
When it comes to protecting confidential information, we find that clients require different approaches or have different protection needs. Some clients need to protect information on mobile or portable equipment to prevent problems if it is lost or stolen. Others want to keep their documents protected on file servers, so that they are protected even from improper access by IT staff. Sometimes, due to compliance policies, customers need to protect documentation while it travels as an email attachment because they use managed email services in the cloud. Others require protection for documentation that is sent to third parties, or even internally, in order to minimize the possibility that it can be copied, unprotected or accessed by users without the right permissions.

In this series of blog articles we will try to explain the different states of information and what protection options can be used in each case. We can consider three states for information or data:

  • Data at rest: Information stored on hard drives, file servers, databases, etc.
  • Data in transit or in motion: Information that travels through email, HTTP, instant messaging or any other type of public or private communication channel.
  • Data in use: Information that is opened and consumed by an application or accessed by users.
[Figure: the three states of information]

Regulations such as FACTA, or HIPAA in the scope of health services, also refer to data “disposed of”, i.e. physical documents or digital data that must be destroyed, where physical or electronic data disposal procedures are used to make sure that files are securely removed or overwritten on hard drives, or that physical documents are properly destroyed.

We begin this first article of the series by talking about the protection of data at rest. With this term we refer to information that is not being accessed and that is stored in physical or logical media. Examples include files stored on file servers, database records, documents on flash drives, etc. This data can be regarded as “secure” when it is encrypted (so that decrypting it by brute force would take an unfeasible amount of time), the key is not present on the media itself nor on the node associated with the media, and the key is of sufficient length and randomness to be functionally immune to a dictionary attack.

In this scope we can find different information protection technologies such as:

  • Full-disk encryption or device encryption: Full-disk encryption ensures that if a laptop or computer is lost, for example, the information stored on it cannot be accessed simply by inserting the hard drive into another machine or device. It has the advantage of being “transparent” to the user: once the user has logged in to the computer correctly, he can access the encrypted documents in the same way he would on an unencrypted computer. However, if any other user is logged in to the computer, or the file server is accessible by the administrator, nothing prevents a dishonest user from accessing the data, copying it, forwarding it, etc. The data is protected while it resides on the device or hard drive, but it becomes unprotected once it is extracted (copied to another device, sent by email, etc.).
  • File-level encryption: Instead of encrypting a partition or the whole disk, only individual files or folders (folder-level encryption) are encrypted. Files can be encrypted with public-key or symmetric encryption. Files are not only encrypted when stored on the hard drive; they also remain protected in transit when they are sent, e.g. as email attachments. In this case access is no longer “transparent” to the user, and the transparent protection is lost as well. With PGP, for example, it is necessary to have the public key of the person I want to share the protected file with, and the recipient will need my public key to be able to decrypt the file. Furthermore, once the document has been decrypted by the recipient, it can be stored or sent on unprotected.
  • Database encryption: Database systems such as SQL Server or Oracle use TDE (Transparent Data Encryption) to protect the data stored in databases. TDE performs real-time encryption and decryption of the data and log files. This allows application developers to work with data encrypted using AES or 3DES without needing to modify existing applications. This technology protects data at rest in the database, but not once the data has been accessed and extracted by the corresponding application.
  • Encryption using Digital Rights Management: IRM technology (Information Rights Management) encrypts documentation and applies a persistent protection to the files. The documentation at rest is encrypted and only accessible to users with the right permissions. For example, with SealPath, based on AD-RMS (Microsoft Active Directory Rights Management Services), documents are encrypted with 128-bit / 256-bit AES using 1024-bit / 2048-bit RSA keys. Unlike file-level encryption, the receiving user can access the document to read and modify it but cannot decrypt the entire file (unless the user has full-control permissions over it).
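As an added illustration (written for this article, not SealPath's or AD-RMS code), the following Go program shows the hybrid scheme behind the file-level and IRM bullets above: each file gets its own random AES-256 content key, that key is wrapped with RSA-OAEP once per authorised recipient, and the raw key is never written beside the ciphertext, so a user with no wrapped-key entry, or with the wrong private key, cannot recover the document. The `Envelope` type and the `Protect`/`Open` functions are assumptions of this example, not any product's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is a protected file: AES-256-GCM ciphertext plus the content key wrapped
// with RSA-OAEP once per authorised recipient; the raw AES key is never stored beside the data.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // recipient name -> wrapped content key
}
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Protect encrypts doc under a fresh AES-256 key and wraps that key to each
// recipient's RSA public key: the AES/RSA split described for IRM above.
func Protect(doc []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	env := &Envelope{Nonce: nonce, Ciphertext: gcmFor(key).Seal(nil, nonce, doc, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}
// Open unwraps the content key for one named recipient and decrypts the file.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	// A missing entry (nil ciphertext) and the wrong private key both fail here,
	// so a user without permissions gets an error and never sees the AES key.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[name], nil)
	if err != nil {
		return nil, errors.New("no access for " + name)
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Note that once `Open` succeeds the recipient holds the plaintext and can store or forward it, which is exactly the limitation the file-level bullet describes; the IRM behaviour of "read and modify but not decrypt the whole file" needs a trusted viewer enforcing permissions, which this snippet does not model.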

Challenges of protecting data at rest:

Currently IT departments face many challenges when they want to protect information at rest:

  • Information can be stored in different formats and devices: Critical documentation is not only stored on file servers or in document management systems; there can also be copies of the documents on users’ PCs, USB devices, etc.
  • BYOD and storage on mobile devices: Mobile phones and tablets have spread into the corporate environment and are working tools that may contain important documents at rest which must be protected. Additionally, many of the mobile devices where critical information is stored are not corporate but personal, and beyond the control of IT departments.
  • Inability to control cloud storage: Many storage providers offer encryption and protection of the data at rest they manage. However, the encryption keys are owned by the storage providers themselves and not by the companies that use the services, so control of the documentation stored in these clouds is lost.
  • Need to comply with various data protection regulations: Depending on the vertical market in which the company operates, there can be data protection regulations that affect the way the company stores data from employees, customers or any other third party. For example, patient data in the health sector or customer data in the financial sector are protected by regulations such as the Data Protection Act, HIPAA, PCI, etc., depending on the territory. These regulations impose policies on protecting data at rest regardless of whether it is stored in a database, on a file server or on mobile devices.

To overcome these challenges, IT departments must analyze the main risks they face when managing their data at rest and select the technology or technologies, prioritizing those that enable them to remove or mitigate the most probable risks and/or those with the most impact on their organization.

In the following chapters of this three-article series we will analyze the protection technologies for data at rest and in use.