instead, the whole
end-to-end solution for protecting data at rest that includes key management, access control and policy management must be adapted.
About The Author
Steve Tsai is the Managing Editor of the Internet Journal http://www.intnetjournal.com. Internet Journal provides the insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any
comments about Internet Journal, please send email to email@example.com.