Data at rest…it’s a prime target for attackers. Whether it’s on the local hard drive of the server they pwn, or stored on the laptop that grew wings and landed in their hands, or the USB key they filch when you’re not looking, or the network share that has too many permissions set…that data is worth its digital weight in gold!
What’s in it? It could be your customers’ NPI including all the details needed for a nice round of identity theft. Maybe it’s just credit card numbers…yeah, just credit card numbers. Or perhaps it is some trade secret your business depends upon, or even emails that you’d really rather your clients not learn about (think Sony!). Maybe it’s just internal business plans for the next quarter. It really doesn’t matter what data is syphoned. There is a reason you aren’t posting it on your public website, and there’s also a reason you are keeping it. So if you keep it, encrypt it!
Data at rest
Data at rest is any data that is stored. That could be files on a network share, or stored on a local hard drive, or even on a USB key. But that can also be data on backup tapes, or mailbox databases. Really, anything that at any time is stored, and that persists after a reboot, constitutes data at rest.
When an attacker has either network or physical access to the storage media, whatever it is, then the attacker has the ability to get to the data. Most applications store data in the clear. Also called “cleartext,” this is data that other programs can read, and that does nothing on its own to enforce permissions when it is reached by alternative means.
Take a file. You can set permissions on the share, which will require authentication and only permit authorized users to access it, as long as it is in that share! But if an authorized user copies the file from the share to a USB key, then anyone with physical possession of that USB key can access the data. A backup tape holds all kinds of juicy bits. Anyone who has that tape and the tape drive to access it can restore that data to an alternate location, and access the files.
The same holds true for email. Exchange databases enforce permissions, but these databases are just files. If you can grab a copy of the file, you can restore it to another server you control and then you can access the data. A user running Outlook with an OST file and a handful of PST files has a copy of all their email right on the local hard drive. If their laptop gets pinched, then the bad guys have all their email. How much sensitive data is sitting in that email?
Encryption protects data from unauthorized access…even when other protections like permissions or physical access don’t exist. You can encrypt data stored on drives or tapes or you can encrypt entire drives and tapes. You can even add encryption to file types using digital rights management technologies so that, even when a file leaves the storage you control, you can still protect it by restricting who can do what with it.
Encryption comes in a number of forms. Let’s start from the broadest and work through to the narrowest.
Whole drive encryption
Many operating systems offer built-in capabilities for encrypting an entire drive. The most well-known of these is Microsoft Windows’ BitLocker, but Linux and Mac both offer encrypting file systems, and there are third-party products that can also encrypt entire drives. Whether applied to a laptop or to a server’s drives, these systems ensure that if someone gains physical access to the drive, such as through theft, they cannot access the data on the drive unless they have the key (or recovery key) to decrypt the drive. System drives’ keys are stored within the operating system.
Whole drive encryption should be applied to all systems, but must be applied to any system that is portable, like laptops, or that lacks strong physical security, like many desktops.
Backup tapes go missing. It’s a fact. When those tapes go missing, all of the data on them is at risk…unless you are encrypting your backups. Then, without the passphrase or certificate used to decrypt them, they are useless to anyone who comes across them, on eBay or in a shadowy back alley.
Tape encryption should be applied to all backup tapes. No exceptions.
Portable drive encryption
These technologies can also be applied to portable media, like USB keys, so that when they get lost – and you know they will – whoever finds them can only format them to reuse. The data remains inaccessible. Portable media usually require a password or passphrase, and as a result, are only as resilient as the password is strong. But with good password policies and user education, this is a very effective way to protect data from theft or loss.
Encrypting portable media must be a requirement for all external storage, whether that is external hard drives, USB keys, SD cards, or even mobile devices. If it is portable, encrypt it. No exceptions.
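One way to check a Linux system against the whole drive and portable media requirements above, as an added example that is not part of the original article: it walks the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` prints and reports every mounted filesystem with no dm-crypt layer beneath it. The sample output is constructed, and the allowance for clear boot partitions is an assumption.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` output.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "rm": false,
   "children": [
     {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
      "mountpoint": "/boot/efi", "rm": false},
     {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
      "mountpoint": null, "rm": false,
      "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
         "mountpoint": "/", "rm": false}]},
     {"name": "nvme0n1p3", "type": "part", "fstype": "ext4",
      "mountpoint": "/srv/data", "rm": false}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "exfat",
      "mountpoint": "/media/usb", "rm": true}]}
]}
"""

# Assumption: boot partitions stay in the clear so the machine can start.
EXPECTED_CLEAR = {"/boot", "/boot/efi"}


def unencrypted_mounts(lsblk_json, expected_clear=EXPECTED_CLEAR):
    """Return (device, mountpoint, removable) for every mounted filesystem
    that has no dm-crypt ("crypt") layer anywhere beneath it."""
    findings = []

    def walk(node, under_crypt, removable):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Older util-linux prints RM as "0"/"1", newer as a JSON boolean.
        removable = removable or node.get("rm") in (True, "1")
        mount = node.get("mountpoint")
        if mount and not under_crypt and mount not in expected_clear:
            findings.append((node["name"], mount, removable))
        for child in node.get("children", []):
            walk(child, under_crypt, removable)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False, False)
    return findings


if __name__ == "__main__":
    for name, mount, removable in unencrypted_mounts(SAMPLE_LSBLK):
        kind = "portable" if removable else "fixed"
        print(f"{kind:8} {name:10} mounted at {mount} is not encrypted")
```

The check only sees block-layer encryption (dm-crypt/LUKS); self-encrypting drives and file-system-level encryption do not appear in `lsblk` and need a separate check.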
You can password protect individual files, like Office documents, PDFs, or PST files, but it’s better if they are stored on encrypted media. The password protections for Office, PDF, and PST files are not as robust as drive encryption, and there are lots of third-party software packages purpose-built to break the encryption on these files. Digital Rights Management schemes like Microsoft’s Rights Management Services can be applied to supported file formats and enforce restrictions on files so that even when they are moved to insecure media, or transferred to third parties, access and use are protected.
The bottom line
If you keep it, encrypt it. It’s a pretty simple philosophy that is incredibly easy to follow, incredibly important to stick to, and incredibly dangerous to discard. Each and every year, we hear about laptops that are stolen which contained PII on hundreds of thousands of customers, or databases containing credit card data that was exfiltrated by a hack. We don’t hear as much about the USB keys that are lost, or the backup tapes that go missing, but ask around the office. Encryption is the best, and easiest, way to apply a layer of security to all that data your company holds dear.