You get the most bang for the buck by locking down user-access privileges and requiring users to authenticate with two factors, National Defense University's John Rossi says.

Jul 24 2008

At Rest — On Guard

If you want to let data idle, make sure you have protections in place to secure those files at rest.

It happened again: government records exposed because of a notebook computer theft.

The most recent breach — a notebook containing 2,500 patient records nabbed from a researcher’s car on the National Institutes of Health campus — is just the latest in a string of high-profile incidents. Although the NIH notebook was password-protected, the personally identifiable information wasn’t encrypted.

Securing data at rest, a top federal priority, remains complex. The number and type of encryption algorithms are confounding, the security technology is still maturing, and policies are still evolving. Even so, say several experts, protecting data at rest should not be dismissed as an insurmountable challenge.

Layer by Layer

The ultimate solution involves several steps: knowing what you have, knowing what’s vulnerable, classifying your data, keeping track of your devices, determining how best to encrypt your data and hardware, and assigning appropriate privileges.

But it’s the combination of actions that’s the crucial factor, says John Rossi, professor of systems management and information assurance at the National Defense University (NDU).

View each step as another layer of security, say Rossi and other security experts, making penetration and data tampering by would-be attackers more difficult and time-consuming to perpetrate. Here are their pointers on how to succeed at protecting data at rest, step by step:

Start with the basics. Multifaceted security technologies can go a long way toward protecting data at rest. But before diving in, do some basic blocking and tackling, says David Hollis, program manager and co-chairman of the Defense Department Data at Rest Tiger Team. DARTT manages blanket purchase agreements for data-at-rest encryption products.

Essentially, inventory your systems and identify your vulnerabilities, and then take them on one at a time, he says. “Some agencies haven’t even started encrypting their mobile devices, and that’s key because the environment is becoming more and more mobile.”

Adds DARTT Technical Director Robby Carter: “It’s about taking care of what we can, based on what’s most vulnerable today, while the government determines resources and funding and technologies to support the infrastructure.”

Inventory your data. Before you even think about securing data at rest, you have to know where it resides. “It’s not as easy as it sounds because data is everywhere, and you really have to rely on the people who own the data to help identify where it is. And then you have to consolidate it and map where it’s going — all before you can adequately secure it,” says Patrick Howard, chief information security officer at the Nuclear Regulatory Commission and former CISO for the Housing and Urban Development Department.

Keep track of your devices. The ability to copy or move sensitive data onto small portable devices has increased vulnerability dramatically. One way to conquer that issue is through device discovery. Often provided free with security systems, device-discovery applications let users assess and determine what types of devices are connecting to the network. The information provided by each assessment hinges on the particular user’s administrative authority.

“That way, they have the information they need to determine the data leakage threat in their organization,” says Dave Vergara, product marketing director for data security at Check Point Software Technologies. “If a lot of employees are copying business data to personal USB thumb drives or other removable media, including some things maybe they shouldn’t be taking with them, you’ll know that, and can then determine how best to take back control of it.”

Classify your data. If you haven’t set up a classification system for data based on its importance, sensitivity and value, it will be impossible to ensure that new data is properly protected. “For example, if a certain type of data is classified as secret, it should be assigned this classification no matter if it’s at rest or in motion; and anything created within these content parameters should be classified as secret,” explains John Bordwine, senior director of security engineering at McAfee.

Encrypt your data. The pinnacle for data protection is confidentiality, integrity and availability to those authorized to access the data. A conflict, however, arises between confidentiality and availability — the more stringently data is protected, the more difficult it is to access, even by authorized users. And passwords simply don’t cut it; they are reasonably easy to decipher, hard to remember and, in the case of the Defense Department, must change every three months and can’t match any of the previous 24 passwords that you’ve used.

“There are many problems with passwords in general,” says NDU’s Rossi. “You can hash them, but if you lose the keys you won’t be able to unlock it. And because passwords have to change so often, they become almost impossible to remember.”

So what’s the solution? Use a combination of something you know (a password), something you have (a smart card or token) and something you are (a biometric). “If we did just that, we would be 80 percent there,” he says.

For portable hardware, media encryption and port protection make sense. The technology, which combines port and device management, content filtering and centralized auditing with media encryption, plugs potential leads and logs data movement to and from devices. “If the device isn’t approved, it won’t allow the user to write data to it. If it is an approved device, policy settings can ensure that the data is protected by forcing encryption of the data when it’s copied to the device,” Vergara says.

Be picky about privileges. Try to limit access to those who really need it, and if granted, employ the concept of “least privilege” by authorizing the fewest number of privileges to accomplish essential tasks.

Segregate, whenever possible and practical, critical information system components, and limit network access to secondary storage devices containing highly sensitive information.

“It’s about having a well-designed systems architecture and implementing a defense-in-depth protection strategy,” says Ron Ross, FISMA Implementation Project leader at the National Institute of Standards and Technology. “If you do it that way and your system is breached, the attacker’s access can be significantly limited.”

Want more security suggestions? Read the Best Practice on the Federal Desktop Core Configuration.

<p>Photo: Randall Scott</p>