Choosing an encryption solution when data-at-rest is poorly defined

2018-02-09

Data breaches have become a daily occurrence in many countries around the world. Malicious actors break into databases, networks, and various other systems, stealing huge amounts of valuable information, such as trade secrets and credentials. And their attacks are increasingly sophisticated and frequent. 

Regulators require data-at-rest to be encrypted

To counter this threat, authorities enacted a number of security-related measures and were especially keen on regulating the handling of sensitive data. They adopted laws that require companies to improve their digital defenses and protect customer information. Failure to do so could lead to dire consequences: businesses would not only be at risk of being hacked and losing their reputation, but they would also be hit with heavy fines for violating data privacy laws. And some regulators adopted stricter rules than others.

The New York State Department of Financial Services (DFS), for instance, is enforcing a set of regulations known as the NYDFS Cybersecurity Regulation (23 NYCRR 500). It requires financial services companies, ranging from banks and insurers to consumer lenders and money transmitters, to protect the nonpublic information they collect and use. The rule also instructs businesses to encrypt data-at-rest. And although this is good news for consumers, DFS didn’t clarify some important details. For example, the regulation doesn’t define what data-at-rest actually consists of, which leaves companies in a dilemma when deciding which encryption method to choose.

The hard task of defining data-at-rest

Data-at-rest is usually defined as inactive data stored physically in databases, file systems, hard drives, laptops, and other types of persistent storage. But the moment an application opens that data on behalf of a user, it becomes data-in-use.

The definitions of the two types of data might appear clear at first. However, there are issues that are yet to be clarified. Take, for example, the situation when a user is logged into a computer. At what point are files considered data-in-use rather than data-at-rest? The answer might seem simple – when a legitimate user accesses those files using appropriate software.

Far from solving the problem, this answer actually leads to additional concerns. The encrypted file system (EFS) is a case in point. This encryption method keeps files encrypted until a user clicks on them. Once that happens, the files are decrypted transparently, and the system has no way to tell whether the account is being used by its legitimate owner or by an intruder who has taken it over. User or administrator credentials are thus all it takes to access highly sensitive data.

This means that although EFS keeps files encrypted until they are accessed, the entire setup is more form than function. Such encryption provides protection only if a device is physically stolen, which happens less often than online hacks.

Considering EFS as encryption for data-at-rest is clearly a liberal take on the DFS rules. Getting this issue right requires encrypting data at the file level and creating a system in which only legitimate users can decrypt certain documents, rather than anyone who has taken control of the computer. One way to do that, as inconvenient as it sounds, would be to password-encrypt every file.

The definitional trouble does not end there: frequently used data-at-rest can, in some cases, be considered data-in-use. But DFS didn’t clarify the imprecise nature of the term ‘frequently’, which has led to different definitions of data-at-rest. Some companies opted for a lax approach, while others were more conservative.

Those in the first group define data-at-rest as information stored on a user’s computer while the device is powered off. Once the computer is powered on, the data is considered data-in-use, and hence not subject to DFS’ encryption rules. A conservative approach, however, is to consider data-at-rest as any data stored on a user’s device even when it’s powered on, Windows has started, and the user has already entered a username and password. A conservative position also treats information stored on NAS, SAN, and other network storage as data-at-rest regardless of whether users are logged in or not.

Choosing the proper encryption solution

Companies then choose an encryption tool that reflects their definition of data-at-rest. Some businesses opt for full-disk encryption. This method encrypts all files on the disk while users are not using the system and the device is turned off. Users who want data to stay encrypted when the computer is powered on but before Windows boots can use Microsoft BitLocker or similar solutions.

The adoption of cloud storage, however, has made it even harder to define and protect data-at-rest. Should businesses consider data stored with a cloud storage provider, such as Box or OneDrive, and linked to a computer through ‘smart sync’ as data-at-rest? And if so, should the definition apply when the user is logged in or logged out of the cloud storage provider? Also, what about data stored on a computer and mirrored in the cloud? Encryption at the cloud provider offers some protection but is far from an effective solution.

A conservative interpretation is the safest one

Having in mind these dilemmas, it’s becoming increasingly clear that a conservative interpretation of data-at-rest is safest. Regulators are yet to clearly define this issue. Until that happens, businesses that encrypt a wide range of information will not only avoid large fines but will also ensure they’re well protected against cyber-attacks. And strong defenses are critical for avoiding data breaches, leaking sensitive information, and losing reputation.

That’s why Atakama has developed an encryption solution that enables businesses to comply not only with DFS’ encryption rules but also with those being considered by regulators around the world. The company’s product will satisfy even companies with the most conservative interpretation of data-at-rest. It encrypts files continuously and distributes each file’s 256-bit AES key across several devices. Approving access to a protected file is as easy as tapping your phone and requires no usernames, passwords, or one-time codes. The software also enables users to keep protected files in sync with major cloud storage services, including Box, Dropbox, and Google Drive.
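The post describes distributing a file’s 256-bit AES key across several devices so that, unlike EFS, a single set of stolen credentials on the computer is not enough to decrypt. The example below is added here to illustrate that idea; it is not Atakama’s code, and the post does not say which scheme the product uses. It implements Shamir’s secret sharing over a prime field, so that any `threshold` of `n_devices` shares reconstruct the key while fewer shares reveal nothing about it; the key, device count and threshold are constructed values.

```python
import secrets

# Mersenne prime 2^521 - 1: a field large enough to hold a 256-bit key as one element.
P = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_key(key: bytes, n_devices: int, threshold: int) -> list:
    """Split a symmetric key into n_devices shares; any `threshold` of them recover it."""
    if not 1 < threshold <= n_devices:
        raise ValueError("need 1 < threshold <= n_devices")
    secret = int.from_bytes(key, "big")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out because f(0) is the key.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_devices + 1)]


def recover_key(shares: list, key_len: int = 32):
    """Lagrange-interpolate f(0) from the shares; returns None if the result is not a key-sized value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P          # product of (0 - xj)
                den = den * (xi - xj) % P      # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret.bit_length() > 8 * key_len:
        # Too few shares interpolate a different polynomial, yielding an arbitrary field element.
        return None
    return secret.to_bytes(key_len, "big")


def demo() -> bool:
    """Constructed scenario: one file key, shares on laptop, phone and a backup device."""
    file_key = secrets.token_bytes(32)                     # constructed 256-bit AES key
    shares = split_key(file_key, n_devices=3, threshold=2)
    laptop, phone, backup = shares
    unlocked = recover_key([laptop, phone]) == file_key    # laptop + phone approval: decrypts
    alone = recover_key([laptop]) == file_key              # compromised laptop alone: useless
    return unlocked and not alone
```

`demo()` returns `True`: two cooperating devices rebuild the key, while the share left on a single compromised machine does not.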

Avoiding data breaches and the loss of reputation

Customers and regulators expect companies to protect sensitive data. Achieving that goal is not always easy, though, as cyber-criminals come up with ever more sophisticated and powerful attacks. But the chance of a successful data breach can be greatly reduced by encrypting as much data as possible. And although governments are not always clear on the scope of their regulations and the definition of specific terms, a conservative interpretation of the law is safest and will ensure businesses avoid fines and data breaches. To that end, security solutions provided by companies such as Atakama are an invaluable asset that seamlessly protects companies without impacting existing workflows or imposing unnecessary restrictions.