
Data At-Rest Encryption

Statement

  • Citing one of the websites you joined in week 1:
    • discuss the need for data-at-rest encryption.
    • how it protects our data from being disclosed or destroyed
    • discuss a current product that provides such a service.

Answer

  • Data at rest is data in its persistent storage, as opposed to data in motion (on the network) or data in use (in memory); this data has several characteristics (Lutkevich, n.d.):
    • Hardly ever changed.
    • Access is infrequent.
    • May refer to archived data or old backups.
    • The organization must keep this data for regulatory or legal reasons.
    • Can be stored on a disk, in a database, on a mobile device, in cloud storage, etc.
  • Because it often holds the organization's accumulated records (customer data, financial history, backups), it is a valuable target for attackers.
  • Such data is easier to secure than data in motion or data in use, but it is still a challenge because it sits in one place for a long time and is copied into backups, snapshots and replicas.
  • One of the ways to secure data at rest is to encrypt it: even if a bad actor obtains the stored bytes, they cannot read or meaningfully alter them without the decryption key. This only holds if the key is kept separate from the data (a wallet, HSM or key management service) and if the attacker has not already gained access through a running application that holds the key.
  • Data At Rest encryption can help in the following scenarios (PhoenixNap, 2021):
    • Data Breach.
    • Data Loss due to devices being stolen or lost.
    • Inadvertent password sharing.
    • Accidental permission granting.
    • Data Leakage.
  • The main difference between encrypting data at rest and encrypting data in motion is that the former is encrypted once and may stay encrypted for years, so the key (and the history of any rotated keys) must be protected for the whole retention period; the latter is encrypted with a short-lived session key and decrypted as soon as it reaches its destination.
  • Types of Data at Rest Encryption (PhoenixNap, 2021):
    • Application-level encryption. The application encrypts the data before it is stored and decrypts it when needed; the key is managed by the application, so database administrators and the storage layer never see plaintext.
    • Database encryption. The database engine itself encrypts the entire database or selected parts of it (tablespaces, tables or columns), transparently to the applications that query it.
    • File system encryption. Selected files or directories are encrypted while the operating system files stay in the clear, so the system can boot normally; reading the encrypted files requires the decryption key.
    • Full disk encryption. The entire disk is encrypted and the key must be unlocked before boot (passphrase, smart card or TPM); it protects against offline access to a lost or stolen device, but once the machine is booted and unlocked every process sees plaintext.
  • Oracle (Transparent Data Encryption, TDE) and IBM Db2 (native encryption) both ship support for encryption of data at rest.
  • Oracle provides tablespace-level and column-level encryption. The default tablespace encryption algorithm is AES128 on Oracle Enterprise Edition systems. The data encryption keys are themselves protected by a master key held in an encryption wallet (keystore). An encryption wallet is a container used to store authentication and signing credentials, such as passwords, master keys, PKI private keys, certificates, and trusted certificates required by SSL/TLS (IBM, 2021).
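As an added example (not code from the source page, Oracle or IBM) of the application-level approach listed above, the Go program below encrypts one field with AES-256-GCM before it is written, keeps the key outside the stored record, and shows why a stolen copy of the data is useless without that key. The record ID, field value and key handling are constructed for illustration; a real deployment would fetch the key from a wallet or KMS rather than generate it in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// StoredRecord is what actually reaches the disk or database: the row key,
// a per-record nonce and the AES-GCM ciphertext (which carries its own
// 16-byte authentication tag). The data encryption key is deliberately not
// part of it; in production it would come from a wallet/KMS, never from the
// same storage as the ciphertext.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit data encryption key (AES-256).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one sensitive value before it is written to storage.
// The record ID is bound in as additional authenticated data (AAD), so a
// ciphertext copied into a different row will not decrypt.
func EncryptField(key []byte, id string, plaintext []byte) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return StoredRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptField recovers the value; it fails (tag mismatch) with the wrong key,
// a modified ciphertext, a modified nonce, or a ciphertext moved to another ID.
func DecryptField(key []byte, rec StoredRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value (not real data): a social security number field.
	rec, err := EncryptField(key, "emp-1001", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: id=%s nonce=%s ct=%s\n",
		rec.ID, hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))

	// Legitimate read path: the application holds the key.
	pt, err := DecryptField(key, rec)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Stolen disk / copied backup: the attacker has the bytes but not the key.
	otherKey, _ := NewKey()
	_, err = DecryptField(otherKey, rec)
	fmt.Println("wrong key:", err)

	// Attacker with write access swaps the ciphertext into another row.
	moved := rec
	moved.ID = "emp-2002"
	_, err = DecryptField(key, moved)
	fmt.Println("moved to another row:", err)
}
```

Run it with `go run`; the last two lines print an authentication failure, which is the property that makes a stolen backup unreadable and a ciphertext transplanted between rows detectable. The same key-separation idea is what the Oracle wallet described above provides for tablespace and column encryption: the master key lives in the keystore, not in the datafiles.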

References