AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

What Is Data At Rest Encryption? (Updated)

Data-at-rest encryption means protecting data that is not moving through a network. The protection in this case is provided by encryption.

The easiest way to answer this question is to explain what "data at rest" means.

Data at rest refers to data that is not "moving." For example, information on your laptop is considered data at rest. Sure, your laptop is a mobile device, so it's natural that the laptop and its contents will be moving at some point. However, as long as the data is not moving off the laptop's hard disk drive, it's considered data at rest.

If you copy the data to a USB memory stick, then you've got two sets of data at rest: one on the laptop's hard disk, one on the USB memory stick. 

Conversely, data moving through a network is not considered data at rest. For example, if you send an e-mail, that's not data at rest. If the e-mail is received and archived, then it's data at rest.

As you can see from the above example, whether data is at rest or not depends on what that data is doing.

Why the classification?

Not quite sure why data is classified as at rest or otherwise (updated 24 May 2011: see the next section). It may be because, depending on what type of encryption you use, your data may not be adequately protected.

Take full disk encryption as an example. Full disk encryption encrypts the hard drive completely: anything saved on an encrypted hard drive will be protected automatically... as long as it resides on the drive.

To clarify that last point, if you copy a file off the encrypted hard drive or e-mail it to someone, that copy will not be encrypted anymore. The original left behind will still be protected, since it's still on the hard drive; however, the copy that left the drive will not be.

If you will, it's like paper documents: a classified report placed in a locked vault is protected.  Take it out and it's not so much.

If you'd like encryption that moves with the file, you need to use file encryption software.

So, depending on whether your data is at rest or not, you'll need to invest in the right type of encryption software.
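The difference between the two kinds of protection is easier to see in code. The following Go program is an added illustration written for this post, not AlertBoot's software: `FDEDisk` stands in for a full-disk-encrypted laptop drive that decrypts transparently on every read, while `EncryptFile` and `DecryptFile` stand in for file encryption whose protection travels with the bytes. The `Storage` map, the file names and the sample report content are all constructed for the demonstration, and the model simplifies real full disk encryption, which works on disk sectors rather than on named files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Storage models one place data can rest (laptop disk, USB stick, mail archive).
type Storage map[string][]byte

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128/192/256 chosen by key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is file-level encryption: the result (nonce || AES-GCM ciphertext || tag)
// stays protected wherever it is copied. The file name is bound as associated data.
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag right after the nonce in one slice.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFile fails on a wrong key, a changed file name or a single flipped bit.
func DecryptFile(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// FDEDisk models full disk encryption: the disk key encrypts every write and
// transparently decrypts every read, so the protection belongs to the disk, not the file.
type FDEDisk struct {
	key   []byte
	media Storage
}

func (d *FDEDisk) Write(name string, data []byte) error {
	blob, err := EncryptFile(d.key, name, data)
	d.media[name] = blob
	return err
}

// Read returns plaintext to any caller that can reach the mounted disk.
func (d *FDEDisk) Read(name string) ([]byte, error) {
	return DecryptFile(d.key, name, d.media[name])
}

// CopyOffFDEDisk copies a file the way an ordinary OS copy does: through the
// transparent read path, so what lands on the destination is plaintext.
func CopyOffFDEDisk(disk *FDEDisk, dst Storage, name string) error {
	data, err := disk.Read(name)
	if err != nil {
		return err
	}
	dst[name] = data
	return nil
}

func main() {
	key := make([]byte, 32) // demo key; real deployments keep disk and file keys separate
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	report := []byte("constructed sample: quarterly patient roster") // constructed content
	disk := &FDEDisk{key: key, media: Storage{}}
	usb := Storage{}
	if err := disk.Write("report.txt", report); err != nil {
		panic(err)
	}
	if err := CopyOffFDEDisk(disk, usb, "report.txt"); err != nil {
		panic(err)
	}
	fmt.Println("copy off FDE disk readable without key:", bytes.Equal(usb["report.txt"], report))
	blob, err := EncryptFile(key, "report.txt", report)
	if err != nil {
		panic(err)
	}
	usb["report-encrypted.txt"] = blob // a file-level blob copied as-is stays encrypted
	fmt.Println("file-encrypted copy readable without key:", bytes.Equal(blob, report))
}
```

Running it prints `true` for the copy taken off the FDE disk and `false` for the file-encrypted copy: the first is exactly the situation the paragraph above describes, where the bytes that leave the drive are no longer protected. Binding the file name as GCM associated data is a design choice so that a blob cannot be silently presented under a different name; an attempt to decrypt it under another name, with another key, or after any modification returns an error rather than garbage.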

Data at Rest: That's What NIST Calls It

Eureka (I have found it)! While I still don't know where the term "data at rest encryption" came from, it seems that it is terminology used by NIST. The Department of Health and Human Services, which is charged with implementing the Breach Notification Rule under HITECH, has this to say (emphases mine):

We also received several comments asking for clarification and additional detail regarding the forms of information and the specific devices and protocols described in the guidance. As a result, we provide clarification regarding the forms of information addressed in the National Institute of Standards and Technology (NIST) publications referenced in the guidance.

We clarify that "data in motion" includes data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange, while "data at rest" includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method.

"Data in use" includes data in the process of being created, retrieved, updated, or deleted, and "data disposed" includes discarded paper records or recycled electronic media. [Breach Notification for Unsecured Protected Health Information; Interim Final Rule -- Federal Register Vol. 74, No. 162]

And this as well, in an earlier publication:

Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: "data in motion" (i.e., data that is moving through a network, including wireless transmission); "data at rest" (i.e., data that resides in databases, file systems, and other structured storage methods); "data in use" (i.e., data in the process of being created, retrieved, updated, or deleted); or "data disposed" (e.g., discarded paper records or recycled electronic media). PHI in each of these data states (with the possible exception of "data in use") may be secured using one or more methods. In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction. [Federal Register Vol. 74, No. 79]

That's right: encryption and destruction. Of the two, only one is useful when you need to reference data, again and again.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.