Security Advisor

Data at Rest Is a Sitting Duck

Recommendations for reducing risk to your stored data, whatever its form.

• By Roberta Bragg
• 03/01/2005

As data becomes more widely accessible, it also becomes more vulnerable to attack. Reports of source code for commercial software being stolen and the loss of customer, employee and client data are so commonplace that we no longer find them shocking. In addition to these information crimes, issues like distributed storage and distributed access are converging to make data storage security an increasingly important concern.

Data is now stored in more distributed locations. For years, security for data at rest (meaning stored in a database or another medium that’s not traversing the network) meant locks on the data center doors. Data storage was primarily attached storage, or carefully guarded tape libraries and backups. Today data is accessible to hundreds if not thousands of computers on corporate LANs, and possibly millions via remote access—including the Internet.

Critical and sensitive data is distributed across desktops and network attached storage (NAS) devices. It's also carried outside the physical boundaries of the organization on laptops, PDAs and portable hard drives the size and shape of pens, watches, key fobs and other ordinary artifacts. Employees, contractors and consultants may even carry sensitive data on their own personal computers.

Data access is also more distributed. Whereas certain data storage may be centralized in storage area networks (SANs), companies allow widespread access to that data. That trend is projected to increase. IDC reported that 45 percent of storage was directly attached in 2002, but predicted that by 2007 only 22 percent will be directly attached, while about 59 percent will be kept on SANs and 18 percent on NASes.

Early adopters of SANs could rely on some "security through obscurity." Five years ago Fibre Channel was so obscure few people knew what it was, let alone how to hack into it. That's not true today. Some SANs also use IP communications. That means everyone can have access to advanced storage, but with that access comes increased risk.

There’s another risk factor to consider with SANs. When data was distributed in isolated or even connected data dumps across an enterprise, a breach might mean loss of data. However, when data is centralized in massive SANs, unauthorized access could mean a potential loss of all data. While safeguards like firewalls, intrusion detection and prevention systems, file system permissions and other controls can prevent most unauthorized access, much data at rest lies largely unprotected once the perimeter controls are compromised.

Data Management and Transaction Outsourcing
IT outsourcing is another emerging trend that affects data management and data transactions. Data can certainly be kept just as secure in places other than the corporate data center, but that requires a new risk-management model. Will organizations that weren't capable of doing good security when its data was managed internally do any better at hiring someone outside to do it?

Whether or not you choose to outsource the job, it's more important than ever to secure your data at rest. It's not simply a matter of good business practice. More and more, it's becoming the law, with an increasing number of regulations covering data at rest. These regulations generally include the following requirements:

Allow only authorized users to access specific systems and then only the information they're authorized to access.

• Maintain data privacy.
• Maintain data integrity.
• Maintain auditable records to demonstrate that privacy and integrity are upheld.

Legal compliance requires new ways of thinking about securing data at rest, because traditional techniques are becoming increasingly obsolete (see "Traditional Security Methods and Their Inadequacies" below).

A Proposed Standard
What should be done to protect data at risk, for both security and legal accountability reasons? Before we launch yet another security initiative where some standards body takes up the call and engages in endless rounds of debate, let's agree on some basics. Here’s a reasonable list of minimum security standards that you can implement right now:

• Enforce proper due diligence as to application, host and network hardening.
• Provide access controls for storage devices.
• Encrypt data on data storage devices.
• Use the Encrypting File System (EFS) on personal computers where possible and where it fits your risk model. EFS is based on user identity; the encryption keys, while protected, are stored on the disk with the data. Note that EFS can’t be used to provide full disk encryption.
• Provide options for full disk encryption, dependent on evaluated risk. Full disk encryption encrypts data, applications and operating systems.
• Provide secured, centralized management to ensure efficient policy implementation across the board.
• Security operations should be reasonably transparent to the end user. Security shouldn’t be difficult.
• Separate data access from data management. Those who need to view and access data should be distinct and kept separate from those who need to manage it, i.e. applying controls and performing backups.
  
  

  Traditional Security Methods and Their Inadequacies

  Physical Security

  This includes access cards, locks, guards and gates. Data is distributed. There aren’t enough solid physical security methods, and many are unwilling to use available methods. Data access is also distributed and physical security can’t protect data flowing over a network except from physical attacks.

  Permission Setting

  These are complex arrangements designed to allow only authorized access. They are difficult to implement and use. Different operating systems use different permission methods. Access is ultimately based on user ID and password. If the thief has that information, he is authorized.

  Physical Security for Tape Backups

  When security was considered, it meant locked racks and armored trucks. Concerns about data on tapes (such as backup tapes) focus more on reliability and availability than confidentiality. Also, it’s more difficult to know when a tape has been copied, accessed or altered.

  Disaster Recovery

  Remote backup sites may be provisioned with physical security and perimeter controls. Remote backup sites, data vaulting and disaster recovery efforts are concerned with recovery—not the security of the materials, processes and data used to obtain the recovery.

  Port Zoning and Logical Unit Numbers (LUN) Masking

  Zoning, a SAN technology, is the use of hardware and/or software to create barriers and partitions on a single SAN fabric to prevent groups and devices from interacting with each other. Members within a zone are identified by port number and worldwide name (WWN) and allowed to interact freely. LUN masking attempts to hide devices by allowing each server to only see the devices (identified by LUN) it’s allowed to see. Port zoning and LUN masking were developed to provide segmentation for better performance, not security. Many systems have no enforcement capabilities. The controls in many cases can be easily overridden. For example, some Host Bus Adapters (HBAs) for SANs provide a feature that allows arbitrary setting of the WWN which in turn allows an attacker to override existing masking.

• Ensure that security features don’t result in performance degradation.
• Minimize latency by handling encryption and key management in hardware.
• Use strong encryption protocols such as AES and 3DES.
• Use strong integrity algorithms such as SHA1 and SHA256.
• Authenticate access from storage device to storage device, and from management or administration device to storage device. This can prevent spoofing attacks as well as foil unauthorized access attempts.
• Use newer zoning applications in which virtual SANs are used to control user and administrator access and enforce isolated environments within a single physical fabric. This means using switches that provide authentication, hard zoning and access controls.
• Use security appliances that centrally manage device authentication and the encryption of data at rest. These appliances segment host networks from SANs. Because all data flowing between the host and SAN network passes through the security appliance, access to SAN data and configuration can be controlled. Data is encrypted and decrypted as it traverses the appliance.
• Use authenticating switches, which are capable of authenticating host-to-switch and switch-to-switch connections, in many cases using secure key-based algorithms.
• Provide management of encryption keys, including hardware-based key storage, separation of keys from encrypted data and key backup or escrow. When data communications are encrypted and the key becomes corrupted, the original data can usually be re-sent. When data is at rest, however, the loss or corruption of keys can mean a loss of data.

Remember that these are generic recommendations. You’ll need to tune them to your specific environment. What you can’t afford to do is put off securing your data at rest. It should be obvious that it’s much harder to hit a moving target than one sitting still.