As businesses start to build larger data repositories for big data analytics, how data at rest is protected is becoming a key concern among security administrators.
Compliance and regulatory requirements are designed to protect consumer information, personal data and customer information from unauthorized sources. Those legislative controls have done a pretty decent job of educating IT security on what needs to be protected and how to audit the protection mechanisms in use.
Yet breaches still occur, and data that should be protected gets exposed to threats and interception, which creates a troubling conundrum: if businesses cannot protect data constrained by compliance regulations, how can they protect other data elements (such as intellectual property) from compromise as well?
Undoubtedly, protecting data that leaves the premises and traverses the cloud is a challenge that must take precedence for today's connected businesses. Yet protecting data in motion cannot be used as an excuse for failing to protect data at rest, which creates an ever-increasing workload for today's security administrators.
Adding to the angst, some analysts estimate that by 2017 two-thirds of all workloads will be processed in the cloud and 1.4 zettabytes of data will be flowing over global networks, meaning that the majority of data will be in motion and will remain in motion as it traverses clouds.
How that affects the protection of data at rest remains to be seen, especially since the concept of data at rest is being redefined. Simply put, data at rest is moving into the cloud - thanks to new services, such as hosted big data analytics platforms, cloud-based Hadoop file systems and cloud-based backup and disaster recovery offerings - which means the data no longer resides on the premises and may be in motion as a result of how cloud services scale, protect and load balance their storage entities.
Even so, there are still some rules of thumb that can be applied to protect data from compromise, regardless of whether it is in motion or at a standstill:
- Create a minimum level security policy: Create a basic security policy that applies to all data across the enterprise and the cloud, ensuring that basic protection is in place and can serve as a foundation for more extensive protection based upon the criticality of the data.
- Implement encryption for all data in motion: Using VPNs, SSL and other technologies can protect data from interception while "it's getting there".
- Encrypt data at rest: Encryption is the front-line defense for defending data at rest. It limits access to those with the right keys - locking out anyone who doesn't have them. It also meets a bevy of compliance requirements, removes any worry about retirement of disks and voids the threat of physical compromise of the cloud environment (even if someone walks away with the data drive from the cloud service provider's data center, they won't have access).
- Manage Keys and Policies: Encryption by itself is not the answer: keys, policies and certificates must be actively managed, making sure those protection devices do not fall into the wrong hands.
- Deny Access to Data: Do not authorize external parties access to the data, including the cloud services providers. Denying cloud provider access to information prevents cloud administrators or compromised cloud admin accounts from accessing the data.
- Employ Directory Services Infrastructures and Group Access Controls: Tie data access policies to a Directory Services Infrastructure and use group access controls to govern access to encrypted data from within the organization. What's more, the adoption of directory-based controls helps to meet many compliance and regulatory requirements, while tying data access/encryption to a directory services infrastructure helps to further secure on-boarding and off-boarding procedures.
- Synchronize data access and user access controls: Although data access policies tend to have a separate management chain, there are utilities and add-ons that allow those policies to sync to a directory services implementation. Policies can then be set that define what groups and applications have access to what data, under what circumstances and at what times.
- Monitor and Audit: Monitor who, what, where, when and how data is accessed from within databases and applications, as well as at the OS/file system level. Also monitor and collect information on access to sensitive information. Collect and monitor the data for unauthorized access attempts to determine if an attack is underway - alert where appropriate.
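
The last three rules of thumb (directory group controls, policies that define which groups and applications may reach which data at what times, and auditing for unauthorized attempts) can be combined in one check. The sketch below is an added example, not code from the original article; the users, groups, paths, applications, events and the alert threshold are all constructed assumptions, and the `DIRECTORY` dictionary stands in for a real directory service lookup.

```python
from collections import Counter
from datetime import datetime, time

# Constructed directory snapshot: user -> groups. "dave" is absent (off-boarded).
DIRECTORY = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"finance", "dba"}}

# Constructed data access policy: resource -> (groups, applications, window start, window end)
POLICY = {
    "/data/payroll": ({"finance"}, {"erp"}, time(8, 0), time(18, 0)),
    "/data/designs": ({"engineering"}, {"cad", "git"}, time(0, 0), time(23, 59)),
}

# Constructed audit events: (timestamp, user, application, resource)
EVENTS = [
    ("2024-03-04T09:15:00", "alice", "erp", "/data/payroll"),
    ("2024-03-04T23:40:00", "alice", "erp", "/data/payroll"),
    ("2024-03-04T10:00:00", "bob", "erp", "/data/payroll"),
    ("2024-03-04T10:01:00", "bob", "sqlclient", "/data/payroll"),
    ("2024-03-04T10:02:00", "bob", "erp", "/data/payroll"),
    ("2024-03-04T11:00:00", "dave", "git", "/data/designs"),
    ("2024-03-04T11:30:00", "carol", "sqlclient", "/data/payroll"),
]

def evaluate(event):
    """Return 'allow' or 'deny:<reason>' for one access event (default deny)."""
    ts, user, app, resource = event
    rule = POLICY.get(resource)
    if rule is None:
        return "deny:no-policy"
    groups, apps, start, end = rule
    if user not in DIRECTORY:              # account removed from the directory
        return "deny:unknown-user"
    if not DIRECTORY[user] & groups:       # no group in common with the policy
        return "deny:group"
    if app not in apps:                    # right user, unapproved application
        return "deny:application"
    if not start <= datetime.fromisoformat(ts).time() <= end:
        return "deny:time"                 # outside the permitted window
    return "allow"

def audit(events, threshold=3):
    """Evaluate every event; alert on users with >= threshold denied attempts."""
    decisions = [(e, evaluate(e)) for e in events]
    denied = Counter(e[1] for e, d in decisions if d != "allow")
    alerts = sorted(user for user, n in denied.items() if n >= threshold)
    return decisions, alerts

if __name__ == "__main__":
    decisions, alerts = audit(EVENTS)
    for event, decision in decisions:
        print(decision, *event)
    print("ALERT:", alerts)
```
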
Using a holistic approach to encryption and data protection offers proven advantages for securing data, regardless of whether it is in motion, at rest or even in the cloud. Following some basic protection principles can protect data from the outset and establish a secure foundation for building an adaptable security infrastructure that meets both corporate and legislative requirements.