{"id":1586,"date":"2016-07-25T16:35:00","date_gmt":"2016-07-25T16:35:00","guid":{"rendered":"https:\/\/www.hln.com\/?p=1586"},"modified":"2024-04-05T06:00:45","modified_gmt":"2024-04-05T06:00:45","slug":"encrypting-data-at-rest-on-servers-what-does-it-get-you","status":"publish","type":"post","link":"https:\/\/www.hln.com\/encrypting-data-at-rest-on-servers-what-does-it-get-you\/","title":{"rendered":"Encrypting Data at Rest on Servers: What does it get you?"},"content":{"rendered":"<div id=\"themify_builder_content-1586\" data-postid=\"1586\" class=\"themify_builder_content themify_builder_content-1586 themify_builder\">\n    \t<!-- module_row -->\n\t<div   class=\"themify_builder_row module_row clearfix module_row_0 themify_builder_1586_row module_row_1586-0 tb_fzky614\">\n\t    \t    <div class=\"row_inner col_align_top\" >\n\t\t\t<div  class=\"module_column tb-column col-full first tb_1586_column module_column_0 module_column_1586-0-0 tb_tu41614\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_30u441    \">\n            <div  class=\"tb_text_wrap\">\n    <p>It is common practice today to encrypt data at rest, that is, data stored on servers. To build off an old adage, no one ever got fired for encrypting their data. But what protection does that really provide? Is just encrypting data enough?<\/p>\n<p>First, let\u2019s distinguish between three methods for encrypting data at rest.<\/p>\n<p><strong>Full-disk encryption.<\/strong> Most modern operating systems (like Linux or Windows Server) provide the capability to encrypt their disks in their entirety. This is accomplished with symmetric encryption whereby there is a key or passphrase that a computer operator has to enter when the disks are encrypted and when the system boots to allow access to the data. 
Typically, the passphrase must be manually entered on the physical server console, though some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation. With full-disk encryption, software installed on the server does not need to know or do anything special to operate normally: the operating system provides transparent access to the encrypted data as necessary with very little performance loss. But note that the initial encryption typically needs to be done on a new disk (or set of disks), as an existing disk will be wiped clean in the process. So it\u2019s easiest to do this during an initial deployment or migration to a new server.<\/p>\n<p><strong>File system encryption.<\/strong> Physical disks are typically divided into one or more <em>file systems<\/em> by the operating system.\u00a0 As an alternative to full-disk encryption, file system encryption allows administrators to encrypt only selected file systems (or even just selected folders within file systems). This makes it possible to configure a server that can boot without a passphrase, and then require a passphrase only after the system is up and running and needs to access its encrypted file systems.\u00a0 Similar to full-disk encryption, the encryption is transparently provided to applications by the operating system.\u00a0 Unlike full-disk encryption, developers and administrators need to be careful not to store sensitive files on non-encrypted file systems; that includes the copies that quietly end up in temporary directories, logs, backups, core dumps and swap.<\/p>\n<p><strong>Database encryption.<\/strong>\u00a0 Another way to encrypt data at rest is at the database level: the database software (Oracle, SQL Server) can encrypt the data files it manages itself, independently of the operating system. 
Like operating system level encryption, a key or passphrase is entered by an operator when the database starts up, after which all database operations access the encrypted data transparently (hence the name: Both Oracle and Microsoft SQL Server call the feature \u201cTransparent Data Encryption\u201d). For servers that may store sensitive data in files outside the database, this provides less protection than encrypting the entire file system, but likely protects the most sensitive data on the system.<\/p>\n<p>What kind of protection does encrypting data at rest really provide? Here are a few salient points:<\/p>\n<p><em>Benefits of Encrypting Data at Rest<\/em><\/p>\n<ul>\n<li>First and foremost, encrypting data at rest protects the organization from the <em>physical<\/em> theft of the file system storage devices (which is why end-user mobile devices from laptops to cell phones should always be encrypted). While this might sound unlikely, the physical disk devices are only as secure as the data center where they are located. While data center access control policy is usually quite strict, in practice it can be quite lax. Door entry can employ weak precautions (like old push-button unlock devices), and the proliferation of easily-swappable modular disks for quick maintenance makes removing a disk quite easy.<\/li>\n<li>Encrypting data at rest can protect the organization from unauthorized access to data when computer hardware is sent for repair or discarded.<\/li>\n<li>Encrypting data at rest can help to satisfy information security or regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).<\/li>\n<li>In some deployments, the actual file system where data resides is somewhat disconnected from the server upon which applications are loaded either through the use of a storage area network (SAN) or cloud-based storage. 
This introduces the possibility that an intruder could break into the storage subsystem but <em>not<\/em> the rest of the system. Encrypting the storage subsystem can protect against such attacks.<\/li>\n<\/ul>\n<p><em>Limitations of Encrypting Data at Rest<\/em><\/p>\n<ul>\n<li>Encryption of data at rest provides little protection against an intruder who gains remote privileged access to a running server on which the passphrase has already been entered: once the key is loaded, the operating system (or database) decrypts data for the intruder\u2019s processes just as transparently as it does for legitimate ones.<\/li>\n<li>Even more so, if the <em>applications<\/em> that access the encrypted files or databases (web applications, query systems) are not themselves secured, a hacker who penetrates one of these applications gains access to the data, whether it is encrypted or not.<\/li>\n<li>For database encryption, note that some database management systems only support data encryption in more advanced (read: more expensive) editions of the software.<\/li>\n<li>When full-disk encryption is enabled on a physical (non-virtualized) server, remember that an operator \u2013 a human being \u2013 will need to type the passphrase into a console whenever the system starts up. For database-level encryption, the passphrase will need to be entered when the database starts up. While this intervention increases the level of protection, it comes at the expense of convenience: systems cannot reboot automatically without the passphrase, or even without someone actually being in the server room, which is especially inconvenient if the system manager is not colocated with the hardware. File system encryption can mitigate some of these startup issues. 
And, of course, if that passphrase is ever lost, your data is encrypted forever: before the first production reboot, back up whatever unlocks the data (a recovery key, a key file or the database\u2019s encryption certificate) and store it separately from the server, under its own access controls.<\/li>\n<\/ul>\n<p><em>Special Considerations for Virtualized and Cloud-based Environments<\/em><\/p>\n<ul>\n<li>As mentioned, some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation for full-disk encryption \u2013 but be aware that there is often a tradeoff between convenience and security with automated solutions. For example, if a cloud provider keeps your passphrase and automatically provides it to the operating system at boot time, the level of security offered by the full-disk encryption solution is largely dependent on how securely the cloud provider manages the passphrase. Where a cloud key-management service holds the key, the effective boundary is whoever the provider\u2019s access policy allows to use that key, so review that policy as carefully as you would guard a passphrase.<\/li>\n<\/ul>\n<p>While encrypting data at rest can be a useful component in a data security toolbox, it must be implemented with a full understanding of the protection it does (and does not) provide. Organizations should consult with their vendors, data security staff, system staff, and application staff to determine an appropriate set of actions to secure institutional data.<\/p>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t    <\/div>\n\t    <!-- \/row_inner -->\n\t<\/div>\n\t<!-- \/module_row -->\n\t<\/div>\n","protected":false},"excerpt":{"rendered":"<p>It is common practice today to encrypt data at rest, that is, data stored on servers. To build off an old adage, no one ever got fired for encrypting their data. But what protection does that really provide? Is just encrypting data enough?<\/p>\n","protected":false},"author":4,"featured_media":1587,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[15,25,27],"tags":[36],"class_list":["post-1586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","category-planning","category-technology","tag-blog","has-post-title","has-post-date","has-post-category","has-post-tag","has-post-comment","has-post-author",""],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/posts\/1586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/comments?post=1586"}],"version-history":[{"count":2,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/posts\/1586\/revisions"}],"predecessor-version":[{"id":3508,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/posts\/1586\/revisions\/3508"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/media\/1587"}],"wp:attachment":[{"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/media?parent=1586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/categories?post=1586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hln.com\/wp-json\/wp\/v2\/tags?post=1586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
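The file system encryption paragraph in the post above warns administrators not to store sensitive files on non-encrypted file systems. The following is an added example, not code from the original post or from HLN: a small Python check for a Linux host that uses dm-crypt/LUKS. It reads the device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux) prints, marks each mount point as encrypted when a device of type `crypt` sits above it in the tree, and then resolves an arbitrary path to the mount point that holds it, so it goes slightly beyond the post by answering "is this specific file on encrypted storage?" rather than only "is this file system encrypted?". The embedded lsblk output is constructed for the example; only the `live_lsblk_json` helper touches the real host, and the function names are this example's own.

```python
"""Is a given path stored on a dm-crypt (LUKS) backed file system?

Added example: parses `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output. A mount
point counts as encrypted when any ancestor device in the tree has type "crypt".
"""
import json
import subprocess

# Constructed sample of lsblk JSON output (not captured from a real host):
# / is on a plain partition, /srv/data is an ext4 file system inside a LUKS
# container opened as data_crypt, /var/lib/app is an unencrypted xfs volume.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "data_crypt", "type": "crypt", "fstype": "ext4",
           "mountpoint": "/srv/data"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/var/lib/app"}
     ]}
  ]
}
"""


def encrypted_mounts(lsblk_json):
    """Return {mountpoint: bool} for every mounted file system in the tree.

    The flag is True when the mounted device, or any device above it
    (partition, LVM volume, ...), is a dm-crypt mapping of type "crypt".
    """
    result = {}

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def mount_for_path(path, mounts):
    """Longest mount point that is a prefix of path on a directory boundary.

    "/srv/data" holds "/srv/data/x" but not "/srv/database"; "/" is the fallback.
    """
    best = None
    for mountpoint in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best):
                best = mountpoint
    return best


def path_is_encrypted(path, lsblk_json):
    """True if the file system holding path sits on top of a dm-crypt device."""
    mounts = encrypted_mounts(lsblk_json)
    mountpoint = mount_for_path(path, mounts)
    if mountpoint is None:
        raise ValueError("no mount point found for " + path)
    return mounts[mountpoint]


def live_lsblk_json():
    """Run lsblk on this host (Linux with util-linux) and return its JSON text."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_LSBLK_JSON for live_lsblk_json() to audit a real server.
    for p in ["/srv/data/customers.db", "/var/lib/app/cache.db", "/etc/passwd"]:
        state = "encrypted" if path_is_encrypted(p, SAMPLE_LSBLK_JSON) else "NOT encrypted"
        print(p, state)
```

Two caveats when using this on a real host: it only recognises dm-crypt, so a volume encrypted some other way (ZFS native encryption, fscrypt, eCryptfs, or encryption done below the OS in a SAN or cloud volume service) is reported as not encrypted and must be checked with that product's own tooling; and a True result says nothing about who can read the data right now, because, as the Limitations section above notes, a running system with the key loaded hands plaintext to any process that can open the file.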