What to think about when considering data-at-rest encryption
by John Grange
In the previous post in our security best-practices series we addressed data-in-flight encryption, what it means, and offered some tips for implementing it in your environment. Many compliance regulations require data-at-rest to be encrypted as well. Data-at-rest is the inactive data stored on your servers' disks: databases, files, backups, snapshots. Keys, access policies and audits are also critical, but encryption is the front line in protecting your data-at-rest.
Encrypting your data while it is at rest can be a much more complex and costly operation than encrypting data-in-flight. Depending on a number of factors, encrypting the data you store can require changes to physical hardware, adjustments to your application so it can work with an encrypted file system, and a process for managing the keys, since an encrypted disk whose key is lost is as good as wiped.
By 2017, two-thirds of all workloads will be processed in the cloud. Protecting that data is challenging because the popular cloud hosting platforms vary in their security practices, customization, and capabilities. Understanding your data footprint (what you store, where, and how sensitive it is) and the encryption options available for it is key to avoiding a costly data breach and meeting compliance regulations. Checking that a cloud hosting vendor offers compliance options that include encryption of data-at-rest is a good way to find a vendor with a strong orientation around security and compliance.
Here are a few things to consider when looking to encrypt your data-at-rest:
If possible, use Self-Encrypting Drives (SEDs)
An SED is a drive whose controller encrypts every block written to the media and decrypts every block read, with a key that never leaves the drive. SEDs are easy to deploy and invisible to users and applications. Because the encryption is done by dedicated hardware in the drive, throughput is essentially the same as for an unencrypted drive. SEDs cost more than ordinary drives, and two caveats apply. First, the encryption only protects you once locking has been enabled with an authentication key (TCG Opal or ATA Security): a drive that encrypts but has no locking configured, which is the factory state of most SEDs, hands its data to anyone who powers it up. Second, the protection covers the drive while it is powered off or locked; data on an unlocked drive in a running server is as exposed as on any other disk.
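The following POSIX shell script is an added example, not code from the original post or from any drive vendor. It enables locking on a TCG Opal SED with sedutil-cli and then checks the drive's `--query` output for the condition the caveat above describes: media encryption on but locking disabled. The device names, password handling, the exact `Name = Y` token layout of sedutil's output and the sample outputs are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the original post: enable locking on a TCG
# Opal self-encrypting drive and verify that it actually protects the data.
# Assumptions: sedutil-cli (Drive Trust Alliance) is installed, the drive
# supports Opal 2.0, the kernel was booted with libata.allow_tpm=1, and you
# run as root on scratch hardware first; a mistake here can lock you out of
# the drive. The password is visible in the process list while sedutil-cli
# runs, so do this from a trusted console, not a shared host.

# One-time setup: take ownership of the drive, enable locking range 0 (the
# whole device) and make it lock itself on power loss. From then on the
# drive only releases its media key after the password is presented.
sed_enable_locking() {
    dev=$1; pw=$2
    sedutil-cli --initialsetup "$pw" "$dev"
    sedutil-cli --enablelockingrange 0 "$pw" "$dev"
    sedutil-cli --setlockingrange 0 LK "$pw" "$dev"
}

# Unlock a data drive after boot (a boot drive needs the shadow-MBR
# pre-boot image instead: --setmbrenable on / --loadpbaimage).
sed_unlock() {
    dev=$1; pw=$2
    sedutil-cli --setlockingrange 0 RW "$pw" "$dev"
}

# Pure check: read `sedutil-cli --query DEV` output on stdin. MediaEncrypt = Y
# on its own means nothing, because a drive that encrypts but reports
# LockingEnabled = N hands the plaintext to whoever powers it up. The
# "Name = Y" token format is sedutil's as we know it and is assumed here;
# the sample outputs below are constructed, not captured from real drives.
sed_query_ok() {
    q=$(cat)
    rc=0
    for want in "MediaEncrypt = Y" "LockingSupported = Y" "LockingEnabled = Y"; do
        if ! printf '%s\n' "$q" | grep -q "$want"; then
            echo "FAIL missing '$want'"; rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "OK"
    return $rc
}

sed_verify() {
    sedutil-cli --query "$1" | sed_query_ok
}

SAMPLE_QUERY_LOCKED=$(cat <<'EOF'
/dev/sdb ATA SAMPLE SSD 1TB  FW01 S3RVE0000000001
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
EOF
)

# Factory state of most SEDs: encrypting, but nothing protects the key.
SAMPLE_QUERY_UNPROTECTED=$(cat <<'EOF'
/dev/sdc ATA SAMPLE SSD 1TB  FW01 S3RVE0000000002
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
EOF
)

case "${1:-}" in
    enable)   sed_enable_locking "$2" "$3" ;;
    unlock)   sed_unlock "$2" "$3" ;;
    verify)   sed_verify "$2" ;;
    selftest) printf '%s\n' "$SAMPLE_QUERY_LOCKED" | sed_query_ok
              printf '%s\n' "$SAMPLE_QUERY_UNPROTECTED" | sed_query_ok ;;
esac
```

Run `./sed.sh verify /dev/sdX` against every SED in a fleet before trusting the "hardware encrypted" checkbox in an audit; `selftest` exercises the check on the constructed samples without touching a drive.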
Choose software-based full-disk encryption wisely
There are countless full-disk encryption packages, and some are much better than others. Choose software from a vendor that is stable and will keep supporting the product. The solution should use industry-standard, publicly reviewed algorithms and modes (AES in XTS mode is the usual choice for disks) rather than proprietary ones, and it should provide key management: where the volume key lives, how it is backed up, and how it is rotated. If you need to encrypt data that is already in place, prefer an option that does not require re-partitioning the server (Microsoft's BitLocker, for example, needs a separate unencrypted system partition to boot from). Software-based full-disk encryption is a less expensive proposition than SEDs, but it costs CPU time (modest on processors with AES-NI, noticeable on older ones) and adds operational complexity, above all around unattended reboots, since someone or something has to supply the key at boot.
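As an added example, not code from the original post or from the cryptsetup project, the script below applies these selection criteria to LUKS, the standard Linux software full-disk encryption: it formats a volume with every parameter stated explicitly (standard cipher, key size, key derivation) and audits an existing volume's header against that policy, flagging the legacy LUKS1 format and weak settings. The policy values, device names and the sample `luksDump` outputs are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the original post: set up and audit LUKS2
# software full-disk encryption with cryptsetup on Linux.
# Assumptions: cryptsetup 2.x (LUKS2 support), root privileges for
# format/open/audit, and a local policy (our choice, adjust to yours) of
# aes-xts-plain64 with a 512-bit key (two 256-bit AES keys for XTS) and the
# argon2id PBKDF for the passphrase key slots.

POLICY_CIPHER="aes-xts-plain64"
POLICY_KEY_BITS=512
POLICY_PBKDF="argon2id"

# Format DEV as LUKS2 with every parameter stated explicitly instead of
# trusting distribution defaults. The passphrase is read from KEYFILE so it
# never shows up in the process list. DESTROYS all data on DEV.
luks_format_secure() {
    dev=$1; keyfile=$2
    cryptsetup luksFormat --type luks2 --batch-mode \
        --cipher "$POLICY_CIPHER" --key-size "$POLICY_KEY_BITS" \
        --pbkdf "$POLICY_PBKDF" --iter-time 2000 \
        --key-file "$keyfile" "$dev"
}

# Pure check: read `cryptsetup luksDump DEV` output on stdin, print one FAIL
# line per deviation from the policy and return 1, or print OK and return 0.
luks_check_dump() {
    dump=$(cat)
    rc=0
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    if [ "$version" != "2" ]; then
        echo "FAIL LUKS version '${version:-?}': LUKS1 supports only PBKDF2; convert with 'cryptsetup convert --type luks2 DEV'"
        return 1
    fi
    cipher=$(printf '%s\n' "$dump" | awk '/^[ \t]*cipher:/ { print $2; exit }')
    if [ "$cipher" != "$POLICY_CIPHER" ]; then
        echo "FAIL data cipher '$cipher' (policy: $POLICY_CIPHER)"; rc=1
    fi
    bits=$(printf '%s\n' "$dump" | awk '/^[ \t]*Key:/ { print $2; exit }')
    if [ "${bits:-0}" -lt "$POLICY_KEY_BITS" ]; then
        echo "FAIL key size '${bits:-?}' bits (policy: $POLICY_KEY_BITS)"; rc=1
    fi
    for kdf in $(printf '%s\n' "$dump" | awk '/^[ \t]*PBKDF:/ { print $2 }'); do
        if [ "$kdf" != "$POLICY_PBKDF" ]; then
            echo "FAIL keyslot PBKDF '$kdf' (policy: $POLICY_PBKDF)"; rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "OK"
    return $rc
}

luks_audit() {
    cryptsetup luksDump "$1" | luks_check_dump
}

# Constructed sample dumps, shaped like cryptsetup's output but not captured
# from a real device, so the check can be exercised without a block device.
SAMPLE_DUMP_OK=$(cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
EOF
)

SAMPLE_DUMP_WEAK=$(cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-cbc-essiv:sha256
Keyslots:
  0: luks2
        Key:        256 bits
        PBKDF:      pbkdf2
EOF
)

SAMPLE_DUMP_LUKS1=$(cat <<'EOF'
LUKS header information for /dev/sdb1
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
MK bits:        512
EOF
)

case "${1:-}" in
    format) luks_format_secure "$2" "$3" ;;
    audit)  luks_audit "$2" ;;
    selftest)
        printf '%s\n' "$SAMPLE_DUMP_OK"    | luks_check_dump
        printf '%s\n' "$SAMPLE_DUMP_WEAK"  | luks_check_dump
        printf '%s\n' "$SAMPLE_DUMP_LUKS1" | luks_check_dump ;;
esac
```

The audit is the part worth keeping around: volumes created years ago with then-default settings (LUKS1, PBKDF2, 256-bit keys) keep working silently, and `audit /dev/sdX` is how you find them before an auditor does. The format step deliberately passes `--key-file` rather than a passphrase on the command line, for the same process-list reason as above.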
Native solutions are your best bet
Native solutions are implementations of encryption that are built into a system. An SED is a native solution in that the encryption is built into the disk itself, which is why SEDs perform well and are simple to deploy. There are also encryption options that are a component of the file system your operating system uses: NTFS (Windows) has EFS and ext4 (Linux) has per-directory encryption (fscrypt), though both need additional tooling to manage keys and to decide which directories are protected. Encrypting and decrypting data as it is written and read always creates some overhead, and the closer to the actual disk that work happens, the less it costs.