Securing data at rest vs. data in transit


Kevin Beaver, CISSP
08.18.2005


What you will learn from this tip: The often misunderstood issue of encrypting data in transit versus data at rest. Kevin Beaver explains why data in transit is not the top security risk and offers advice on how to focus your time, money and effort.

Data in transit -- especially data traversing the Internet -- is not the big security risk it's made out to be. However, it seems that most organizations and security product vendors are still focused on securing data as it travels across the wire. I often hear things like, "we're using transport layer security (TLS) on our e-mail gateway so everything's encrypted and safe as it goes across the Internet" and "our Web site is highly secure because it uses 128-bit encryption when clients connect to it." It won't hurt to secure these types of communications if you desire, but it's not the best way to lock down your organization's crown jewels.

From a hacker's point of view, data at rest -- the data in your databases and file systems stored on your NAS, SAN and file servers -- is what's much more attractive. It's where the "money" is -- that is, credit cards, social security numbers, intellectual property, financial information and so on. The things we can't afford to lose are what the malicious hackers and rogue employees are trying to take from us.

The belief that you must secure data in transit in order to be secure likely predates Ethernet switches, when it was much easier for someone with prying eyes to capture all network traffic with a network analyzer (a.k.a. sniffer). Nowadays, it's really not that easy to sniff traffic off the wire. It takes the right expertise and physical access to the network -- usually the computer room or wiring closet where the backbone Ethernet switches are installed.

Don't get me wrong, data in transit is certainly not without its vulnerabilities, and network managers who want to encrypt internal network traffic are not crazy, especially if they want to get a percentage point or two closer to "guaranteed" security. Attackers can convert Ethernet switches into hubs via address resolution protocol (ARP) spoofing/poisoning attacks by running a program such as dsniff or ettercap. This allows them to plug in a sniffer anywhere on the network (not just directly into a switch) and see all traffic with ease. I suppose there's also the highly unlikely chance an attacker will break in and install a sniffer and glean network traffic remotely.

But even with these risks, those types of hacks are simply not happening enough for this to be at the top of your security priority list. The bad guys are going to go down the path of least resistance to get to their destination and that certainly isn't sniffing network traffic.

For whatever reasons (most likely resistance to change, added system complexity, fear of a drain in server processing power and costs involved), we're not seeing much of a shift in our way of thinking. There is still a hugely disproportionate amount of effort being placed on preventing that once-in-a-blue-moon occurrence compared to common sense security protecting data at rest.

Given the insecure configurations of Web applications, operating systems and networks in general, it's a lot easier for the bad guys to gain access to data at rest than to obtain access to the network long enough to install and run a sniffer. On top of that, an attacker would have to capture enough packets, sift through the contents and hope that the right packets were captured at the right time to find that proverbial needle in the haystack. He or she would certainly see a ton of non-confidential packets that wouldn't really matter.

But wait! Let's step back and look at the bigger picture here. If you've got a person inside your building -- either electronically via a remote hack or physically due to poor physical security -- you've got a much bigger security problem on your hands!

Focus your efforts and spend your money on security controls that will have the greatest impact. Some safeguards to consider for protecting your data at rest are database encryption (think third-party encryption appliances, add-on software, SQL Server 2005, etc.), host-based IPS, whole-drive encryption for laptops or other physically insecure systems, as well as common sense file access controls on shared data.

Try to look at what matters from a real-world perspective (this is happening all the time) rather than from a theoretical perspective (well, this could possibly happen if the stars are properly aligned). Perform a mini-risk analysis in your mind -- ask yourself what the chances are of someone accessing and gleaning your organization's sensitive data in transit versus hacking a Web application, gaining direct database access or simply performing a text-based search for the good stuff directly off your hard drives. The chances of the latter happening are much greater.
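One way to act on that mini-risk analysis is to run the same kind of text-based search the tip warns about yourself, before anyone else does, and pair it with a check of the file access controls it recommends. The script below is an added example, not from the original tip: it walks a directory tree, flags files that are readable by every local account, and reports Luhn-valid card numbers found in plaintext. The sample files it audits are constructed in a temporary directory; the card number is the standard 4111... test value.

```python
import os
import re
import tempfile
from pathlib import Path

# Candidate 13-19 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    # Luhn checksum filters most random digit runs (order ids, phone numbers) out.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    # Return Luhn-valid card-like numbers found in text, digits only.
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_tree(root: str) -> dict[str, dict]:
    """Map relative path -> findings for files that are world-readable or hold card data."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        world_readable = bool(path.stat().st_mode & 0o004)  # "other" read bit
        cards = find_card_numbers(path.read_text(errors="ignore"))
        if world_readable or cards:
            findings[path.relative_to(root).as_posix()] = {
                "world_readable": world_readable, "cards": cards}
    return findings


def demo() -> dict[str, dict]:
    """Constructed sample: a world-readable export holding a test card number, plus a locked-down notes file."""
    root = tempfile.mkdtemp()
    export = Path(root, "exports", "customers.csv")
    export.parent.mkdir()
    export.write_text("id,name,card\n1,Alice,4111 1111 1111 1111\n")
    os.chmod(export, 0o644)  # readable by every local account: the path of least resistance
    notes = Path(root, "notes.txt")
    notes.write_text("order 1234567890123 shipped\n")  # 13 digits, fails Luhn, not flagged
    os.chmod(notes, 0o600)
    return audit_tree(root)
```

Run `demo()` to see the export flagged on both counts while the notes file stays quiet; point `audit_tree()` at a real share to get the same report for your own data at rest.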


About the author: Kevin Beaver is an independent information security advisor with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.

