[Last updated September 25, 2019] To prevent confidential data from leaking out of your organization or getting stolen, your cyber security efforts have to be aimed at two areas: securing data-at-rest and securing data-in-motion. In this post, we’ll talk about the former.
What is data at rest?
Data at rest refers to information stored in employees’ local folders, in databases, on on-site and off-site backup tapes, on servers in a SAN (storage area network), and just about any data that isn’t being transmitted over a network (data in transit is known as data-in-motion).
Why it is under threat
A lot of the data stored in IT systems and devices these days contains sensitive information, ranging from trade secrets and financial data to personal information. This kind of information can be highly valuable to competitors and cyber criminals: competitors can use certain kinds of information to gain an unfair advantage, while cyber criminals can sell certain types of data on the dark web or in other shady marketplaces.
But why target data at rest? Well, compared to data-in-motion, which is data that's in transit on a network, data at rest is easier to acquire. If the data is stored in a portable device like a USB stick, a mobile phone, or a laptop, the attacker can simply steal that device. They can even steal an entire hard drive.
Even if the data isn't in a portable device, the prospect of getting hold of a large volume of valuable information from just one place (like a database or a server) is enough motivation to break into systems storing data-at-rest.
Compliance standards impacting data at rest
The growing number of data breach incidents and the ensuing cases of identity theft have prompted legislators to create laws designed to protect personally identifiable information (PII). Many of these laws impact the way you currently deal with data at rest. That is, if you want to avoid onerous obligations and costly penalties, you will have to adopt better ways of securing PII that is stored as data at rest.
Some of the most prominent laws and regulations that impact IT systems are HIPAA, GLBA, PCI DSS, and GDPR.
With maximum penalties of up to $1.5 million per year and possible imprisonment, the Health Information Technology for Economic and Clinical Health Act, which is an amended version of the Health Insurance Portability and Accountability Act, is the most onerous piece of legislation from both an IT and administrative standpoint in the health care industry.
Aimed at preventing unauthorized disclosures of electronic protected health information (ePHI), HIPAA-HITECH is forcing medical practitioners, health care providers, hospitals, and their business associates to review the security of data at rest in their EHRs (Electronic Health Records) and similar IT systems.
While HIPAA-HITECH deals with ePHI, which is basically PII found alongside medical information, the GLBA (Gramm-Leach-Bliley Act), on the other hand, focuses on nonpublic personal information or NPI. This is just the name given to PII found alongside financial information, examples of which include: SSNs, people’s names, addresses, phone numbers, bank account numbers, credit card numbers, as well as income and credit histories.
This information is commonly stored in a typical financial institution’s database. If it ends up in the wrong hands, the financial institution in question could end up paying $100,000 per violation, while its officers and directors can be fined up to $10,000 per violation.
The PCI DSS, or Payment Card Industry Data Security Standard, is a set of requirements aimed at securing cardholder data, such as the Card Security Code (CSC), the cardholder's name, the expiration date, and (most importantly) the Primary Account Number (PAN), among others. All organizations that deal with cardholder data, including merchants, processors, acquirers, issuers, and service providers, are subject to the data protection requirements of PCI DSS.
In order to meet those requirements, these organizations have to implement a laundry list of security measures on every system component where cardholder data is transmitted, processed, or stored. There are 12 requirements in all, and at least one (Requirement 3: Protect stored cardholder data) specifically caters to securing data-at-rest.
Across the pond, the most onerous data protection law there, and perhaps practically anywhere on the planet (owing to the fact that the EU is more sensitive about data privacy than the US), is the GDPR, or General Data Protection Regulation. Although crafted by the European Union, the GDPR impacts any company that collects data of EU citizens and residents.
Other laws and regulations that call for better protection of data at rest include SOX (the Sarbanes-Oxley Act) and the various US state and territorial data breach notification laws.
How to secure data at rest
With so many regulations to look out for, the need to seek out better ways of protecting data-at-rest is now more pressing than ever. You can start by implementing good practices, particularly when dealing with sensitive information.
For instance, you can begin by reducing the amount of sensitive data that you collect from employees and customers. Sensitive data that you already hold but that isn’t really business critical should likewise be discarded in a secure fashion. The objective of both exercises is to reduce your exposure to risk.
Sensitive data that really does have to be retained needs to be identified and located. Knowing ‘what it is’ will help you pinpoint which laws and regulations you are answerable to (e.g. ePHI = HIPAA, cardholder data = PCI DSS, although there are usually overlaps). Knowing ‘where it is’, on the other hand, will help you carry out your data protection initiatives more effectively and efficiently.
Once you’ve identified which data needs protection and where you can find it, you can then implement various data protection schemes such as encryption, authentication mechanisms, access control, and so on. Want some concrete examples of how to secure data-at-rest? You're in luck. We've got several posts and tutorials about the subject. Here's a link to articles talking about data-at-rest security using encryption.
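The ‘what’ and ‘where’ step above is usually the first thing to automate: a small discovery scan that walks a file share, flags files holding cardholder data (PANs, validated with the Luhn checksum so stray digit runs such as ticket numbers are not counted) or SSN-shaped values, and tags each hit with the regime it points to. The script below is an added illustration, not JSCAPE code or part of the original post; the sample files it writes are constructed, and the mapping of SSN hits to "PII" is a deliberately generic label because, as noted above, which law applies depends on the surrounding context.

```python
import re
import tempfile
from pathlib import Path

# Candidate patterns: a 13-19 digit card number (digits optionally separated by
# single spaces or dashes) and a US SSN in NNN-NN-NNNN form.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_text(text: str) -> dict:
    """Count Luhn-valid PANs and SSN-shaped values in one file's text."""
    pans = [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"pan": len(pans), "ssn": len(SSN_RE.findall(text))}

def scan_tree(root: Path) -> dict:
    """Map each file under root that holds sensitive data to the regimes it triggers."""
    findings = {}
    for path in (p for p in root.rglob("*") if p.is_file()):
        counts = classify_text(path.read_text(errors="ignore"))
        regimes = (["PCI DSS (Req. 3)"] if counts["pan"] else []) + \
                  (["PII (breach-notification laws)"] if counts["ssn"] else [])
        if regimes:
            findings[path.relative_to(root).as_posix()] = {**counts, "regimes": regimes}
    return findings

def demo() -> dict:
    """Constructed sample share (not real data) standing in for a file server."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "refunds.csv").write_text("customer,card\nJ. Doe,4111 1111 1111 1111\n")
        (root / "hr.txt").write_text("Employee file. SSN: 123-45-6789\n")
        (root / "build.log").write_text("ticket 1234567890123456 closed\n")  # fails Luhn
        return scan_tree(root)

if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The same scanner can be pointed at a real share to produce the inventory that decides where encryption and access controls must be applied first.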
Do your business operations involve a lot of sensitive data? If so, it's your duty to make sure that data stays secure whether in transit or at rest. One solution that's very capable of helping you meet that responsibility is JSCAPE MFT Server, a managed file transfer server that makes it easy to secure both data in motion and data at rest. Click that link to learn more about it or download the FREE Starter Edition to try it out.