What is Data Encryption at Rest?

In this article, we provide a detailed answer to the question “What is data encryption at rest?” Businesses are producing data at a fast pace. The amount of information business organizations create and collect is increasing continuously, and whether your organization is small or large, if you do not understand your information, its purpose, its value, and its risks, you cannot fully protect it.

The volume of data held in local enterprise storage, in the cloud, and on backup tapes is huge. Encrypting data at rest is one component of a data security program.

Data security is not just data at rest encryption; it is a complete operational program driven by strategies, managed by processes, operated through clear procedures, and monitored by an audit process in order to protect information assets. Encryption is one piece of a data security strategy.

In this article we touch on cryptographic history and uses, and shed some light on the cryptographic mandates of regulatory compliance and their impact.

Content Overview:

  1. History about Encryption
  2. The Three States of Digital Data
  3. Data Categories
  4. Encryption Important Definitions
  5. Cryptographic Key Management
  6. Compliance and Security Standards Impact
  7. Your Enterprise Accountability for Data at Rest
  8. Conclusion

History about Encryption

Encryption origins go back to 1976, when two Stanford mathematicians, Whitfield Diffie and Martin Hellman, invented an advanced mathematical algorithm called asymmetric cryptography; some literature prefers to call it a mathematical relationship. Diffie and Hellman identified a relationship between pairs of large prime numbers whereby data encrypted with one key of a pair can only be decrypted by its paired key. The relationship between these large prime numbers creates a computational difficulty that makes it infeasible to reverse-engineer the relationship. This mathematical relationship was later named the Diffie-Hellman key exchange.

Asymmetric cryptography is an algorithm that generates two mathematically related keys (a key pair); a cryptographic software application uses the pair to encrypt and decrypt a specific data set. The two keys gained the industry-wide names public key and private key: the public key encrypts the data and the private key decrypts it. The public key is the half of the pair used for encrypting data and is made available to many people for the sole purpose of encryption; only those allowed to decrypt the data know the private key. This encryption/decryption process accomplishes two goals, authentication and encryption: the public key is used to validate the data origin and its relationship to the encrypted data, and decryption is limited to the holder of the private key. The two keys are tightly linked, in that the public key is used to generate the private key.

PKI (Public Key Infrastructure) is another name that came along in cryptographic literature. It is based on asymmetric cryptography and began with the invention of the X.509 certificate standard in 1993 with the establishment of the RFC 1422 standard. This standard created the concepts of certification authorities, certificate revocation lists (CRL), and certificate trust that provided the framework for the more advanced PKI-based technologies in use today. PKI was originally developed to encrypt data in transit; however, due to its power and value, it was widely adopted for encrypting data at rest through PGP protocol implementations.

The Three States of Digital Data

  • Data at rest: inactive data stored physically in any digital format in persistent storage (disk or tape), e.g. databases, files, backup tapes, offsite backup copies, mobile devices, etc. More than 90% of stored data is in a dormant, infrequently used state, according to the SecurityFirst white paper “Why Object Storage is in Your Future”.
  • Data in process: active data in a non-persistent digital state, in the context of manipulation by an application or resident in volatile memory; data at rest that changes frequently sometimes also falls in this category.
  • Data in transit: active data traveling between devices, either through private networks or over public or untrusted networks such as the internet, for example emails and chat data.

Protection and encryption of data in transit was a major concern for the technology industry and regulators; protecting data in transit was the main driver behind the invention of the encryption schemes widely used today. The aim of those schemes was to protect data and prevent a man in the middle from reading it. Special-purpose cryptographic solutions for data at rest evolved at a later stage, as specialized industry institutions developed and provided solid encryption solutions.

Data Categories

Data available in system storage is categorized by its purpose. Business data (e.g. customer profiles, transactions, etc.) is the first category that comes to mind. System and server logs are among the most important data categories: several industry security standards such as PCI-DSS and HIPAA mandate a high level of protection for them against tampering. The data categories in scope for regulatory compliance standards are:

  • System, server, application, and network device log files or databases
  • System, server, application, and network device configuration files
  • Data objects (text files, pictures, documents, spreadsheets, etc.)
  • Database files, database journal files, database logs, database schemas and configuration

These categories fall under the scope of data at rest encryption.

Encryption important definitions

Professionals working in the computer and software industry tend to have basic knowledge about encryption; however, it is a black box to many of them. Some know a term like encryption key in general, but have no idea about the other terms used in the cryptographic space and its systems. A few terms used in cryptographic solutions are:

  • Encryption Key: also known as a cryptographic key, a piece of information generated by a cryptographic algorithm. A key specifies the process of transforming plaintext to ciphertext and vice versa.
  • Data Encryption Key (DEK): an encryption key used to encrypt data objects; the name serves to differentiate it from other cryptographic keys.
  • Key Encryption Key (KEK): an encryption key used to encrypt Data Encryption Keys or other special-purpose cryptographic keys.
  • Master Key Encryption Key: an encryption key used specifically to encrypt all other special-purpose cryptographic keys, such as Data Encryption Keys and Key Encryption Keys. It also serves as the primary key in most sophisticated cryptographic systems and requires top-secrecy handling.
  • Cryptographic System: software on a computer, or a special-purpose hardware appliance, used to generate, store, distribute, process and manage cryptographic keys.
  • Key Vault: a storage environment specifically designed to store encryption keys, either within the cryptographic system or as an independent component tightly coupled with it.
  • Encryption Key part: a single piece of an encryption key that has been split into two or more parts.
  • Key ceremony: the process of loading cryptographic keys into a key vault by two or more people, based on the number of key parts.

Cryptographic Key Management

Cryptographic key management is the process of generating cryptographic keys and distributing, storing, and recycling them.

The Hardware Security Module (HSM) appliance was and still is the de facto standard key vault for cryptographic key management in the military and financial industries. An HSM is a hardware appliance that provides highly secured storage of cryptographic keys and exposes standard interface protocols such as PKCS#11 or KMIP.

HSM appliances are often tamper-resistant, designed to wipe all stored keys once powered off or, for some devices at levels 3 and 4 of the FIPS 140-2 standard, if they encounter a certain level of vibration that might indicate the device is being moved from its location while powered on.

The HSM generates a master key encryption key to encrypt all encryption keys stored on the device. Software that needs a stored key cannot read it directly; instead it issues a command to the HSM appliance, which decrypts the stored key and sends it back to the requesting software.

SecurityFirst DataKeep supports the use of an HSM to secure keys; the DataKeep Policy Provisioning and Management (PPM) server provides a centralized networked service that allows clients to retrieve and use cryptographic keys.

Compliance and Security Standards Impact

Increasingly, companies are coming under scrutiny for their security and compliance policies and face a continuous challenge in their data protection measures. Customers, especially B2B companies and service providers, often reconsider their relationship with a business seen as careless with customer data once a security breach incident shows up in the media. For example, to do business with any European Union company or individual, or to be a subcontractor to a business that does, you have to conform to GDPR. Another example: if you want to do business or subcontract with the US government you have to conform to FIPS, FISMA, DoD and other compliance regulations.

Your Enterprise Accountability for Data at Rest

Compliance regulations, whether general like GDPR or industry-specific like PCI-DSS and HIPAA, hold enterprises accountable for data. Your organization's ability to demonstrate compliance is not enough; you have to show the process in place that ensures a high level of care and protection for data continuously. This holds regardless of your organization's relationship with the data, whether your enterprise is a controlling party collecting and managing data or a service provider processing data on behalf of another enterprise. You have to comply with regulations, be able to show sufficient guarantees that appropriate technical, organizational and operational measures are implemented to meet evolving regulatory requirements, and prove data protection on a regular basis.

The phrase “processing data” in terms of compliance regulations spans the data collection process, data exchange, data storage, data in transfer, and in-memory data processing. Data protection measures might include, without limitation:

  • Data management practices, encryption measures, policies, procedures, and audit processes.
  • The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
  • A process in place for testing, assessing, and evaluating the effectiveness of the technical and organizational measures ensuring the security of the processing.

Compliance regulations also mandate data breach notification to supervisory authorities and affected parties (people or institutions); a data breach, as defined by the regulations, covers both unintentional accidents and bad-actor incidents. Based on the terms of your regulatory obligations you have to issue a notice to the concerned parties (supervisory and local) within a certain period of time.

Conclusion

Now that you understand what data encryption at rest is, you can see why encrypting data at rest is such an important part of your data security strategy. Data protection failures could lead to a total business shutdown or at least serious brand damage and large dollar fines. Regulatory exposure to prosecution has recently expanded beyond the federal government; district and local attorneys can take action at the state level. The SecurityFirst DataKeep solution is the technology leader, with knowledgeable experts who can provide your enterprise a state-of-the-art and cost-effective solution.
