Protect Data at Rest

All of the information that your company holds is important – otherwise, it would already have been purged. You need to keep a variety of data safe from loss because, without certain records, your company can’t continue. Similarly, you need to be sure that records can’t be tampered with to create false information, and you don’t want critical information to be disclosed to competitors. Those are the three classic goals of data security: availability, integrity, and confidentiality.

Data protection is also a legal obligation, and the legislation is spreading all over the world. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) makes the protection of healthcare records a matter of federal law. The Payment Card Industry Data Security Standard (PCI DSS) for the card payment sector is often mentioned in the same breath, but it is not a law: it is a contractual standard enforced by the card brands through the banks and processors that handle your transactions. There are also obligations tied to where the data subjects live rather than where your business is located. The most notable examples are the EU’s General Data Protection Regulation (GDPR), which protects people in the EU, and the California Consumer Privacy Act (CCPA), which protects California residents, whichever country the business holding their data operates from.

What data needs to be protected?

Data protection standards specifically relate to information about individuals. They don’t concern data about companies as such. However, the line between what is and is not considered to be personally identifiable information (PII) is a fine one, and different laws draw it in different places.

An employee contact sheet in personnel records that includes the employee’s name, home address, personal email address, and telephone number is PII under every regime. A database of company contacts that consists of that same person’s name and contact details at their place of work is treated more loosely by some laws (Canada’s PIPEDA, for instance, excludes business contact information that is used only to reach the person at work), but under GDPR it is still personal data, because it identifies a living person. Don’t assume that work contact details are out of scope.

The extent of data privacy standards

You might not be in the business of taking care of people’s health, and you might not be based in the EU. However, data privacy standards ripple through the IT supply chain, so businesses that aren’t directly involved in a regulated industry, or don’t operate in an area covered by the legislation, might find they need to comply anyway.

In almost all cases, data security standards are related to PII. The notable exception is the Sarbanes–Oxley Act (SOX), which concerns the integrity of the records of the financial transactions of publicly traded businesses. If your business is never going to store PII, the privacy laws may not reach you, but that does not mean your data needs no protection, as the next section explains.

In the IT industry, the supply chain of services means that businesses that serve other companies, and so process those companies’ PII on their behalf, will probably need to comply with just about every data security standard out there. This is particularly the case with managed service providers (MSPs) and cloud services.

Data protection standards make the primary business that collects and uses PII (the data controller, in GDPR terms) responsible for disclosure events no matter where in its supply chain they occur. So, companies looking for services will only award contracts to providers who conform to the required standard. If you run a cloud service with a global reach, you will lose a large section of potential customers if you don’t comply with all of the significant data security standards.

Securing data

Apart from the legal issues surrounding PII, there will be other types of information that you don’t want others to find out. For example, if you are considering buying another company, that information needs to be kept private, especially if either company is publicly traded. In addition, you don’t want your competitors to know your cost structure or the details of current research and development projects.

So, you need to protect the data that your company uses whether or not it pertains to PII. The states of company information fall into three categories:

  • Data in use
  • Data at rest
  • Data in transit

Each of these states has its particular security requirements. For example, protecting data in use includes considerations of appropriate use and access controls. In this guide, we are particularly interested in data at rest. However, many data transfer protocols and services involve data being at rest as well. For example, all email systems deliver a message to a mail server first, from which the recipient’s email client downloads it; a copy usually stays on the server rather than being permanently deleted, so a message that was data in transit a moment ago is now data at rest.

Protecting data at rest

Typically, you would expect data at rest to be held in files on file servers. However, there are other storage formats and locations to consider as well. For example, you also need to protect databases, which, ultimately, might also be stored as files. In addition, there are different cloud storage formats to take into account, such as object (blob) storage, which isn’t organized as a file system. Finally, consider also that data can be held in temporary files in places that you might not expect, such as print spoolers and the internal storage of printers and fax machines.

Even if you have a clear policy of only keeping files in one particular location, your business may well have many other stores of PII that you don’t know about. ERP and CRM systems often keep their own separate data stores.

Data discovery and classification

The first issue when approaching the protection of data at rest is to know precisely where it is. The next step is to determine which data is sensitive, whether because it is PII or because it is a trade secret.

You can then build a strategy to consolidate data stores. In many cases, the applications you use might not lend themselves to the proper removal of temporary files. In those instances, you will need to institute regular administration sweeps to clean up disks by removing those temporary files and shadow copies. Some solutions to data protection are procedural rather than technical.
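As an added example that is not part of the original article, the following Python script performs the first two steps above on a directory tree: it walks the files, looks for common PII patterns, filters candidate card numbers with the Luhn check so that phone numbers and order references do not trigger false positives, and assigns each file a classification label. The patterns, the label names, and the sample record are constructed for this example; tune them to the data your business actually holds.

```python
import os
import re
from collections import Counter

# Detection patterns, constructed for this example. The card pattern is deliberately
# loose and relies on the Luhn check below to reject most digit runs that are not cards.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13 to 19 digits
}

# Label per PII type; the most sensitive label found in a file wins.
LABELS = {"card_number": "restricted", "us_ssn": "restricted", "email": "confidential"}
LABEL_RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {pii_type: count} for the PII found in a piece of text."""
    found = Counter()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card_number":
                digits = re.sub(r"[ -]", "", match.group())
                if not luhn_ok(digits):
                    continue                # digit run that is not a valid card number
            found[name] += 1
    return dict(found)


def label_for(hits: dict) -> str:
    """Map the PII types found in a file to a single classification label."""
    label = "public"
    for pii_type in hits:
        candidate = LABELS.get(pii_type, "confidential")
        if LABEL_RANK[candidate] > LABEL_RANK[label]:
            label = candidate
    return label


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk a directory tree and return {path: (label, hits)} for files containing PII.

    Only the first max_bytes of each file are inspected, which keeps the sweep fast;
    files are decoded leniently so text embedded in binary formats is still found.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as handle:
                    text = handle.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue                    # unreadable file: log it in a real sweep
            hits = classify_text(text)
            if hits:
                results[path] = (label_for(hits), hits)
    return results


# Constructed sample record; 4111 1111 1111 1111 is the well-known Visa test number,
# while the order reference has the same shape but fails the Luhn check.
SAMPLE = (
    "Employee: Jane Doe <jane.doe@example.com>, SSN 123-45-6789\n"
    "Corporate card 4111 1111 1111 1111; order ref 1234 5678 9012 3456\n"
)

if __name__ == "__main__":
    hits = classify_text(SAMPLE)
    print(label_for(hits), hits)
    for path, (label, found) in scan_tree(".").items():
        print(label, path, found)
```

Run it against a file share and you get the inventory that the consolidation strategy needs: which files hold which kinds of PII, and the label each file should carry. The regular expressions are a starting point, not a complete detector; a production scan adds patterns for the identifiers used in your own country and industry.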

Access rights management

Proper data protection in use, at rest, and in transit requires very finely tuned user accounts and access rights. In this respect, all three states of data are interlinked. You need to segment off data so that only specific roles in specific departments can access particular data types.

Administrator accounts and technician access can be a particular headache. Many devices, such as printers and removable storage, are not covered by your access rights scheme at all, or they ship with default, easily guessed credentials such as ADMIN/PASSWORD.

File protection measures

The main focus of your security effort will be the protection of files. The tools that watch files for unauthorized change are called file integrity monitoring (FIM) services, and because they record who changed what, they also cover part of the problem of protecting data in use.

FIM systems take a baseline of the files they watch, typically a cryptographic hash of the contents plus the permissions, and then detect any departure from that baseline and record who caused it. In some cases, this is just a logging and alerting service that records the user account and the date and time of the change. In other cases, the FIM includes version control that stores a complete copy of the file each time a change is made, making it possible to undo those changes by rolling back to a previous version. Note that FIM detects changes; it does not by itself prevent them, so it has to be paired with access controls.

In all forms of FIM, a clearly defined set of user accounts is essential to attributing activity properly.

Access control on files can be enforced by encryption. That encryption can be applied to individual files or entire folders. The encryption system should allow several authorized users to access the same file without ever handling the encryption and decryption key themselves. In other words, the access control enforced by encryption should be transparent, allowing authorized users to open files without even realizing that encryption has been applied, while anyone who copies the raw file without the key gets only ciphertext.

File encryption services are particularly useful in blocking the possibility of malicious activity by IT technicians, provided the keys are managed separately from the administrator accounts that run the servers; this is essential in MSP activities.
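The baseline-and-compare approach of file integrity monitoring described above, written out in Python as an added example (not code from the article or from any product it reviews): hash every file under a directory, seal the baseline with an HMAC so that an intruder who alters a file cannot quietly edit the baseline to match, and later re-scan and report what was added, removed, or modified. The key value and the file entries used in the demo are constructed; in real use the key must be kept off the monitored host.

```python
import hashlib
import hmac
import json
import os


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _entry(path: str) -> dict:
    """Metadata recorded per file; a change to any of these fields is reported."""
    st = os.stat(path)
    return {"sha256": hash_file(path), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                    # symlinks and special files are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = _entry(path)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report files added, removed, or changed (content or permissions) since old."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC so it cannot be edited to hide a change.

    The key must live where the monitored host's administrators cannot read it;
    otherwise an intruder with admin rights simply re-seals a doctored baseline.
    """
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC and return the baseline; raise if it was tampered with."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["baseline"]


def baseline_intact(blob: bytes, key: bytes) -> bool:
    try:
        open_baseline(blob, key)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Usage: baseline the current directory, seal it, then re-scan and diff.
    key = b"demo-key-keep-this-off-the-monitored-host"       # constructed for the demo
    sealed = seal_baseline(build_baseline("."), key)
    report = compare(open_baseline(sealed, key), build_baseline("."))
    print(json.dumps(report, indent=2))
```

Scheduling the scan and shipping the report somewhere the local administrator cannot alter it turns this into the logging flavour of FIM described above; the version-control flavour additionally stores a copy of each changed file alongside the report.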

Protection against data disclosure

The corruption of data is mainly a matter for systems that protect data in use. The main objective of services that protect data at rest is to prevent data disclosure. In other words, they need to block data theft. Whoever wants to steal the data, and whatever the motive, you can shut down those opportunities by controlling all potential exit points.

There are several ways that you can address these data exfiltration points. First, you can flat out disable optical drives and USB mass storage, and block computers that hold data stores from connecting to a printer.

Protection from unauthorized transfers as attachments in emails or chat apps is harder to implement. Overall, you will need specialized software to exercise adequate control over data exfiltration points.

Data loss prevention

Once you look at the specialist software that blocks exit points, known as data loss prevention, you will discover that you can implement a more sophisticated security policy very quickly. Most data loss prevention (DLP) packages allow you to apply a series of security policies simultaneously, so you can enable users to access, move, or copy certain types of data but not others. For example, some users will be able to access some data stores while others will not.

The combinations of which users can do what with what type of data are almost infinite. Many DLP systems simplify formulating an appropriate data protection strategy by providing templates that pre-set controls according to specific data privacy standards.

Your DLP system will also need to import your access rights management permissions structure and categorize your data instances in its own classification system for these templates to operate effectively.
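To make the exit-point controls and the policy templates concrete, here is an added example in Python of the decision logic at the heart of a DLP policy engine; it is a simplified model written for this article, not any vendor's implementation. A policy is a list of rules, each covering some data classes and some exit channels and carrying an action; standards-based templates are just pre-built rule lists that you combine; role membership is mirrored from the access rights structure; and when several rules match, the most restrictive action wins. The channel names, rule contents, and users are constructed.

```python
from dataclasses import dataclass

# Exit points a DLP agent typically mediates (constructed list for this example).
CHANNELS = {"usb", "optical", "print", "email_internal", "email_external", "chat", "cloud_upload"}
SEVERITY = {"allow": 0, "audit": 1, "block": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    classes: frozenset                      # data classifications the rule covers
    channels: frozenset                     # exit points the rule covers
    action: str                             # "block", "audit" or "allow"
    exempt_roles: frozenset = frozenset()   # roles the rule does not apply to


def rule(name, classes, channels, action, exempt=()):
    return Rule(name, frozenset(classes), frozenset(channels), action, frozenset(exempt))


# Two templates in the style of the standards-based presets described above. They are
# constructed approximations of what such a preset contains, not a vendor's template.
PCI_TEMPLATE = (
    rule("cardholder data never leaves on removable media", {"cardholder"}, {"usb", "optical"}, "block"),
    rule("cardholder data never leaves by external email or chat", {"cardholder"}, {"email_external", "chat"}, "block"),
    rule("printing cardholder data is logged", {"cardholder"}, {"print"}, "audit"),
)
GDPR_TEMPLATE = (
    rule("personal data to unmanaged cloud storage is blocked", {"personal"}, {"cloud_upload"}, "block"),
    rule("personal data on removable media is blocked", {"personal"}, {"usb", "optical"}, "block"),
    rule("personal data printed or emailed externally is logged", {"personal"}, {"print", "email_external"}, "audit", exempt={"hr"}),
)

# Role membership mirrored from the access rights structure; note that the admin
# account gets no special treatment, which is the point made about technicians above.
ROLES = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"it_admin"}}


def decide(policy, user: str, data_class: str, channel: str):
    """Return (action, [names of matching rules]); the most restrictive matching rule wins.

    Unclassified ("public") data, or data for which no rule matches, is allowed through.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    roles = ROLES.get(user, set())
    action, reasons = "allow", []
    for r in policy:
        applies = data_class in r.classes and channel in r.channels and not (roles & r.exempt_roles)
        if not applies:
            continue
        reasons.append(r.name)
        if SEVERITY[r.action] > SEVERITY[action]:
            action = r.action
    return action, reasons


# Combining templates is a matter of concatenating their rules.
POLICY = PCI_TEMPLATE + GDPR_TEMPLATE

if __name__ == "__main__":
    for user, cls, chan in [("alice", "cardholder", "email_external"), ("bob", "personal", "print"),
                            ("carol", "personal", "print"), ("carol", "public", "usb")]:
        print(user, cls, chan, "->", decide(POLICY, user, cls, chan))
```

The two inputs this engine depends on are exactly the ones the paragraph above says a DLP package must be fed: the data class of the file (from discovery and classification) and the user's roles (from access rights management). Get either of those wrong and the best template in the world produces the wrong decision.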

The Best Tools to Protect Data at Rest

In practice, the functions described above, data discovery and classification, access rights review, file integrity monitoring, exfiltration controls, and policy templates, are bundled together in data loss prevention packages, so that is the category of tool to look at.

Our methodology for selecting a security tool for data at rest  

We reviewed the market for data loss prevention systems and analyzed tools based on the following criteria:

  • A system that includes data discovery and classification
  • A service that will reorganize and tighten access rights and user accounts
  • A library of security policies that provide compliance to data privacy standards
  • File integrity monitoring, possibly with file encryption included
  • Graded controls over data exfiltration points
  • An opportunity to assess the system for free
  • Value for money from a tool that provides all DLP functions in one package and possibly also includes threat detection services

With these selection criteria in mind, we have created a list of suitable DLP packages.

Here is our list of the five best systems to protect data at rest:

  1. ManageEngine Endpoint DLP Plus EDITOR’S CHOICE This on-premises software implements data discovery and classification to find the files that your business should be protecting. It then blocks direct access to those files through a containerization mechanism. Once protection is in place, the system will allow access to file contents only to specified trusted applications. You set up the list of those permitted software packages in the settings of Endpoint DLP Plus. You should only list applications that themselves require user credentials for access; by this mechanism, data access activity can be traced to a specific user. This also provides insider threat monitoring and the detection of account takeover. Data movements are similarly controlled. Endpoint DLP Plus has a Free edition to monitor 25 computers. The software runs on Windows Server, and you can get the paid version on a 30-day free trial.
  2. Endpoint Protector This service combines a data loss prevention system with a threat detection service. The tool includes user and entity behavior analytics (UEBA) to detect account takeover, intrusion, and insider threats. In addition, the package consists of access rights management reorganization, sensitive data discovery, and classification, plus off-the-shelf security policy templates for data protection standards compliance. Other features in this solution offer data exfiltration channel control and a file integrity monitoring service that includes file encryption.
    The package is offered as a SaaS platform, as a cloud image for AWS, Google Cloud Platform, and Azure, or as a virtual appliance. Endpoint agents are available for Windows, macOS, and Linux. In addition, CoSoSys offers a demo of Endpoint Protector.
  3. Digital Guardian DLP This is a cloud-based service that implements controls through on-device agents available for Windows, macOS, and Linux. This package includes access rights management auditing, data discovery and classification, and pre-set security policies for data privacy standards compliance. This system searches for and protects intellectual property as well as PII. It controls activities on email systems, USB ports, and printers to block data movements.
  4. Teramind DLP A cloud platform with endpoint agents for Windows and macOS. Agents can also run on virtual machines. An on-premises version of the DLP server is also available as a virtual appliance. This package also includes employee productivity tracking, insider threat monitoring, and sensitive data discovery and classification that can scan document images for data. Exfiltration controls are also included.
  5. Azure Information Protection This is a service on the Azure platform, but it can also control data-related activities on other cloud platforms and at your own sites. Services include file copy tracking and document watermarking.