Mar 27 2008

Secure Storage

Sensitive data at rest is the most vulnerable data of all. Experts share their suggestions on how and where to protect it.

When a contractor lost a CD containing records of nearly 3 million recipients of its health-care services last April, the Georgia Department of Community Health launched a security crackdown for employees and contractors.

"An employee of the contractor handling the CD full of protected health information violated the policies and procedures that we had reviewed and approved at the time of contracting -- policies that included full encryption of individuals' health information in transit or at rest," says Ruth Carr, security and compliance officer for the Georgia Department of Community Health.

Losses and breaches exposing huge stores of data are occurring all over government systems. As a result, state and local organizations are beginning to mandate best practices in encryption, access control and protection around data at rest.

"Any time data is stored on any device or media, such as a notebook computer, PDA, USB drive, external-storage drive, or backup tape, it is considered to be 'at rest,'" says Larry Ponemon, chair and founder of the Ponemon Institute, a research group in Traverse City, Mich.

Assuming the basic PC security measures are in place, what more can you do? State IT leaders offer targeted advice for securing sensitive data residing in databases, on end-points and in storage.


Databases have long been considered rich targets for human-resource records and citizen account information that can be used for profit. Bernard C. Soriano, deputy director and CIO for the California Department of Motor Vehicles in Sacramento, is acutely aware of this challenge.

"We collect and store several different data types, all very personal to our customers," says Soriano. "And we take very seriously our responsibility to secure and protect that data. In addition, we are continually being tasked, through legislation, to expand the data sets. An example of this is the Real ID Act [of 2005], which calls for the collection of data and images of several documents, including birth certificates."

Basic best practices for securing data in databases include identifying the data that needs protection, and controlling and monitoring access to that data, the latter of which is critical for compliance audit reports, Soriano says. His agency, which includes 600 IT staff, guards the safety, security and integrity of vehicle-licensing and citizen ID data through a combination of customized programming, commercial security tools and tools native to California DMV's database-management systems.

Strong access controls -- those that involve regularly changed alphanumeric passwords -- are hard for employees to grasp, says the Georgia Department of Community Health's Carr. She suggests teaching users how to develop and remember complex passwords that sound like phrases -- and to prepare them for the eventuality of multifactor authentication. Her agency's best practices include security training for employees and contractors, as well as bringing together a privacy oversight group made up of representatives from various business units.

Encrypting sensitive data inside the database, whether achieved via full database encryption or by identifying and encrypting sensitive fields, is another necessity, Soriano adds. His agency parses data so that only public portions are available and private portions (full names, Social Security numbers, account numbers, addresses and other identifiers) are scrambled and encrypted to such an extent that they can't be located and put back together. This is accomplished through an elaborate system using different encryption packages and customized management tools.


Secure end-point management is another best practice that applies to protecting data in databases, and of course on the end-points themselves, says Walter Wilson, assistant director, network security services for the State of Texas Department of Information Resources (DIR). A variety of commercial network access control (NAC) end-point management tools by Check Point Software Technologies, Cisco Systems, Enterasys Networks, Hewlett Packard, Juniper Networks, McAfee, Symantec and others enable this level of end-point management by checking the integrity of a computer against basic security rules before granting access. If systems don't pass inspection, they're denied access and directed to a remediation site.

"For end-points, you need strong access controls, and you've got to protect the end-points by remotely managing them," Wilson says. "You also need full-disk encryption to protect mobile devices because [notebooks] are disappearing like crazy."

About half of the state government-related security breaches reported in the first two months of the year involved lost or stolen notebooks, according to figures from the Privacy Rights Clearinghouse. And encryption vendor Utimaco Safeware reports a notebook computer goes missing every 12 seconds.

The only sure protection for data on these devices is a secure boot with full-disk encryption, adds Carr. Others, including Wilson, agree. But Wilson notes that all of these encryption applications start adding up.

"You can encrypt anything. Encryption's gotten cheap," he says, citing the enterprise licensing rate of $28 for using encryption by PGP, which is one of the options his agency is considering for full-disk encryption on its notebooks later this year. "The problem is managing all the keys."


One option is encrypting everything using backup-software encryption, entire-device encryption and tape-library encryption, says Jeff Boles, an analyst with the Taneja Group in Hopkinton, Mass.

Wilson is right about the difficulty of managing keys for so many encrypted applications, Boles says, adding, "When you're encrypting data at the device level, all of a sudden you're handling all these storage keys."

In a large organization, keys for data at rest in applications across departments -- combined with keys for encrypting data over a virtual private network (VPN), in e-mail and elsewhere in transit -- can add up to more than a hundred proprietary key sets that need to be managed, says Gordon Arnold, an IBM strategist for security and storage in Cary, N.C. This makes a strong argument for centralized key management.

"Metadata associated with the keys should also be centrally managed, especially to provide audit trails and compliance reports around encryption practices," Arnold adds. "You'll also want to integrate security and policy management with encryption-key management over time."

Tivoli Identity Manager, Access Manager and Compliance Insight Manager support these functions. Along with support for a dozen third-party keys and plans to support more key types, these tools also include management of the archiving and destruction of stored data, which Soriano, Wilson and Carr all say should be another best practice for protecting data.

"You need a consistent set of rules to manage the data retention period," Arnold says. "If your retention rule is three years for a certain type of data, you need to ensure that the data's going away when it should. And if there's a lawsuit I need to respond to, I need to make sure I put a legal hold only on those records germane to the case, and nothing more."
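A minimal model of the retention rule Arnold describes, as an added example that is not code from the article or from any product it mentions: each data type has a retention period, expired records are purged, and a legal hold keeps only the records named as germane to a case. The policy table, record ids, dates and the "current" date are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: retention period in years per data type.
RETENTION_YEARS = {"tax_record": 3, "hr_record": 7}
TODAY = date(2008, 3, 27)  # constructed "current" date for the purge run

@dataclass
class Record:
    record_id: str
    data_type: str
    created: date
    holds: set = field(default_factory=set)  # case ids holding this record

def expiry_date(rec):
    years = RETENTION_YEARS[rec.data_type]
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created on Feb 29 and target year has no Feb 29
        return rec.created.replace(year=rec.created.year + years, day=28)

def apply_legal_hold(records, case_id, germane_ids):
    """Hold only the records germane to the case, and nothing more."""
    for rec in records:
        if rec.record_id in germane_ids:
            rec.holds.add(case_id)

def release_legal_hold(records, case_id):
    for rec in records:
        rec.holds.discard(case_id)

def purge_expired(records, today):
    """Return (remaining, purged_ids). An expired record is purged unless
    a legal hold names it; a held record waits until every hold is released."""
    remaining, purged = [], []
    for rec in records:
        if expiry_date(rec) <= today and not rec.holds:
            purged.append(rec.record_id)
        else:
            remaining.append(rec)
    return remaining, purged

def sample_records():  # constructed sample data
    return [Record("T-1", "tax_record", date(2004, 6, 1)),
            Record("T-2", "tax_record", date(2006, 1, 10)),
            Record("H-1", "hr_record", date(2004, 6, 1)),
            Record("T-3", "tax_record", date(2004, 2, 29))]
```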

Everywhere Else

Don't overlook data on portable media, on paper, in copy memory caches and elsewhere in your data-protection practices, say Arnold, Wilson and Carr. Papers stolen from the Colorado Board of Dental Examiners in December contained sensitive information on more than 100 dentists and their patients.

"The real key for implementing best practices is getting everybody on board," says Carr. "We aim to get our staff, our contractors and executives to care about data security by making it personal to them. Then they all help the mission a great deal."

It's the Law

State bills are mandating best practices for securing data at rest. Most put management for these best practices into the hands of the state information technology agencies, making them a good resource to reach out to when building your security best practices around data at rest.

  • Data classification: State of Arkansas, SS-70-001 Data and System Security Classification Standard, provides a framework through which Arkansas state agencies can classify data and systems.
  • Encryption: Arizona's House Bill 2785 mandates encryption of privacy-protected data at state agencies, managed through the Arizona Government Information Technology Agency.
  • Access controls: Texas House Bill 3112 mandated the Texas Department of Information Resources (DIR) to conduct a user-access control study and develop recommendations for Texas state agencies. The resulting study contains a three-layer access classification pyramid and a breakdown of rules to apply to specific user types (authorized, authorized with privileged access, nonemployee users, business partners, remote users and unauthorized users).

Smart Security Strategies

Wherever data at rest is located, a core set of standard best practices applies.

  • Data classification;
  • Encryption and key management;
  • Access controls and security on end-points;
  • Safe handling and destruction of physical media and paper-based data;
  • Training, rules and enforcement.

Each best practice might not apply to each location. For example, data classification is irrelevant in the case of storage where experts recommend full-device encryption. But in the case of data on end-points and in databases, data classification is a critical first step in deciding what to encrypt, what level of access controls to deploy, and what further controls are needed to ensure the integrity of end-points before granting access.

A Sampling of Incidents

Improper Exposure

Jan. 4, 2008

Maryland Department of Assessments & Taxation, Baltimore

The organization's Web site may have exposed Social Security numbers because the system did not have the necessary certificate to encrypt the information before it was sent out over the Internet. Roughly 900 people used the system that day to apply for property tax exemptions.

Accidental Disclosure

Jan. 8, 2008

Wisconsin Department of Health and Family Services, Madison, Wisc.

A contract vendor mistakenly printed Social Security numbers on 260,000 informational brochures sent to recipients of Medicaid, SeniorCare and BadgerCare programs.

Stolen PC

Feb. 15, 2008

Los Angeles Department of Water & Power, Fullerton, Calif.

A computer containing the personal information of all 8,300 employees of the municipal utility was stolen from an outside vendor. The data included names, Social Security numbers, dates of birth, employee identification numbers, salaries and deferred-compensation balances.

Pilfered Paperwork

Feb. 25, 2008

Mecklenburg County, Charlotte, N.C.

A county employee's vehicle was stolen. The trunk of the car housed a printout of bank-draft transactions by the Park and Recreation Department, which didn't turn up when the car was recovered. The affected transactions (rumored to number 400) were from January, February and June 2006.