Data at rest protection (DARP) refers to protecting data that is not actively moving between locations and is instead persisted on a storage medium. This includes data stored on hard drives, solid-state drives, magnetic tapes, optical discs, cloud storage and any other medium designed for longer-term retention. DARP is an important part of an organization's data security and privacy strategy because data at rest often contains sensitive information that must be protected from unauthorized access or exposure.
Some key reasons why DARP is important:
– Data breaches often target data at rest since it represents a “stationary target” compared to data in transit. Cybercriminals look for insecure servers, databases, archives and other repositories of data at rest to attack.
– Data at rest often contains sensitive information like intellectual property, customer/employee records, financial data and more that can expose an organization to compliance violations, lawsuits and reputational damage if compromised.
– Regulations like HIPAA, PCI DSS, GDPR and various data privacy laws around the world mandate protection of sensitive data at rest through encryption or other controls. Failure to protect data at rest can lead to stiff regulatory penalties.
– Data at rest persists for years, so a repository that was exposed when it was created stays exposed until DARP controls are applied to it directly; upgrading perimeter defenses like firewalls does not change what an attacker finds once inside.
– Advanced persistent threats (APTs) and malicious insiders often target weakly protected data at rest to establish a long-term infiltration point and exfiltrate data over time.
So in essence, DARP is about implementing robust defenses around data that does not move and sits in an organization’s core IT infrastructure and assets, acting as the last line of protection for critical information assets.
Common DARP security controls and best practices
Here are some key mechanisms and best practices to implement effective DARP:
– **Encrypt data at rest** – Encryption converts plaintext into ciphertext that is unreadable without the decryption key, and is the primary control against unauthorized access to stored data. Full disk encryption, file/folder encryption and database encryption apply cryptographic ciphers at different layers, and each layer has a different threat model: full disk encryption protects a powered-off or stolen drive but decrypts transparently for every process on the running system, so it does nothing against a compromised account or application; file-, column- or application-level encryption narrows who can see plaintext but demands more of key management.
– **Limit data access** – Access controls like file permissions and database account privileges limit which users and applications can access protected data at rest. Data should only be accessible on a need-to-know basis.
– **Secure backups** – Backups create additional copies of data at rest and must also be properly secured. Encrypt backups and appropriately manage and control media like tapes and drives.
– **Key management** – The keys that decrypt data at rest must be stored and managed separately from the data they protect; a key kept on the same disk or in the same database as the ciphertext reduces encryption to obfuscation. Use hardware security modules (HSMs) or a key management service so that keys are generated, wrapped, rotated and retired under access control and audit.
– **Sanitization** – Data deletion should render the media unrecoverable before drives and devices are repurposed or disposed of. Overwriting and degaussing work for magnetic media; on SSDs, wear levelling means overwrites do not reliably reach every block, so use the drive's built-in secure erase or cryptographic erase (destroying the key of a self-encrypting drive).
– **Physical security** – Data centers, servers, media and other data-bearing devices must be physically protected through locks, surveillance, alarms, etc. to prevent theft and tampering.
– **Strong access policies** – Policies enforcing least privilege and separation of duties for data access are important controls. Background-screen personnel who hold access to sensitive data stores to limit insider threats.
– **Regular audits** – Audit logs, configuration scans and access reviews help detect DARP gaps and violations for timely remediation. Keep DARP configurations documented so that every audit can check the deployed state against the intended one.
– **Data discovery & classification** – Discover all data at rest locations and classify appropriately based on sensitivity to determine protection requirements. Unidentified data often lacks appropriate controls.
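As an added example (not code from the original page) for the discovery & classification, access-limiting and audit controls above, here is a Go scanner that walks a directory tree, classifies every file with a small set of constructed detectors (PEM private keys, card numbers that pass the Luhn check, email addresses) and flags restricted files that are world-readable. The detector rules, the classification names and the sample file written by main are assumptions of the example; a real deployment would load its detectors from policy and point Scan at file shares, archives and backup stores.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Classification names are assumptions of this example; real ones come from policy.
const (
	Public       = "public"
	Confidential = "confidential"
	Restricted   = "restricted"
)
var rank = map[string]int{Public: 0, Confidential: 1, Restricted: 2}

// Constructed detection rules; check, when set, validates the normalized digits of a hit.
var detectors = []struct {
	name, level string
	re          *regexp.Regexp
	check       func(string) bool
}{
	{"private-key", Restricted, regexp.MustCompile(`-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`), nil},
	{"card-number", Restricted, regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), luhnValid},
	{"email", Confidential, regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), nil},
}

func luhnValid(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i]-'0') * (1 + i%2) // double every second digit from the right
		sum += d/10 + d%10                                 // 10..18 contribute their digit sum
	}
	return sum%10 == 0
}

// Classify returns the highest level any detector triggered and the detectors that fired.
func Classify(content string) (string, []string) {
	level, hits := Public, []string{}
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(content, -1) {
			if d.check == nil || d.check(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
				hits = append(hits, d.name)
				if rank[d.level] > rank[level] {
					level = d.level
				}
				break
			}
		}
	}
	return level, hits
}

type Finding struct {
	Path, Level   string
	Detectors     []string
	WorldReadable bool
}

func (f Finding) Urgent() bool { return f.Level == Restricted && f.WorldReadable } // remediate first

// Scan walks root, classifies every regular file and records its "other" read bit.
func Scan(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if level, hits := Classify(string(data)); level != Public {
			findings = append(findings, Finding{path, level, hits, info.Mode().Perm()&0o004 != 0})
		}
		return nil
	})
	return findings, err
}

func main() {
	// Constructed sample tree; point Scan at real shares, archives and backups.
	dir, err := os.MkdirTemp("", "darp-scan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	csv := filepath.Join(dir, "export.csv")
	os.WriteFile(csv, []byte("alice,4111 1111 1111 1111,alice@example.com\n"), 0o600)
	os.Chmod(csv, 0o644) // unlike WriteFile's mode, Chmod is not subject to umask
	findings, err := Scan(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s %v world-readable=%v urgent=%v\n", filepath.Base(f.Path), f.Level, f.Detectors, f.WorldReadable, f.Urgent())
	}
}
```

The Luhn step is what keeps a scan like this usable: a bare 13-to-19-digit regex fires on order numbers, timestamps and hashes, whereas roughly nine in ten random digit runs fail the checksum. Ordering findings by Urgent gives the prioritization the risk-analysis step later in this page asks for, with the most exposed restricted data first.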
DARP solutions
There are many commercial and open source solutions available to implement DARP controls like encryption, access management, key management and auditing. Capabilities are often integrated into broader data security platforms. Examples include:
– Hardware security modules (HSMs) – Tamper-resistant key storage that performs key generation, wrapping, signing and bulk encryption offload without ever exposing key material
– Full disk encryption (FDE) – Encrypts all data on hard drives used in endpoints and servers
– Cloud encryption gateways – Encrypt data stored in cloud platforms like SaaS, IaaS and PaaS
– Database encryption – Protects data at rest in relational and NoSQL database environments
– File & folder encryption – Selectively encrypts data at the filesystem level
– DLP tools – Discover sensitive data at rest and flag or block handling that violates policy
– Key management systems (KMS) – Centralize encryption key lifecycle management
– Backup encryption – Encrypts data in backups and protects media
– Tokenization – Replaces sensitive field values with surrogate tokens that carry no exploitable information, with the originals held in a separately protected vault
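Most of the solutions above (full disk, database, file and backup encryption) combine with an HSM or KMS through envelope encryption: every object is encrypted under its own data encryption key (DEK), and only the DEK is wrapped by a key-encryption key (KEK) that never leaves the key store. The following Go code is an added example, not code from the original page; the in-memory KeyStore standing in for a KMS/HSM, the version string and the object name used as associated data are assumptions of the example. It uses AES-256-GCM for both layers and shows why the KEK rotation called for under key management and in response planning is affordable: Rewrap re-wraps the DEK without re-encrypting the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a KMS/HSM (an assumption of this example); raw KEKs never leave it.
type KeyStore struct {
	keks    map[uint32][]byte // key-encryption keys by version
	current uint32
}

// Rotate makes a fresh KEK version current; older versions still unwrap until Retire.
func (ks *KeyStore) Rotate() {
	if ks.keks == nil {
		ks.keks = map[uint32][]byte{}
	}
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
}

func (ks *KeyStore) Retire(version uint32) { delete(ks.keks, version) }

// Wrap encrypts a DEK under the current KEK; the version is bound as AAD.
func (ks *KeyStore) Wrap(dek []byte) (uint32, []byte) {
	return ks.current, gcmSeal(ks.keks[ks.current], dek, []byte(fmt.Sprint("kek-v", ks.current)))
}

func (ks *KeyStore) Unwrap(version uint32, wrapped []byte) ([]byte, error) {
	if kek, ok := ks.keks[version]; ok {
		return gcmOpen(kek, wrapped, []byte(fmt.Sprint("kek-v", version)))
	}
	return nil, fmt.Errorf("KEK version %d is retired or unknown", version)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	return b
}

func newGCM(key []byte) cipher.AEAD { // every key here is 32 bytes, so this is AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag with a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

type Envelope struct { // what gets stored next to (or inside) the encrypted object
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// Encrypt uses a fresh DEK per object and binds the object name as AAD.
func Encrypt(ks *KeyStore, name string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	ver, wrapped := ks.Wrap(dek)
	return &Envelope{ver, wrapped, gcmSeal(dek, plaintext, []byte(name))}
}

func Decrypt(ks *KeyStore, name string, env *Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(name))
}

// Rewrap moves an envelope to the current KEK without re-encrypting the bulk data.
func Rewrap(ks *KeyStore, env *Envelope) error {
	dek, err := ks.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err == nil {
		env.KEKVersion, env.WrappedDEK = ks.Wrap(dek)
	}
	return err
}
```

The intended sequence is Encrypt at write time, then on rotation Rotate, Rewrap over every stored envelope, and finally Retire of the old version; only after Retire does the old KEK stop unwrapping anything, so the rewrap sweep has to finish before it runs. Binding the object name as associated data means a ciphertext copied onto a differently named object fails to open, and the length check in gcmOpen turns a truncated blob read back from disk into an error instead of a slice-bounds panic inside a service.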
Implementing a comprehensive DARP program
Here are key steps to implement a holistic DARP program:
Discovery
The first step is identifying all locations where sensitive data comes to rest within the organization. This includes databases, file shares, log data, archives, backups, cloud storage, containers, mobile devices and more. Discovery using data classification tools and interviews with IT teams will map the enterprise data at rest landscape.
Classification
Next, classify discovered data based on levels of sensitivity using policy definitions or data classifications. This enables identifying the highest risk data at rest that should get prioritized for stronger protections.
Risk analysis
Conduct a risk analysis of identified data at rest repositories, assessing factors like the impact of compromise. Analyze locations hosting sensitive data and gaps in existing controls.
Targeted protection
With risks identified, design protection plans to implement encryption, access management, auditing and other controls tailored to DARP risk levels. Deploy new DARP protections in priority for at-risk data.
Management & reporting
Define responsibilities for ongoing DARP program management and reporting to executives on program maturity. Maintain validated DARP configurations through audits and automation.
Response planning
Develop incident response plans for DARP breach scenarios such as unauthorized access to encryption keys. Test the ability to rotate keys and credentials quickly, re-wrap or re-encrypt the affected data, and retire the compromised material so that it can no longer decrypt anything.
DARP for top data locations
DARP controls should be tailored based on the type of data at rest environment:
File servers
Encrypt sensitive file shares and limit access through file permissions and rights management. Enable file access auditing and log monitoring.
Databases
Implement database encryption (transparent data encryption for the storage files, column-level encryption for the most sensitive fields) and masking of PII in non-production copies and application views. Restrict database account privileges and monitor all administrative activity.
Endpoints
Require full disk encryption on all employee laptops and devices, with keys protected by the device's TPM or secure enclave and recovery keys escrowed centrally. Enforce strong local file permissions and other data leak controls.
Cloud storage
Enable default encryption on cloud storage such as S3 buckets, block public access at the account and bucket level, and reject unencrypted uploads through bucket policy. Control access through IAM roles, review policies for over-broad grants and monitor access logs. Use data loss prevention to find sensitive objects that were stored without controls.
Big data
Pseudonymize sensitive fields in data lakes with masking or tokenization before they reach analysts, and keep any re-identification mapping outside the lake. Encrypt data prior to ingest and implement column-level encryption where possible.
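Masking and tokenization are often conflated, so here is an added Go example (not code from the original page) that contrasts them for a card number: Mask is irreversible and keeps only the last four characters, while Tokenize replaces the other digits with random ones, preserves the format and the last four, and stores the mapping in a Vault that stands in for a tokenization service (an assumption of this example, as are the purpose names that gate Detokenize). The same value always receives the same token, so joins across a data lake keep working, and a value with too few digits is refused rather than echoed back as its own "token".

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Vault stands in for a tokenization service (an assumption of this example).
// Reverse lookups are keyed by an HMAC of the value, so equal inputs get equal
// tokens (joins keep working) without plaintext sitting in a map key.
type Vault struct {
	lookupKey []byte
	byHash    map[string]string // HMAC(value) -> token
	byToken   map[string]string // token -> value (encrypted at rest in a real vault)
}

// allowedPurposes is the least-privilege gate on detokenization.
var allowedPurposes = map[string]bool{"payment-processing": true, "fraud-investigation": true}

func NewVault() *Vault {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &Vault{k, map[string]string{}, map[string]string{}}
}

func (v *Vault) index(value string) string {
	m := hmac.New(sha256.New, v.lookupKey)
	m.Write([]byte(value))
	return string(m.Sum(nil))
}

// Tokenize returns a format-preserving token: separators and the last four
// characters survive, every other digit is replaced at random. The token is
// not derived from the value, so nothing is computable without the vault.
func (v *Vault) Tokenize(value string) (string, error) {
	idx := v.index(value)
	if tok, ok := v.byHash[idx]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 100; attempt++ { // retry the rare token collision
		tok, err := randomToken(value)
		if err != nil {
			return "", err
		}
		if _, taken := v.byToken[tok]; !taken {
			v.byHash[idx], v.byToken[tok] = tok, value
			return tok, nil
		}
	}
	return "", errors.New("token space exhausted for this format")
}

// Detokenize returns the original value only for an allowed purpose.
func (v *Vault) Detokenize(token, purpose string) (string, error) {
	if !allowedPurposes[purpose] {
		return "", fmt.Errorf("purpose %q may not detokenize", purpose)
	}
	if value, ok := v.byToken[token]; ok {
		return value, nil
	}
	return "", errors.New("unknown token")
}

func randomToken(value string) (string, error) {
	runes := []rune(value)
	var pos []int // digits eligible for replacement: everything but the last four characters
	for i := 0; i < len(runes)-4; i++ {
		if runes[i] >= '0' && runes[i] <= '9' {
			pos = append(pos, i)
		}
	}
	if len(pos) < 6 {
		return "", errors.New("too few digits to tokenize safely") // the token would echo the value
	}
	noise := make([]byte, len(pos))
	if _, err := rand.Read(noise); err != nil {
		return "", err
	}
	for i, p := range pos {
		runes[p] = rune('0' + noise[i]%10) // slight modulo bias is fine: tokens are not secrets
	}
	return string(runes), nil
}

// Mask is the irreversible alternative for fields nobody ever needs back.
func Mask(value string) string {
	runes := []rune(value)
	if len(runes) <= 4 {
		return strings.Repeat("*", len(runes))
	}
	return strings.Repeat("*", len(runes)-4) + string(runes[len(runes)-4:])
}
```

Use Mask for display and reports, Tokenize for fields that analytics must join on or that a payment or fraud process must later recover, and keep the vault (with its lookup key) under the same key-management and access controls as any other restricted data store: it is the single place where a token turns back into the value.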
Backups
Encrypt backup data, and encrypt backup media such as tapes if they are transported offsite. Log all backup user activity and access. Physically secure and audit tapes.
Containers
Container image signing protects the integrity of images in registries, not their confidentiality, so secrets must not be baked into image layers in the first place. In Kubernetes, configure the API server's encryption at rest (an EncryptionConfiguration using the aescbc, aesgcm, secretbox or kms provider) so Secrets are not written to etcd in plaintext, and encrypt persistent volumes through the storage class or CSI driver, which is where volume encryption is actually applied.
DARP challenges
Some common challenges in implementing DARP include:
– **Scoping** – Identifying all data at rest locations and keeping discovery updated as new storage emerges
– **Legacy compatibility** – Supporting DARP controls like encryption across heterogeneous legacy systems
– **Performance** – Encryption introduces processing overhead that may impact performance if not designed properly
– **Cost** – Potential costs of new encryption, key management and other DARP platforms
– **Complexity** – Increased operational complexity from new platforms to integrate and manage
– **Key management** – Securing, backing up and governing encryption keys throughout their lifecycle
DARP metrics & reporting
To track DARP program maturity, relevant metrics and reports include:
Encryption metrics
– Percentage of servers/devices using full disk encryption
– Percentage of databases encrypted
– Percentage of file shares/NAS encrypted
– Percentage of backups encrypted
– Percentage of cloud data encrypted
Access control metrics
– Percentage of sensitive data stores with access restrictions enforced
– Number of accounts with administrative access to sensitive data stores, and how many were removed or re-certified in the last review
– Average IAM policy breadth (number of resources accessible per policy)
Audit metrics
– Frequency of DARP configuration auditing
– Percentage of backup access logs reviewed each month
– Percentage of access logs monitored for anomalies
Governance metrics
– Time to revoke access for terminated employees
– Frequency of encryption key rotation
– Number of DARP policies reviewed and updated in the last year
DARP program reporting
– Dashboards tracking DARP metrics
– Monthly/quarterly reports to executives on DARP status
– Notifications of major DARP milestones or roadmap progress
| Data Type | Protection Controls |
|---|---|
| File servers | Encryption, permissions, DLP, monitoring |
| Databases | Encryption, masking, account controls, auditing |
| Cloud storage | Encryption, IAM controls, anomaly detection |
| Backups | Encryption, media controls, physical security |
Conclusion
Protecting sensitive data at rest through robust controls like encryption, access management, key management, auditing and governance is critical for information security. A comprehensive DARP program requires discovery of data at rest, tailored protection based on classification and ongoing management and reporting. When properly implemented, DARP can significantly reduce the risk of damaging data breaches by “hardening” data that persists in an organization’s infrastructure and assets. With rising data volumes across heterogeneous environments, dedicated focus on DARP will continue to be a priority for defense-in-depth data security.