Data at Rest, Data at Risk?
By Steve Tsai, Managing Editor, Internet Journal

The security landscape is changing, and data privacy regulations are driving enterprises to take the protection of data at rest seriously. However, the measures enterprises use to secure data at rest still face many challenges.

Increasing Data Breaches 

Data security breaches are occurring more and more frequently and have reached pandemic proportions: more than 100 million Americans have been exposed to potential identity theft, according to the . More than 50 percent of companies reported a data loss incident in the last year, according to the 2006 Global Security Survey by .

Data breaches seem to happen every week, and several recent ones have been highly publicized. In January 2007, retailer TJX Cos., the parent company of T.J. Maxx, Marshalls and several other retailers, revealed that it had been hit by a wide-reaching security breach that may leave its customers around the world exposed to fraud and identity theft from transactions dating back to 2003.

TJX's breach exposed the credit and debit card numbers and personal details of 45.7 million people. People familiar with the matter said this exceeds the roughly 40 million cards that were made vulnerable to fraud nearly two years earlier in the breach involving CardSystems Solutions, Inc.

Another breach was reported in the same month. About 1,300 debit/ATM cards issued by Fitchburg Savings Bank were deactivated in January 2007 after Visa USA told the bank that a "large-scale data compromise" may have included its check cards.

Visa appears to have notified a number of banks in Massachusetts that a large retailer had a problem with some of its customer data. Quite a few banks are replacing cards or telling customers to be extra vigilant in monitoring their accounts.

Regulatory Compliance Challenges

What's more, as the security landscape changes, the loss of sensitive data poses a real threat to every business. The recent high-profile breaches affecting millions of consumers are not the only reason for enterprises to seriously address the need to protect sensitive data in the enterprise environment.

Regional and vertical mandates, such as data privacy regulations, put further pressure on enterprises to ensure data security. A range of privacy regulations and guidelines are now driving enterprises to take a more proactive stance on protecting data from breaches.

These regulations include the European Union's Data Protection Directive, Japan's Personal Information Protection Act, U.S. state breach notification laws (e.g. California Senate Bill 1386), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).

All of these have been around for several years now, and they require organizations of many kinds to keep strengthening their IT infrastructure for data loss prevention in order to stay compliant. For example, GLBA is a federal privacy regulation that mandates security and privacy best practices for financial institutions.

PCI DSS, on the other hand, is a set of security practices set forth by American Express, Discover, JCB, MasterCard, and Visa to protect cardholder data.

It is an industry-established standard that requires compliance by all merchants and service providers that store, process, or transmit cardholder data.

Not surprisingly, data loss prevention is now the top category of promising new security technology, cited by 40 percent of respondents in the December 20, 2006 CISO Survey Results by Merrill Lynch.

At Rest or In Motion

Business and government organizations have to safeguard sensitive information whether it is located on servers, desktops, laptops and removable devices (data at rest) or leaving the network via email, web, FTP or other Internet protocols (data in motion).

In other words, data security breaches may involve either:

  • data in motion
  • data at rest

Enterprises must move from perimeter and infrastructure protection to protecting the data itself, regardless of whether it is in motion or at rest. This includes the protection of customer data, corporate data, intellectual property and other sensitive information.

Data in motion protection secures data as it travels over unprotected networks, for example customers' personal data transmitted via email, Web HTTP/HTTPS, FTP, IM, or generic TCP/IP.

Data at rest protection, on the other hand, secures data when it is not traveling over the network. This includes protecting data stored on file servers, desktops, and laptops, as well as securing and controlling confidential data on removable media.

Data at Risk

SSL, VPNs and SSL VPNs are often used to protect data in motion, and they are very effective at securing it. Application- and message-level security, such as Web Services Security, goes one level further to protect the message end-to-end.

Because the technologies for protecting data in motion are more mature, data in motion is not the weakest link in the chain in most cases; instead, data at rest represents the higher risk when proper protection is lacking.

An enterprise's sensitive data can be housed on storage devices anywhere within the enterprise. These locations include the following:

  • At the application level
  • Within data repositories, such as content management systems and relational or SQL database servers
  • In files and operating systems
  • On laptops and mobile devices
  • On removable media, including USB drives/memory sticks, CD-ROMs, iPods, and other removable media
  • In data storage and tape backup

In today's data-centric enterprises, data mobility, storage consolidation and replication have dramatically increased the exposure of data at rest -- a single breach can now compromise terabytes of data, and millions of records.

Traditional data protection approaches focus on the network and on the perimeter of systems. Many perceived limitations of this approach have slowed the adoption of more effective technologies for data at rest. This is what turns data at rest into data at risk.

Encrypt Data at Rest

To secure data at rest in an enterprise environment, data encryption is often the first technology considered. However, it can be challenging because of its significant impact on application systems. The concerns include performance, cost, and key management.

For example, Social Security numbers are sensitive customer data and should be protected from breaches when stored in a database. However, the Social Security number is often used as the primary key in many applications. If the Social Security number column is encrypted, many applications have to be redesigned or rewritten, because queries that search, join or index on the plaintext value no longer work against the ciphertext.

Costly application redesign is not the only issue. Encryption and decryption also affect system performance. The biggest issue, however, is key management. Every encryption method requires a key, and which key to use for which data, and how to keep those keys secure, are hard questions that must be answered.

In other words, managing the encryption keys generated by disparate enterprise applications effectively and efficiently, while ensuring the seamless flow of protected data at rest, is a major challenge.
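The usual way to keep an encrypted Social Security number column searchable without redesigning every application is a "blind index": the column is stored under AES-GCM, and a second column holds an HMAC of the plaintext under a separate key, so the application can still look a customer up by SSN without decrypting anything. The following Go program is an added example written for this article (not code from the article or from any product it mentions) and also shows the key-management side the text calls the biggest issue, with the data-encryption key wrapped by a key-encryption key (envelope encryption). It assumes an in-memory map in place of the database table, a hypothetical Record row type, and keys generated in process; in a real deployment the keys would come from a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a row of a hypothetical customer table; SSN holds only AES-GCM output (nonce || ciphertext || tag).
type Record struct {
	Name string
	SSN  []byte
}

// Vault holds the two run-time keys. A real deployment would fetch them from a key-management service (assumed here).
type Vault struct {
	dek      []byte // data-encryption key (DEK) for the SSN column
	indexKey []byte // independent key for the blind index
}

// mustRandom panics if the OS CSPRNG fails; no key material should be derived from that.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewVault() *Vault { return &Vault{dek: mustRandom(32), indexKey: mustRandom(32)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; it serves both column data and DEK wrapping.
func sealGCM(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// BlindIndex is deterministic, so equal SSNs give equal index values and the table can still be
// indexed and queried on the SSN. Its key is separate from the DEK: leaking it lets an attacker
// test candidate SSNs against the index, but not decrypt the column.
func (v *Vault) BlindIndex(ssn string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// WrapDEK is envelope encryption: the DEK is persisted only under a key-encryption key (KEK)
// held by the KMS, so rotating the KEK re-wraps one DEK instead of re-encrypting every row.
func (v *Vault) WrapDEK(kek []byte) ([]byte, error) { return sealGCM(kek, v.dek) }

func UnwrapDEK(kek, wrapped []byte) ([]byte, error) { return openGCM(kek, wrapped) }

// Table is an in-memory stand-in for the database, keyed by the blind index just as the real
// table would carry an indexed ssn_index column beside the ciphertext column.
type Table map[string]Record

func (t Table) Insert(v *Vault, name, ssn string) error {
	ct, err := sealGCM(v.dek, []byte(ssn))
	if err != nil {
		return err
	}
	t[v.BlindIndex(ssn)] = Record{Name: name, SSN: ct}
	return nil
}

// LookupBySSN is the primary-key lookup the article describes, done without decrypting
// anything: compute the index, then query on it. A hit is decrypted with openGCM(v.dek, r.SSN).
func (t Table) LookupBySSN(v *Vault, ssn string) (Record, bool) {
	r, ok := t[v.BlindIndex(ssn)]
	return r, ok
}

func main() {
	v, tbl := NewVault(), Table{}
	_ = tbl.Insert(v, "Alice Example", "123-45-6789") // constructed sample row, not a real person
	r, ok := tbl.LookupBySSN(v, "123-45-6789")
	fmt.Printf("found=%v name=%q ciphertext=%x\n", ok, r.Name, r.SSN)
}
```

The index being deterministic is what preserves the equality lookups and joins the applications depend on; the trade-off is that equal SSNs are visibly equal in the index column, which is why the HMAC key must be guarded as carefully as the DEK. Rotating the KEK touches one wrapped key; rotating the DEK itself still means re-encrypting the column, so the DEK is the key to rotate rarely and protect well.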

More Challenges 

When adopting an enterprise-wide approach to data protection, there are more challenges to overcome in addition to application redesign, system performance and key management. They include the following:

Sensitive Data Discovery: because sensitive data at rest may be stored in many different locations, enterprises need an automated tool to discover confidential data stored anywhere within the enterprise.

Metadata on Data at Rest: an inventory of the metadata of data at rest should be maintained, so that in the event of a breach incident responders can rapidly gain visibility into the exposed data, such as the file owner, Access Control List (ACL) privileges and the date last modified.
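The discovery and metadata points above are one tool in practice: a scanner that walks a file tree, looks for Social Security numbers and payment card numbers, validates each candidate (SSN issuance rules, Luhn checksum) to cut false positives, and records the permission bits and modification time with every hit. The Go program below is an added example for this article, not code from it or from any vendor it names; the file contents, paths and Finding type are constructed for illustration, and the file owner is left out because reading it portably needs platform-specific syscall.Stat_t fields.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Finding is one hit plus the metadata an incident responder asks for first (owner omitted; see lead-in).
type Finding struct {
	Path     string
	Kind     string // "ssn" or "card"
	Line     int    // 1-based
	Mode     os.FileMode // permission bits stand in for the ACL on POSIX systems
	Modified time.Time
}

var (
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	cardRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`) // 13-19 digits, optional separators
)

// validSSN drops candidates the SSA never issues (area 000, 666, 900-999; group 00; serial
// 0000), which removes most random 3-2-4 digit runs. String comparison is safe: all are 3 digits.
func validSSN(area, group, serial string) bool {
	return area != "000" && area != "666" && area < "900" && group != "00" && serial != "0000"
}

// luhnValid is the checksum every payment card number satisfies; expects digits only.
func luhnValid(digits string) bool {
	sum := 0
	for i, n := 0, len(digits); i < n; i++ {
		d := int(digits[n-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled, then digit-summed
			d = d*2%10 + d*2/10
		}
		sum += d
	}
	return sum%10 == 0
}

// ScanFile returns every validated hit in one file, each carrying the file's metadata.
func ScanFile(path string) ([]Finding, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var out []Finding
	add := func(kind string, line int) {
		out = append(out, Finding{Path: path, Kind: kind, Line: line, Mode: info.Mode(), Modified: info.ModTime()})
	}
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, text := range strings.Split(string(data), "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(text, -1) {
			if validSSN(m[1], m[2], m[3]) {
				add("ssn", i+1)
			}
		}
		for _, m := range cardRe.FindAllString(text, -1) {
			if luhnValid(strip.Replace(m)) {
				add("card", i+1)
			}
		}
	}
	return out, nil
}

// ScanTree walks a directory. Unreadable files are reported rather than skipped silently,
// because a file the scanner cannot open is exactly the blind spot worth recording.
func ScanTree(root string) (all []Finding, errs []error) {
	filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err == nil && !d.IsDir() {
			var f []Finding
			f, err = ScanFile(p)
			all = append(all, f...)
		}
		if err != nil {
			errs = append(errs, err)
		}
		return nil
	})
	return all, errs
}

func main() {
	findings, errs := ScanTree(".") // scans the current tree when run stand-alone
	for _, f := range findings {
		fmt.Printf("%s:%d %s perm=%v modified=%s\n", f.Path, f.Line, f.Kind, f.Mode.Perm(), f.Modified.Format(time.RFC3339))
	}
	fmt.Fprintln(os.Stderr, len(errs), "files could not be read")
}
```

Validation is what makes the output usable: a bare 3-2-4 pattern matches order numbers and dates, and a bare 13-19 digit run matches almost anything, so a discovery tool without these checks buries the real hits. The scanner reads whole files into memory, which is fine for documents but should be replaced by streaming for large archives or backups.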

Policy Management: an access control policy for all data at rest should be established and managed. This covers who can access what, where, when, and how.

Policy Enforcement: once the policy is established, it must be enforced. Only people who have been granted the privilege should be able to access the data at rest, and unauthorized access attempts should be monitored and raise alerts at a central site.
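The two points above describe a policy decision point that answers "who, what, how, when, where" and a policy enforcement point that denies everything not explicitly allowed and reports the denials centrally. The Go program below is an added example for this article (not code from it or from any product) of such an enforcer: rules are matched on subject, resource prefix, action, hour of day and source network, the default is deny, and every denial is appended to an alert list that stands in for the central monitoring site. The rule set, the payroll clerk, the paths and the addresses are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Rule grants Subject the listed Actions on every resource under Prefix, but only between
// FromHour (inclusive) and ToHour (exclusive) and only from the listed CIDR networks.
type Rule struct {
	Subject, Prefix  string
	Actions          []string
	FromHour, ToHour int
	Networks         []string
}

type Request struct {
	Subject, Resource, Action string
	At                        time.Time
	From                      net.IP
}

// Decision carries the reason so that a denial is auditable, not just a closed door.
type Decision struct {
	Allowed bool
	Reason  string
}

// Enforcer is deny-by-default: a request passes only if one rule covers every dimension
// (who, what, how, when, where). Denials go to Alerts, standing in for the central site.
type Enforcer struct {
	Rules  []Rule
	Alerts []string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func inNetworks(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// covers reports whether the rule permits q and, if not, which dimension failed first.
func (r Rule) covers(q Request) (bool, string) {
	switch {
	case r.Subject != q.Subject:
		return false, "subject"
	case !strings.HasPrefix(q.Resource, r.Prefix):
		return false, "resource " + q.Resource
	case !contains(r.Actions, q.Action):
		return false, "action " + q.Action
	case q.At.Hour() < r.FromHour || q.At.Hour() >= r.ToHour:
		return false, fmt.Sprintf("hour %02d outside %02d-%02d", q.At.Hour(), r.FromHour, r.ToHour)
	case !inNetworks(r.Networks, q.From):
		return false, "source " + q.From.String()
	}
	return true, ""
}

// Evaluate decides q and, on denial, records an alert naming the failing dimension of the
// subject's own rule, so responders can tell a policy gap from an intrusion attempt.
func (e *Enforcer) Evaluate(q Request) Decision {
	why := "no rule for subject"
	for _, r := range e.Rules {
		ok, reason := r.covers(q)
		if ok {
			return Decision{Allowed: true, Reason: "rule " + r.Subject + " " + r.Prefix}
		}
		if reason != "subject" {
			why = reason
		}
	}
	e.Alerts = append(e.Alerts, fmt.Sprintf("%s DENY %s %s %s from %s: %s",
		q.At.Format(time.RFC3339), q.Subject, q.Action, q.Resource, q.From, why))
	return Decision{Allowed: false, Reason: why}
}

func main() {
	e := &Enforcer{Rules: []Rule{{Subject: "payroll-clerk", Prefix: "/hr/payroll/", // constructed policy
		Actions: []string{"read"}, FromHour: 8, ToHour: 18, Networks: []string{"10.1.0.0/16"}}}}
	q := Request{"payroll-clerk", "/hr/payroll/2007-01.xls", "read",
		time.Date(2007, 1, 15, 10, 0, 0, 0, time.UTC), net.ParseIP("10.1.4.20")}
	fmt.Printf("%+v\n", e.Evaluate(q))
	q.At = time.Date(2007, 1, 15, 23, 0, 0, 0, time.UTC) // same clerk, after hours
	fmt.Printf("%+v\n%s\n", e.Evaluate(q), strings.Join(e.Alerts, "\n"))
}
```

Two design choices matter here. The enforcer never has an "allow" fallback, so a resource nobody wrote a rule for is unreachable rather than open. And a denial records which check failed: an after-hours read by the legitimate clerk from the office network reads very differently in the central console from a read attempt by an unknown subject from an outside address, and the responder should not have to re-derive that from raw file audit logs.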

Data Not At Risk

The need to protect data at rest cuts across companies large and small, in every industry. To ensure that data at rest is not data at risk, proper protection for confidential data must be in place.

Enterprises must move from perimeter and infrastructure protection to protecting the data itself. A strategy and solution that enable enterprises to implement the necessary controls to protect confidential data from unintended exposure must be in place.

Simple data encryption alone is not the solution. Instead, an end-to-end solution for protecting data at rest that includes key management, access control and policy management must be adopted.

About The Author
Steve Tsai is the Managing Editor of the Internet Journal. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to

