The Ins and Outs of Securing Data at Rest

Because data spends tenfold more time being stored rather than in transit, technology executives recommend focusing on its protection there as well

Kevin Donnellan, Screen Actors Guild--Producers Pension and Health Plans

With globalization and laptop deployment booming, technology executives have grown accustomed to securing data when it's in transit, whether across the office or across a dozen time zones. But in any aspect of risk management, it's important to look at percentages. It turns out that data spends far more time-ten times as much, experts suggest-waiting to be accessed ("at rest" in industry parlance) than it does in transit.

Focusing on data transmission security without paying equal attention to where data spends most of its time, is a lopsided tactic. It's like hiring bodyguards to protect your kids on the way to school, but leaving the doors unlocked when the tykes are home. Technology executives note that, as with all the other layers in your security framework, there are three components governing data at rest: software, hardware, and policies.

Software As part of any security application protecting data in databases or files servers, you need software that has both preventive and detective monitoring capabilities. Stephen Davis, senior director of security and compliance for Kaplan Inc., a leading international provider of educational and career services for individuals, schools and businesses, says, "Monitoring helps you set a baseline of normal traffic behavior." Such a baseline helps you focus on events beyond certain thresholds. "That way, you're not chasing a lot of false positives." It's better to prevent unauthorized data access, certainly, but it's also important that your software be able to detect and analyze inappropriate access.

Hardware One of the problems with data at rest-particularly on desktops and laptops - is that malcontents can too easily disturb its slumber. At the Screen Actors Guild–Producers Pension and Health Plans (SAGPH) in Burbank, Calif., assistant CIO Kevin Donnellan has compiled a comprehensive plan dealing with both data in transit and data at rest. Regarding the latter, he worries about someone hijacking data about its clients simply by plugging a thumb drive into a USB port and walking out the door with it. "Our concern is that someone might sell that information to the tabloids. It's their job to find dirt on actors, and health problems can always become headlines."

His recommendation: make the USB ports accessible only through password-protected thumb drives whose data is automatically encrypted. Inject the thumb drives with a "kill" command so that the data is automatically erased after three access attempts with an incorrect password.

Policies Finally, you need consistent security policies not only for all devices, but also for all employees-"everyone from the staff auditor up to the CEO," says Donnellan. Under no circumstances, even when they are accessing data that isn't going anywhere, should employees be able to bypass security procedures-even executives who complain that said procedures affect either their productivity or the system's performance.

At the same time, CIOs should set up systems that require employees to rotate their passwords on a regular basis-Donnellan's policy is 180 days-always employing so-called "strong" (difficult to guess) passwords that include a combination of letters, numbers, and symbols.

CIOs need to apply the same rigor to policies governing their own employees as well, both for reasons of security and for compliance. Just as the CFO requires two C-level signatures for checks over a certain amount to prevent malfeasance, CIOs should make sure that database administrators don't have the same access rights as security personnel.

"As part of our Sarbanes Oxley compliance, we need to prove to our external auditors that no one directly updated data in our database in an inappropriate way," notes Stacey Halota, director of information security and privacy for the Washington Post Company (parent company to both the newspaper and Kaplan Inc.). Thus, it's important to delineate roles and responsibilities. When one person does the work, another person should audit the work, and neither should be able to do the other's tasks.

Arguably, the idea of protecting data at rest constituted the initial efforts toward security IT (or MIS) staff took in the early days of computing. But, with employees and business partners accessing data from almost anywhere, and new regulations regarding compliance, it is important that you bring your policies and technologies for protecting that data up to date.