Concerns about Data at Rest

Because of its nature, Data at Rest is of increasing concern to businesses, government agencies and other institutions.[2] Mobile devices are often subject to specific security protocols to protect Data at Rest from unauthorised access when lost or stolen,[5] and there is an increasing recognition that database management systems and file servers should also be considered as at risk;[6] the longer data is left unused in storage, the more likely it is to be retrieved by unauthorised individuals outside the network.
Protecting Data at Rest - Encryption
Data encryption, which prevents data visibility in the event of unauthorised access or theft, is commonly used to protect Data in Motion and is increasingly recognised as an optimal method for protecting Data at Rest.[7]
The encryption of data at rest should use only strong cryptographic methods such as AES, RSA, and SHA-256. Encrypted data should remain encrypted when access controls such as usernames and passwords fail. Encrypting at multiple levels is recommended: cryptography can be implemented on the database housing the data and on the physical storage where the databases are stored. Data encryption keys should be updated on a regular basis. Encryption keys should be stored separately from the data. Periodic auditing of sensitive data should be part of policy and should occur on a schedule. Finally, store only the minimum amount of sensitive data possible.[8]
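The two key-handling recommendations above (update keys regularly, store keys apart from the data) can be met together with envelope encryption. The following Go sketch is an added example, not part of the original article: the `Key` type, the `Rewrap` function and the nonce-prefixed layout are assumptions made for illustration, and it narrows the topic to rotating a key-encryption key (KEK) that wraps a per-record data key (DEK).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Key is a 256-bit AES key; the fixed size rules out key-length errors.
type Key [32]byte

func (k Key) aead() cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: the key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)  // cannot fail: AES has a 16-byte block
	return gcm
}

// Seal encrypts with AES-256-GCM under a fresh random nonce, which it prepends.
func (k Key) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead().Seal(nonce, nonce, plain, nil), nil
}

// Open authenticates and decrypts; a wrong key or tampering returns an error.
func (k Key) Open(sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return k.aead().Open(nil, sealed[:12], sealed[12:], nil)
}

// Rewrap rotates the KEK: only the wrapped DEK changes, not the stored data.
func Rewrap(oldKEK, newKEK Key, wrappedDEK []byte) ([]byte, error) {
	dek, err := oldKEK.Open(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return newKEK.Seal(dek)
}

func main() {
	oldKEK, newKEK, dek := Key{1}, Key{2}, Key{3} // constructed demo keys only
	wrapped, _ := oldKEK.Seal(dek[:])
	rotated, err := Rewrap(oldKEK, newKEK, wrapped)
	fmt.Println(len(rotated), err)
}
```

The data store would hold only the wrapped DEK and the ciphertext sealed under that DEK, while the KEK stays in a separate key store; after rotation the old KEK can be retired because it no longer opens the wrapped DEK.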
Protecting Data at Rest - Federation
A further method of preventing unwanted access to Data at Rest is the use of Data Federation,[9] especially when data is distributed globally (e.g. in off-shore archives). An example of this would be a European organisation which stores its archived data off-site in the USA. Under the terms of the USA PATRIOT Act[10] the American authorities can demand access to all data physically stored within its boundaries, even if it includes personal information on European citizens with no connections to the USA. Data encryption alone cannot be used to prevent this, as the authorities have the right to demand decrypted information. A Data Federation policy which retains personal citizen information with no foreign connections within its country of origin (separate from information which is either not personal or is relevant to off-shore authorities) is one option to address this concern.
