Data at Rest Is a Sitting Duck
Recommendations for reducing risk to your stored data, whatever its form.
As data becomes more widely accessible, it also becomes more vulnerable to
attack. Reports of source code for commercial software being stolen and the
loss of customer, employee and client data are so commonplace that we no longer
find them shocking. In addition to these information crimes, issues like distributed
storage and distributed access are converging to make data storage security
an increasingly important concern.
Data is now stored in more distributed locations. For years, security for data
at rest (meaning stored in a database or another medium that’s not traversing
the network) meant locks on the data center doors. Data storage was primarily
attached storage, or carefully guarded tape libraries and backups. Today data
is accessible to hundreds if not thousands of computers on corporate LANs, and
possibly millions via remote access—including the Internet.
Critical and sensitive data is distributed across desktops and network attached
storage (NAS) devices. It's also carried outside the physical boundaries
of the organization on laptops, PDAs and portable hard drives the size and shape
of pens, watches, key fobs and other ordinary artifacts. Employees, contractors
and consultants may even carry sensitive data on their own personal computers.
Data access is also more distributed. Even where storage itself is centralized
in storage area networks (SANs), companies allow widespread access to that data.
That trend is projected to increase. IDC reported that 45 percent of storage
was directly attached in 2002, but predicted that by 2007 only 22 percent will
be directly attached, while about 59 percent will be kept on SANs and 18 percent
Early adopters of SANs could rely on some "security through obscurity."
Five years ago Fibre Channel was so obscure that few people knew what it was, let
alone how to attack it. That's not true today. Some SANs also carry storage
traffic over IP, which puts them within reach of ordinary network tools and
attackers. Everyone can have access to advanced storage, but with that access
comes increased risk.
There's another risk factor to consider with SANs. When data was scattered
across isolated, or even connected, data stores around an enterprise, a breach
meant the loss of one store's data. When data is centralized in massive SANs,
unauthorized access could mean the loss of all of it. While safeguards like
firewalls, intrusion detection and prevention systems, file system permissions
and other controls can prevent most unauthorized access, much data at rest lies
largely unprotected once those perimeter controls are compromised.
Data Management and Transaction Outsourcing
IT outsourcing is another emerging trend that affects data management and data
transactions. Data can certainly be kept just as secure in places other than
the corporate data center, but that requires a new risk-management model. Will
organizations that weren't capable of doing good security when their data
was managed internally do any better at hiring someone outside to do it?
Whether or not you choose to outsource the job, it's more important than
ever to secure your data at rest. It's not simply a matter of good business
practice. More and more, it's becoming the law, with an increasing number
of regulations covering data at rest. These regulations generally include the
following requirements:
- Allow only authorized users to access specific systems, and then only the
information they're authorized to access.
- Maintain data privacy.
- Maintain data integrity.
- Maintain auditable records to demonstrate that privacy and integrity are
being maintained.
Legal compliance requires new ways of thinking about securing data at rest,
because traditional techniques are becoming increasingly obsolete (see "Traditional
Security Methods and Their Inadequacies" below).
A Proposed Standard
What should be done to protect data at rest, for both security and legal accountability
reasons? Before we launch yet another security initiative in which some standards
body takes up the call and engages in endless rounds of debate, let's
agree on some basics. Here's a reasonable list of minimum security standards
that you can implement right now:
- Enforce proper due diligence as to application, host and network hardening.
- Provide access controls for storage devices.
- Encrypt data on data storage devices.
- Use the Encrypting File System (EFS) on personal computers where possible
and where it fits your risk model. EFS is based on user identity; the encryption
keys, while protected, are stored on the disk with the data, and that protection
is ultimately derived from the user's logon password. Note that EFS can't be
used to provide full disk encryption.
- Provide options for full disk encryption, dependent on evaluated risk.
Full disk encryption encrypts data, applications and operating systems.
- Provide secured, centralized management to ensure efficient policy implementation
across the board.
- Security operations should be reasonably transparent to the end user. Security
shouldn’t be difficult.
- Separate data access from data management. Those who need to view and use
data should be distinct from those who manage it, that is, those who apply
controls and perform backups.
Traditional Security Methods and Their Inadequacies
Physical Security
Method: Access cards, locks, guards and gates.
Inadequacy: Data is distributed. There aren't enough solid physical security
methods, and many organizations are unwilling to use the methods that are
available. Data access is also distributed, and physical security can't protect
data flowing over a network from anything but physical attacks.
Access Permissions
Method: Complex arrangements of permissions designed to allow only authorized
access.
Inadequacy: They are difficult to implement and use, and different operating
systems use different permission models. Access is ultimately based on a user ID
and password; if the thief has that information, he is authorized.
Physical Security for Tape Backups
Method: When security was considered at all, it meant locked racks and armored
trucks.
Inadequacy: Concerns about data on tapes (such as backup tapes) focus more on
reliability and availability than on confidentiality. It's also more difficult
to know when a tape has been copied, accessed or altered.
Remote Backup Sites
Method: Remote backup sites may be provisioned with physical security and
perimeter controls.
Inadequacy: Remote backup sites, data vaulting and disaster recovery efforts are
concerned with recovery, not the security of the materials, processes and data
used to obtain the
Port Zoning and Logical Unit Numbers
Method: Zoning, a SAN technology, uses hardware and/or software to create
barriers and partitions on a single SAN fabric so that groups of devices can't
interact with each other. Members of a zone are identified by port number and/or
worldwide name (WWN) and may interact freely. LUN masking attempts to hide
devices by letting each server see only the devices (identified by LUN) it's
allowed to see.
Inadequacy: Port zoning and LUN masking were developed to provide segmentation
for better performance, not security. Many systems have no enforcement
capability: soft zoning only filters the fabric name server's responses, so a
host that already knows a target's address can still talk to it, whereas hard
zoning is enforced on frames at the switch. Even where enforcement exists, the
controls are often easy to override. For example, some Host Bus Adapters (HBAs)
for SANs allow the WWN to be set arbitrarily, which lets an attacker assume
another host's identity and bypass existing masking.
- Ensure that security features don't cause unacceptable performance degradation.
- Minimize latency by handling encryption and key management in hardware.
- Use a strong encryption algorithm such as AES. 3DES, once listed alongside
it, has since been deprecated by NIST and shouldn't be chosen for new deployments.
- Use a strong integrity algorithm such as SHA-256; SHA-1 is no longer considered
collision resistant. Remember too that a bare hash stored beside the data proves
nothing against an attacker who can rewrite both the data and the hash: integrity
for data at rest needs a keyed MAC (HMAC) or an authenticated encryption mode,
with the key held apart from the data.
- Authenticate access from storage device to storage device, and from management
or administration device to storage device. This can prevent spoofing attacks
as well as foil unauthorized access attempts.
- Use newer zoning approaches in which virtual SANs control user and
administrator access and enforce isolated environments within a single physical
fabric. This means using switches that provide authentication, hard zoning and
access controls.
- Use security appliances that centrally manage device authentication and the
encryption of data at rest. These appliances sit between the host network and
the SAN. Because all data flowing between hosts and the SAN passes through the
appliance, access to SAN data and configuration can be controlled, and data is
encrypted and decrypted as it traverses the appliance.
- Use authenticating switches, which can authenticate host-to-switch and
switch-to-switch connections, in many cases using key-based algorithms.
- Manage encryption keys properly: hardware-based key storage, separation of
keys from the encrypted data, and key backup or escrow. When encrypted data in
transit is lost to a corrupted key, the original can usually be re-sent. When
data is at rest, however, the loss or corruption of a key means the loss of the
data.
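The sidebar's WWN-spoofing problem and the authentication items in the list above (device-to-device authentication, authenticating switches) come together in the following added example. It is mine, not code from the article or from any vendor named here. It models a small fabric in Python: first LUN masking keyed only on the WWN an HBA presents, then a DH-CHAP-style challenge-response in which the switch honours a WWN only after the host proves it holds that WWN's shared secret, and finally a replay of a captured response. The WWNs, secrets and LUN map are constructed sample data; the response formula is an illustrative HMAC binding of identity, challenge and Diffie-Hellman result, not the FC-SP wire format; the DH parameters are transcribed from the 1024-bit MODP group of RFC 2409 (Oakley group 2).

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group (Oakley group 2, RFC 2409), generator 2. Any well-known
# safe-prime group would serve the demonstration equally well.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_G = 2

# Constructed sample fabric: which HBA (by WWN) may see which LUNs.
LUN_MASK = {
    "10:00:00:00:c9:00:00:01": {0, 1},   # database server
    "10:00:00:00:c9:00:00:02": {2},      # file server
}
# Constructed per-device CHAP secrets. An attacker's HBA holds none of them.
DEVICE_SECRETS = {
    "10:00:00:00:c9:00:00:01": b"db-server-secret-constructed",
    "10:00:00:00:c9:00:00:02": b"file-server-secret-constructed",
}


def visible_luns_wwn_only(claimed_wwn):
    """Masking keyed on the WWN the HBA presents: spoof the WWN, get the LUNs."""
    return LUN_MASK.get(claimed_wwn, set())


def chap_response(wwn, secret, challenge, dh_shared):
    """Illustrative response: HMAC(secret) over identity, challenge and the
    DH shared value. Not the FC-SP DH-CHAP wire formula."""
    msg = wwn.encode() + challenge + dh_shared.to_bytes(128, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Switch:
    """Switch side: issues a fresh nonce and DH public value for every login."""

    def __init__(self, secrets_db):
        self._secrets = secrets_db

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        self._x = 2 + secrets.randbelow(DH_P - 3)
        return self._nonce, pow(DH_G, self._x, DH_P)

    def verify(self, wwn, host_pub, response):
        secret = self._secrets.get(wwn)
        # Unknown WWN, or a degenerate DH value (0, 1, p-1) that would fix the
        # shared secret regardless of x: refuse.
        if secret is None or not 1 < host_pub < DH_P - 1:
            return False
        shared = pow(host_pub, self._x, DH_P)
        expected = chap_response(wwn, secret, self._nonce, shared)
        return hmac.compare_digest(expected, response)


class HostHBA:
    """Host side: answers the challenge with its own DH value and a response."""

    def __init__(self, wwn, secret):
        self.wwn, self._secret = wwn, secret

    def respond(self, nonce, switch_pub):
        y = 2 + secrets.randbelow(DH_P - 3)
        shared = pow(switch_pub, y, DH_P)
        return pow(DH_G, y, DH_P), chap_response(self.wwn, self._secret, nonce, shared)


def visible_luns_authenticated(switch, hba):
    """LUN visibility only after the HBA proves it holds the secret for its WWN."""
    nonce, switch_pub = switch.challenge()
    host_pub, response = hba.respond(nonce, switch_pub)
    if not switch.verify(hba.wwn, host_pub, response):
        return set()
    return LUN_MASK.get(hba.wwn, set())


def replay_captured_response(switch, hba):
    """Replaying a captured (host_pub, response) against the next login fails
    because the switch's nonce and DH exponent are fresh each time."""
    nonce, switch_pub = switch.challenge()
    captured = hba.respond(nonce, switch_pub)
    switch.challenge()                      # next login: new nonce, new x
    return switch.verify(hba.wwn, *captured)


if __name__ == "__main__":
    victim = "10:00:00:00:c9:00:00:01"
    switch = Switch(DEVICE_SECRETS)
    legit = HostHBA(victim, DEVICE_SECRETS[victim])
    spoof = HostHBA(victim, b"attacker has no secret")
    print("WWN-only masking, spoofed WWN:", visible_luns_wwn_only(victim))
    print("authenticated, legitimate HBA:", visible_luns_authenticated(switch, legit))
    print("authenticated, spoofed WWN:   ", visible_luns_authenticated(switch, spoof))
    print("replayed response accepted:   ", replay_captured_response(switch, legit))
```

The point to take from the two lookups is that the masking table is identical in both cases; what changes is whether the fabric believes the identity it is keyed on. A real deployment does this in the switch (hard zoning plus DH-CHAP) rather than in a Python model, and authenticates the switch to the host as well.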
Remember that these are generic recommendations. You’ll need to tune
them to your specific environment. What you can’t afford to do is put
off securing your data at rest. It should be obvious that it’s much harder
to hit a moving target than one sitting still.
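The last item in the list above, key backup or escrow with keys kept apart from the data, is shown in this added example; it is mine, not the article's or any vendor's. It splits a 256-bit data-encryption key into shares with Shamir's scheme over the prime field 2^521 - 1, stores only a SHA-256 fingerprint of the key with the data so that a corrupted or wrong key is detected before anyone tries to decrypt with it, and recovers the key from any threshold subset of custodians while rejecting too few or tampered shares. The key bytes, custodian counts and record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Mersenne prime 2^521 - 1: every key of up to 65 bytes is a field element.
FIELD_PRIME = (1 << 521) - 1


def key_fingerprint(key):
    """SHA-256 of the key. Safe to store beside the ciphertext; it lets you
    detect a corrupted or wrong key before you decrypt with it."""
    return hashlib.sha256(key).hexdigest()


def _poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):            # Horner's rule; coeffs[0] is the secret
        acc = (acc * x + c) % FIELD_PRIME
    return acc


def split_key(key, k, n):
    """Shamir split: any k of the n shares rebuild the key; k-1 reveal nothing."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= FIELD_PRIME:
        raise ValueError("key too long for the field")
    coeffs = [secret] + [secrets.randbelow(FIELD_PRIME) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(points):
    """Lagrange interpolation of the polynomial's value at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % FIELD_PRIME
                den = den * (xi - xj) % FIELD_PRIME
        total = (total + yi * num * pow(den, -1, FIELD_PRIME)) % FIELD_PRIME
    return total


def recover_key(shares, k, key_len, fingerprint):
    """Rebuild the key from shares and refuse to return anything that does not
    match the fingerprint stored with the data."""
    uniq = list({x: (x, y) for x, y in shares}.values())
    if len(uniq) < k:
        raise ValueError(f"{k} distinct shares required, got {len(uniq)}")
    value = _interpolate_at_zero(uniq[:k])
    try:
        key = value.to_bytes(key_len, "big")
    except OverflowError:
        raise ValueError("shares do not reconstruct a key: wrong set or tampered") from None
    if not hmac.compare_digest(key_fingerprint(key), fingerprint):
        raise ValueError("recovered key does not match the stored fingerprint")
    return key


if __name__ == "__main__":
    # Constructed scenario: a 256-bit DEK, five custodians, any three can restore.
    dek = secrets.token_bytes(32)
    data_record = {"key_id": "dek-0001", "key_fp": key_fingerprint(dek)}  # with the data
    custodians = split_key(dek, 3, 5)                                     # held apart
    del dek                                                               # key store lost
    restored = recover_key([custodians[0], custodians[2], custodians[4]],
                           3, 32, data_record["key_fp"])
    print("restored key matches fingerprint:",
          key_fingerprint(restored) == data_record["key_fp"])
```

In use, the restored key would be fed to an authenticated-encryption primitive (AES-GCM from a vetted library) to decrypt the data; that step is deliberately outside the block. The fingerprint check is what turns a silently corrupted key into a loud failure before any ciphertext is touched, and the threshold is what keeps a single custodian, or a single lost share, from deciding the fate of the data.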
Products for Securing Data at Rest
Here are some products to look at that can help you protect your data at rest.
Please note that I’m not specifically recommending or endorsing these
products over others. I'm merely listing some options, places to get started.
Full Disk Encryption
A new product, PGP Whole Disk, provides encryption for use with laptops, desktops and external
disks. It can be used to encrypt the entire drive, including the operating system,
applications and data files. The use of a passphrase recovery token allows administrators
to generate a one-time token for users to allow access to encrypted drives should
they ever lose a password. Configuration can be integrated with Active Directory
and centrally deployed using Microsoft Systems Management Server (SMS).
- The Decru DataFort encrypts data at rest with AES-256 and provides role-based
access controls, SHA-1 and SHA-256 integrity, archive and key recovery, and a
cryptographically signed activity log. Only the data payload is encrypted, which
keeps the device interoperable with a number of SANs and NAS devices; it also
works with Cisco's MDS 9000 family of switches.
- Kasten Chase Applied Research's Assurancy Secure Data provides 128- and
256-bit SHA-1 authentication, as well as access control between devices using
X.509 certificates. Keys are generated in hardware, and recovery tools are
available for key backup and restore.
- Vormetric's CoreGuard Software Policy Enforcement Module (PEM) can be
installed on hosts with access to sensitive data to enforce access controls in
concert with the Vormetric Security Server appliance cluster. The policies
compare the who, when and where of an access request with the protection
policies stored on the security appliance. Data at rest is encrypted with 3DES,
and hosts are locked down by defining the executable files and related libraries
that can
Backup Tape Encryption
NeoScale Systems' CryptoStor for Tape security appliance provides 3DES or AES
on-the-fly tape encryption, role-based secure remote maintenance, random-number
key generation, encryption key protection, key/media cataloging, key escrow,
media authentication, data shredding and smart card authentication. Remote
access is protected by either SSL or SSH.
Security Switches and Products
- Cisco's MDS 9000 family of multilayer directors and switches provides Fibre
Channel security features such as hardware-based zoning, port security and
Diffie-Hellman CHAP (DH-CHAP) authentication, as well as IPsec. DH-CHAP is used
for switch-to-switch and host-to-switch authentication with a secure key
exchange, and supports MD5- and SHA-1-based authentication.
- Brocade Communications' Secure Fabric OS uses digital certificates to prevent
unauthorized configuration changes. It incorporates the FC Authentication
Protocol, an emerging standard for authenticating Fibre Channel devices to a
fabric.
- McDATA SANtegrity Zoning blocks ports from obtaining access to devices outside
user-specified zones. A SANtegrity Secure Management Zone provides management of
access to local and remote SAN devices over secure connections. The SANtegrity
Authentication product supports DH-CHAP authentication for switch-to-switch and
end device-to-switch