Security Advisor

Data at Rest Is a Sitting Duck

Recommendations for reducing risk to your stored data, whatever its form.

As data becomes more widely accessible, it also becomes more vulnerable to attack. Reports of source code for commercial software being stolen and the loss of customer, employee and client data are so commonplace that we no longer find them shocking. In addition to these information crimes, issues like distributed storage and distributed access are converging to make data storage security an increasingly important concern.

Data is now stored in more distributed locations. For years, security for data at rest (meaning stored in a database or another medium that’s not traversing the network) meant locks on the data center doors. Data storage was primarily attached storage, or carefully guarded tape libraries and backups. Today data is accessible to hundreds if not thousands of computers on corporate LANs, and possibly millions via remote access—including the Internet.

Critical and sensitive data is distributed across desktops and network attached storage (NAS) devices. It's also carried outside the physical boundaries of the organization on laptops, PDAs and portable hard drives the size and shape of pens, watches, key fobs and other ordinary artifacts. Employees, contractors and consultants may even carry sensitive data on their own personal computers.

Data access is also more distributed. Whereas certain data storage may be centralized in storage area networks (SANs), companies allow widespread access to that data. That trend is projected to increase. IDC reported that 45 percent of storage was directly attached in 2002, but predicted that by 2007 only 22 percent would be directly attached, while about 59 percent would be kept on SANs and 18 percent on NASes.

Early adopters of SANs could rely on some "security through obscurity." Five years ago Fibre Channel was so obscure few people knew what it was, let alone how to hack into it. That's not true today. Some SANs also use IP communications. That means everyone can have access to advanced storage, but with that access comes increased risk.

There’s another risk factor to consider with SANs. When data was distributed in isolated or even connected data dumps across an enterprise, a breach might mean loss of data. However, when data is centralized in massive SANs, unauthorized access could mean a potential loss of all data. While safeguards like firewalls, intrusion detection and prevention systems, file system permissions and other controls can prevent most unauthorized access, much data at rest lies largely unprotected once the perimeter controls are compromised.

Data Management and Transaction Outsourcing
IT outsourcing is another emerging trend that affects data management and data transactions. Data can certainly be kept just as secure in places other than the corporate data center, but that requires a new risk-management model. Will organizations that weren't capable of doing good security when their data was managed internally do any better at hiring someone outside to do it?

Whether or not you choose to outsource the job, it's more important than ever to secure your data at rest. It's not simply a matter of good business practice. More and more, it's becoming the law, with an increasing number of regulations covering data at rest. These regulations generally include the following requirements:

  • Allow only authorized users to access specific systems, and then only the information they're authorized to access.
  • Maintain data privacy.
  • Maintain data integrity.
  • Maintain auditable records to demonstrate that privacy and integrity are upheld.

Legal compliance requires new ways of thinking about securing data at rest, because traditional techniques are becoming increasingly obsolete (see "Traditional Security Methods and Their Inadequacies" below).

A Proposed Standard
What should be done to protect data at risk, for both security and legal accountability reasons? Before we launch yet another security initiative where some standards body takes up the call and engages in endless rounds of debate, let's agree on some basics. Here’s a reasonable list of minimum security standards that you can implement right now:

  • Enforce proper due diligence as to application, host and network hardening.
  • Provide access controls for storage devices.
  • Encrypt data on data storage devices.
  • Use the Encrypting File System (EFS) on personal computers where possible and where it fits your risk model. EFS is based on user identity; the encryption keys, while protected, are stored on the disk with the data. Note that EFS can’t be used to provide full disk encryption.
  • Provide options for full disk encryption, dependent on evaluated risk. Full disk encryption encrypts data, applications and operating systems.
  • Provide secured, centralized management to ensure efficient policy implementation across the board.
  • Security operations should be reasonably transparent to the end user. Security shouldn’t be difficult.
  • Separate data access from data management. Those who need to view and access data should be distinct and kept separate from those who need to manage it, i.e., applying controls and performing backups.
  • Ensure that security features don’t result in performance degradation.
  • Minimize latency by handling encryption and key management in hardware.
  • Use strong encryption algorithms such as AES and 3DES.
  • Use strong integrity algorithms such as SHA-1 and SHA-256.
  • Authenticate access from storage device to storage device, and from management or administration device to storage device. This can prevent spoofing attacks as well as foil unauthorized access attempts.
  • Use newer zoning applications in which virtual SANs are used to control user and administrator access and enforce isolated environments within a single physical fabric. This means using switches that provide authentication, hard zoning and access controls.
  • Use security appliances that centrally manage device authentication and the encryption of data at rest. These appliances segment host networks from SANs. Because all data flowing between the host and SAN network passes through the security appliance, access to SAN data and configuration can be controlled. Data is encrypted and decrypted as it traverses the appliance.
  • Use authenticating switches, which are capable of authenticating host-to-switch and switch-to-switch connections, in many cases using secure key-based algorithms.
  • Provide management of encryption keys, including hardware-based key storage, separation of keys from encrypted data and key backup or escrow. When data communications are encrypted and the key becomes corrupted, the original data can usually be re-sent. When data is at rest, however, the loss or corruption of keys can mean a loss of data.

Remember that these are generic recommendations. You’ll need to tune them to your specific environment. What you can’t afford to do is put off securing your data at rest. It should be obvious that it’s much harder to hit a moving target than one sitting still.

Traditional Security Methods and Their Inadequacies

Physical Security
This includes access cards, locks, guards and gates. Data is distributed. There aren’t enough solid physical security methods, and many are unwilling to use available methods. Data access is also distributed, and physical security can’t protect data flowing over a network except from physical attacks.

Permission Setting
These are complex arrangements designed to allow only authorized access. They are difficult to implement and use. Different operating systems use different permission methods. Access is ultimately based on user ID and password. If the thief has that information, he is authorized.

Physical Security for Tape Backups
When security was considered, it meant locked racks and armored trucks. Concerns about data on tapes (such as backup tapes) focus more on reliability and availability than confidentiality. Also, it’s more difficult to know when a tape has been copied, accessed or altered.

Disaster Recovery
Remote backup sites may be provisioned with physical security and perimeter controls. Remote backup sites, data vaulting and disaster recovery efforts are concerned with recovery, not with the security of the materials, processes and data used to obtain the recovery.

Port Zoning and Logical Unit Number (LUN) Masking
Zoning, a SAN technology, is the use of hardware and/or software to create barriers and partitions on a single SAN fabric to prevent groups and devices from interacting with each other. Members within a zone are identified by port number and worldwide name (WWN) and allowed to interact freely. LUN masking attempts to hide devices by allowing each server to see only the devices (identified by LUN) it’s allowed to see. Port zoning and LUN masking were developed to provide segmentation for better performance, not security. Many systems have no enforcement capabilities. The controls in many cases can be easily overridden. For example, some Host Bus Adapters (HBAs) for SANs provide a feature that allows arbitrary setting of the WWN, which in turn allows an attacker to override existing masking.

More Information

Products for Securing Data at Rest
Here are some products to look at that can help you protect your data at rest. Please note that I’m not specifically recommending or endorsing these products over others. I'm merely listing some options, places to get started.

Full Disk Encryption

A new product, PGP Whole Disk, provides encryption for use with laptops, desktops and external disks. It can be used to encrypt the entire drive, including the operating system, applications and data files. The use of a passphrase recovery token allows administrators to generate a one-time token for users to allow access to encrypted drives should they ever lose a password. Configuration can be integrated with Active Directory and centrally deployed using Microsoft Systems Management Server (SMS).

Security Appliances

  • The Decru DataFort encrypts data at rest using AES-256, role-based access controls, SHA-1 and SHA-256, archive and key recovery, and a cryptographically signed activity log. Only the data payload is encrypted, which makes the device interoperable with a number of SANs and NASes, and it works with Cisco’s MDS 9000 family of switches.
  • Kasten Chase Applied Research’s Assurancy Secure Data provides 128- and 256-bit SHA-1 authentication, as well as access control between devices using X.509 certificates. Keys are hardware generated, and recovery tools are available for key backup and restore.
  • Vormetric’s CoreGuard Software Policy Enforcement Module (PEM) can be installed on hosts with access to sensitive data in order to enforce access controls and work with the Vormetric Security Server appliance cluster. The policies compare the Who, When and Where of an access request with the protection policies stored on the security appliance. Data at rest is encrypted with 3DES, and hosts are locked down by defining the executable files and related libraries that can run.

Backup Tape Encryption

NeoScale Systems’ CryptoStor for Tape security appliance provides 3DES or AES on-the-fly tape encryption, role-based secure remote maintenance, random-number key generation, encryption key protection, key/media cataloging, key escrow, media authentication, data shredding and smart card authentication. Remote access is protected by either SSL or SSH.

Security Switches and Products

  • Cisco’s MDS 9000 family of multilayer directors and switches provides Fibre Channel security features such as hardware-based zoning, port security and Diffie-Hellman CHAP (DH-CHAP) authentication, as well as IPSec. DH-CHAP is used for switch-to-switch and host-to-switch authentication using secure key exchange and supports MD5- and SHA-1-based authentication.
  • Brocade Communications’ Secure Fabric OS uses digital certificates to prevent unauthorized configuration changes. It incorporates the FC Authentication Protocol, an emerging standard for authentication of Fibre Channel devices to a fabric.
  • McData SANtegrity Zoning blocks ports from obtaining access to devices outside user-specified zones. A SANtegrity Secure Management Zone provides management of access to local and remote SAN devices over secure connections. The SANtegrity Authentication product supports DH-CHAP encryption for switch-to-switch and end device-to-switch communication.

—Roberta Bragg

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
