Data Loss Prevention Step 6: Encrypting Data at Rest

Monday, February 06, 2012

Rafal Los


I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 6 (part 1 here) (part 2 here) (part 3 here) (part 4 here) (part 5 here)...

If you've been keeping up you know I'm down to the final 2 recommendations of how to do Data Loss Prevention more rationally, soundly, and without clogging your network closets with more blinking boxes that rarely solve anything as their vendors claim. 

I'm writing this series as a splash of cold water for those of us that are so used to solving every enterprise security problem that exists (or that we perceive exists) by going to a vendor RFI or RFP and solving it by buying more hardware, software or solutions which in fact rarely are.

Look, I have nothing against solutions and vendors who sell them.  In fact, I work for one so you may be asking yourself why I'm writing this series... to be truthful I see a lot of waste in the way that enterprises spend their hard-fought budgetary dollars. 

Lots of technology bought last year goes underutilized, or collects dust in a closet somewhere or in extreme cases (and I know of a few, sadly) the hardware never makes it out of the original packaging before it's time to renew the maintenance agreements.  That's pathetic, so we try to do things more rationally here - let's dive into data at rest.

Encryption is Critical

Sometimes, your critical enterprise information just wants a break from all that processing and moving around it does.  It takes a load off, kicks back with friends, and hangs out in places on your network where no one would ever think to secure it.  Unfortunately, the people who want to steal that data don't really think it appropriate to only look for data in your data silos and file-servers so they'll scour everything to find your weakest data. 

This is where data loss prevention intelligence can actually create a phenomenal value to the organization.  I don't want to alarm you, but if you're doing this part of the DLP idea properly you'll likely be making the Chief Compliance Officer quite happy because you'll be compliant with a whole boat-load of regulations!  More on this in a minute...

I bet you're thinking you know where all your enterprise-critical information is.  You're wrong.

Even if you did know where greater than 50% of your enterprise proprietary or critical information was... you'd probably be powerless to control its sprawl.  Let's face it, systems consume data and then become mobile - which is hardly something you can do anything about in a world where mobility is a key business driver.  Unless you're thinking the way I'm thinking, and the way many Chief Risk Officers and Chief Information Security Officers are thinking...

What if you didn't care where your data took a rest, because everything was encrypted once the power went off.  In case you haven't figured it out yet, I'm thinking about things like file-level encryption, volume encryption and maybe even whole-disk encryption. 

The price tags on these various options range from open source (free) to enterprise (pricey) but let me tell you how much of an insurance policy these things can be!  There are many organizations (mostly in the medical line of business lately) that are finding out just how important encrypting their systems' disks can be.  Laptops, desktops, servers (yes, maybe even servers?) have to have disks encrypted according to risk-management principles.

Whereas we figured it was a good idea to have only mobile devices like laptops encrypted before, lately we've seen that the good ol' smash-n'-grab works just fine in 2012 and that desktops can have their hard disks stolen with relative ease.  Whether someone is stealing your laptop from the back seat of your car, or an unused disk from a pile in your data center - they're really not asking themselves whether those have been safely sanitized. 

In fact, sometimes they're taking them because they know they're not.  Desktops aren't any different than laptops, I'm afraid ... so encryption makes sense.

Let's face it though, this becomes very difficult on ultra-mobile devices like mobile phones and laptops and we haven't quite figured that out yet.  I'm thinking this will come along quickly as these multi-purpose devices (part personal device, part corporate tool) will shortly become the norm. 

There are already tools which encrypt just the corporate data on an ultra-mobile device so we're most of the way there I think. Manageable encryption is critical in today's enterprise.

Compliance. Yes, Compliance.

Something interesting happens when you encrypt your data at rest.  You magically and mystically become compliant with many of the things that make life hell otherwise.  Wonderful isn't it?

You see, many of the compliance regulations state that you need to report a breach immediately to every authority if that data isn't encrypted.  If you encrypt the data, the issue goes away... and the stolen information is just garbage.  This is of course predicated on the fact that you've managed to not screw up the implementation of encryption - but that's another topic.

But wait, there's more!

Naturally, there are other ways here beyond encrypting disks.  You can encrypt databases, files-on-the-fly, and even the little bits of data themselves like the genius that Heartland Payment Systems have come up with. 

Usable encryption that doesn't destroy the rest of the processes - otherwise known as format preserving encryption - is data-level encryption that doesn't force you to re-do every process from the ground up.  Your business will like that, guaranteed.
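
To make the "doesn't force you to re-do every process" point concrete, the added example below (not from the original post) encrypts a 16-digit value into another 16-digit value, so a legacy field that only accepts 16 digits still accepts the ciphertext. It is a teaching Feistel construction over decimal strings, not NIST FF1 or the scheme any vendor ships; the key, the sample number and all function names are constructed.

```python
import hashlib
import hmac
import re

ROUNDS = 10
LEGACY_PAN_FIELD = re.compile(r"[0-9]{16}")  # hypothetical legacy column rule


def _prf(key, round_no, total_len, half):
    """Keyed round function: HMAC-SHA256 over round number, length, other half."""
    msg = bytes([round_no, total_len]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits):
    # Tiny domains can be brute-forced by enumeration, so reject short inputs.
    if not re.fullmatch(r"[0-9]{6,255}", digits):
        raise ValueError("expected 6 to 255 ASCII digits")
    u = len(digits) // 2
    return u, len(digits) - u


def fpe_encrypt(key, digits):
    u, v = _split(digits)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _prf(key, i, len(digits), b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key, digits):
    u, v = _split(digits)
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, i, len(digits), a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def fits_legacy_field(value):
    """True if the value passes the unchanged 16-digit validation."""
    return LEGACY_PAN_FIELD.fullmatch(value) is not None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"
    token = fpe_encrypt(key, "4000001234567899")  # constructed sample number
    print(token, fits_legacy_field(token), fpe_decrypt(key, token))
```

The same plaintext always maps to the same ciphertext under one key, which is what lets joins and lookups keep working, and also means equal values remain visibly equal.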

So all-in-all, data at rest can be tricky.  It's hard to stop data exfiltrating over the wire when it's the hard drive or whole PC that's being thrown onto the back of a pickup truck and driven away from the scene of the crime. 

Think about implementing encryption at varying levels of your organization - even if you don't think you need to - as peace of mind against the "oops, that hard disk was the 1 in the entire organization that had sensitive data on it!" situation.

Good luck!

Cross-posted from Following the White Rabbit

Todd Thiemann: Nice summary of the encryption challenge and very relevant in light of news about Zappos and other breaches.

Encryption, if properly implemented, can also provide access control over the data and provide a separation of duties.

One follow-on challenge is encryption key management. Once you start accumulating encryption keys, you need to manage them. Losing a key is equal to deleting the data (not a good thing in most circumstances).

Rafal Los: Todd - I completely agree with key management being a challenge. Once we start encrypting (truly doing encryption right) the attackers will focus on the key management systems which, from experience, are so poorly secured/operated it hurts the brain.

Thanks for the comment!
Pallavi Pandey: Could someone please help me with basic and crucial steps/procedure of implementing DLP or other security solutions in an enterprise environment?