Data at Rest Encryption
Data at rest is the term used in information technology for inactive data that is physically stored by any digital mechanism, including database tools such as spreadsheets, data warehouses, mobile devices, tapes, archives, and off-site backups, among others. Data at rest encryption, in turn, refers to the protection of that inactive data using network tools. Data at rest encryption addresses the key security needs of a particular enterprise's Storage Area Network (SAN). For many years, SANs have been the backbone framework that ensures an enterprise gets all the information it needs from its data centers. Traditionally, SANs have been considered physically secure because they sit in physically isolated and closed locations within organizations' data centers. Relying on that physical isolation of the data network, however, can lead to critical security breaches through unauthorized access and unauthorized hosts, which raise potential security risks. The encryption of data at rest has improved over the years with modern technological advances. This progress has led to the adoption of technologies such as server virtualization and virtual or physical servers in organizations' data centers. These technologies, together with acquisitions and mergers, have driven the growth of data centers and thereby increased security and safety concerns.
This research paper aims to demonstrate various aspects of data at rest encryption, with particular attention to the security techniques of the SAN environment, given its increasing use in carrying out the IT operations of an enterprise. Such techniques address the major security threats encountered in IT storage administration and include LUN masking and zoning. In addition, the paper discusses how encrypting data on various media devices helps address the security risks faced by SANs. The paper also highlights alternative approaches to data at rest encryption as well as the future challenges of the security posture adopted by modern data centers.
Security breaches of a SAN are very expensive, since recovery charges alone can run into millions of dollars. In this regard, several states in the U.S. have enacted data privacy legislation with provisions that an organization need not report cases in which the breached data was encrypted. This stems from several challenges arising from emerging business approaches and practices, as well as from regulatory compliance. As such, deciding on data at rest encryption requires a solid understanding of the potential threats and the source of any vulnerability. The best example of data at rest is the information stored on a laptop. Even though the laptop itself is a movable device, the information stored on it is regarded as data at rest, especially when it remains on the hard disk drives or on USB memory sticks. By contrast, data being transferred through networks, such as information sent via email, is not considered data at rest.
The strategic development of a SAN requires data administrators to understand the key vulnerabilities of the storage devices, as well as the potential risks and threats that may arise. For example, potential threats include unintentional errors, malicious attacks by rogue users and hackers, and unauthorized access through which data privacy may be infringed. Authorized users such as system administrators, employees, and database administrators may also access the company's confidential or sensitive data if it is not encrypted. As such, various techniques are adopted to control unintentional errors by authorized users, including virtual fabrics, zoning, LUN masking, Access Control Lists (ACLs), and switch authentication strategies. Such techniques simplify the security enhancement of data, especially against potential threats caused by authorized users.
Data at rest administration involves integrating diverse products into a business solution that protects the information in the SAN from any unauthorized access. It involves linking together all aspects of administration to achieve the security objectives: hardware, software, corporate policies, networks, users, and the surrounding business environment. Networking is part of system administration. In the business sense it refers to the process of forming business connections and contacts through informal social meetings; in data computing, it refers to the interconnection of two or more networks in two or more places. Networking is a potential medium through which data encryption is enhanced, using protection solutions that control the movement of data from the storage infrastructure to the users. It is the practice of linking computing devices with hardware and software so that data communications can flow across those devices. The data administrator, in turn, is the person responsible for maintaining the data storage systems and for all activities in the storage area network, including updating, inserting, and deleting data. The administrator is also responsible for installing, upgrading, and maintaining the security solutions in the SAN to avoid potential data loss or any other threat that may occur, as well as for backing up the servers and securing server data from unauthorized access.
In addition, the administrator applies various standards in data at rest encryption, including maintaining and securing the system and defining account creation and removal procedures. The standards for systems administration cover solution operations such as incident management, exception handling, data integrity, and change request management. Others include upgrades, cause analysis, eSOA readiness, remote affordability, change control management, solution documentation, and finally business process and interface monitoring. During data encryption, it is the administrators' job to carry out procedures that prevent the spread of viruses and to allocate space for mass storage.
There are various techniques used to enhance or standardize SAN security. One is the use of Fibre Channel adapters that help ensure data authentication using security protocols. This technique provides a reliable security framework, including safe protocols that enhance SAN security by authenticating the various devices, securing data exchange, and securing communication between SAN systems and devices. In other words, Fibre Channel helps protect the data transiting the network. Another security technique is the Challenge Handshake Authentication Protocol (CHAP), which provides a supporting framework for both host-to-switch and switch-to-switch authentication. The technique uses secret-based authentication with CHAP algorithms, in which every entity is provided with secret authentication details and is identified by a unique name. Various software solutions have been developed that expose these authentication features to end users and provide data center administrators with relevant information about securing the enterprise's data. This enforces effective authentication between the switches and hosts connected across the storage area network.
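The CHAP exchange described above, as an added illustration in Go (not code from the paper or from any Fibre Channel vendor): an RFC 1994 style challenge-response in which the authenticator recomputes MD5 over the identifier, the shared secret and the challenge, so the secret itself never crosses the wire. The entity names and secrets are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Each host or switch is identified by a unique name and shares a secret with the
// authenticator. The names and secrets here are constructed for the example.
var chapSecrets = map[string][]byte{
	"host-01":  []byte("constructed-host-secret"),
	"switch-A": []byte("constructed-switch-secret"),
}

// NewChallenge returns a fresh random challenge; reusing one enables replay.
func NewChallenge(n int) ([]byte, error) {
	c := make([]byte, n)
	_, err := rand.Read(c)
	return c, err
}

// ChapResponse is the RFC 1994 response: MD5(Identifier || Secret || Challenge).
func ChapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// VerifyChap is the authenticator's side: look up the claimed name's secret,
// recompute the expected response and compare in constant time. The secret
// itself never crosses the wire.
func VerifyChap(name string, id byte, challenge, response []byte) bool {
	secret, ok := chapSecrets[name]
	if !ok {
		return false // unknown entity: reject, never fall back to a default secret
	}
	expected := ChapResponse(id, secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	challenge, err := NewChallenge(16)
	if err != nil {
		panic(err)
	}
	id := byte(0x2a)
	resp := ChapResponse(id, chapSecrets["host-01"], challenge) // computed by the host
	fmt.Println("host-01 accepted:", VerifyChap("host-01", id, challenge, resp))
	fmt.Println("same response under another name:", VerifyChap("switch-A", id, challenge, resp))
	fresh, _ := NewChallenge(16)
	fmt.Println("replayed against a fresh challenge:", VerifyChap("host-01", id, fresh, resp))
}
```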
Another technique that can be used in data at rest encryption is SAN information management software that limits access to data. Such solutions achieve this by segmenting and partitioning the storage resources to ensure that each individual is only granted access to the data of his or her department or group. For example, in the banking sector, data can be encrypted such that a teller cannot access data from the credit department and vice versa. The system provides access controls and limits access to the SAN through zoning techniques, which allow the data administrators to specify the communication channels of each group of devices. Zoning can simply be regarded as a concept for protecting SAN environments from malicious attacks, including access to the data in a protected resource. Zoning is a major technique used to secure data at rest in many organizations, since it can be accomplished easily with both software and hardware. In the modern world, the physical encryption of data at rest in a SAN addresses the major threats and risks faced when no security measures are adopted.
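To make the zoning and LUN masking controls named in this and the earlier paragraph concrete, here is an added Go policy check (not from the paper or from any SAN product) that grants a LUN only when the fabric zone and the array's mask both agree, using the paper's teller and credit-department example. All WWPNs, zone names and LUN numbers are constructed.

```go
package main

import "fmt"

// WWPN is a Fibre Channel World Wide Port Name; all values below are constructed.
type WWPN string

// Zone is a named set of ports the switch allows to talk to each other.
type Zone struct {
	Name    string
	Members []WWPN
}

// LUNMask is the array-side view: target port -> initiator -> LUNs it may see.
type LUNMask map[WWPN]map[WWPN]map[int]bool

// FabricPolicy combines switch-level zoning with array-level LUN masking.
type FabricPolicy struct {
	Zones []Zone
	Masks LUNMask
}

// InSameZone reports whether initiator and target share at least one zone.
func (p FabricPolicy) InSameZone(initiator, target WWPN) bool {
	for _, z := range p.Zones {
		hasInit, hasTgt := false, false
		for _, m := range z.Members {
			hasInit, hasTgt = hasInit || m == initiator, hasTgt || m == target
		}
		if hasInit && hasTgt {
			return true
		}
	}
	return false
}

// CanAccess grants a LUN only when both layers agree; the reason string names
// the layer that denied, which is what an audit log should record.
func (p FabricPolicy) CanAccess(initiator, target WWPN, lun int) (bool, string) {
	if !p.InSameZone(initiator, target) {
		return false, "denied by zoning"
	}
	if !p.Masks[target][initiator][lun] { // missing maps simply read as false
		return false, "denied by LUN masking"
	}
	return true, "allowed"
}

// Constructed bank example: teller and credit hosts are each zoned to the same
// array port, but masked so the teller sees only LUN 1 and credit only LUN 2.
const array, teller, credit, rogue WWPN = "50:06:01:60:aa:00:00:10",
	"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02", "10:00:00:00:c9:aa:00:03"

var bankPolicy = FabricPolicy{
	Zones: []Zone{{"zone_teller", []WWPN{teller, array}}, {"zone_credit", []WWPN{credit, array}}},
	Masks: LUNMask{array: {teller: {1: true}, credit: {2: true}}},
}

func main() {
	for _, c := range []struct{ i WWPN; lun int }{{teller, 1}, {teller, 2}, {credit, 2}, {rogue, 1}} {
		ok, why := bankPolicy.CanAccess(c.i, array, c.lun)
		fmt.Printf("%s -> LUN %d: %v (%s)\n", c.i, c.lun, ok, why)
	}
}
```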
However, while various encryption approaches help address the threats faced by data at rest and by SAN environments, none of them covers all challenges. Data encryption takes different forms, including hardware appliance encryption, host-based software, and ASIC encryption on the switch, hard drives, adapter, and RAID controller. The most effective approach is selected with regard to cost, latency, performance, and interoperability. In most cases, database vendors distribute their solutions together with encryption packages in their products as a way of securing specific database fields. Database administrators are also given the privilege of encrypting their sensitive data through data classification. Unfortunately, data classification is not beneficial in some instances, because it cannot identify all the threats to sensitive data. Therefore, data at rest encryption is very difficult to maintain, especially when protecting sensitive and confidential data that moves from a protected SAN to an unprotected destination SAN.
There has been growing concern about the security of data at rest due to the increased use of advanced technologies, which has resulted in the development of various systems and devices. For example, mobile devices require various security protocols to protect data at rest, especially from unauthorized access to sensitive information when the device is stolen or lost. According to Gartner Research (2014), file servers and database management systems pose risky threats of unauthorized access by individuals who can easily retrieve data at rest, especially if it has been stored for a long time.
There are various forms of data at rest encryption, including encryption above and upstream of the file system and adapter. This approach includes encryption at the file system, operating system, application, and database layers, and consists of different techniques that address the vulnerabilities that may occur in the various software layers. Hackers can access sensitive data through these potential vulnerabilities.
The other encryption technique is performed in the adapter or switch. It includes downstream encryption techniques, below the database or file system, that provide full encryption of SAN environments. This is especially meant to address cases where sensitive data is not captured by the data classification activities. As such, switch or adapter encryption is a formidable technique for addressing such issues, although it requires extra equipment such as encryption engines. This additional equipment acts as a key manager for creating, storing, and managing the encryption keys.
However, extending a SAN over dedicated lines or internet networks using IP addresses creates the need to adopt IPsec security to protect sensitive data on the remote links. This technique also helps support data replication and data sharing in SAN environments, data backup, and business continuity. Encryption of data at rest in the fabric, meanwhile, ensures a long-term security solution for the data stored on hard drives as well as the data transmitted through the fabric. Unfortunately, the method of fabric encryption can decrease the security of data at rest instead of increasing it, by exposing the long-lived encryption keys.
There are various challenges associated with hardware encryption at the adapter or the switch, including the complexity of the security solutions. They become more complex as the distance between the SAN and the positions to which encryption keys move increases, and such complexity raises the likelihood of errors. This scenario can be explained using virtualization concepts: the more devices are shared, the more entities share a particular encryption key. In addition, the growth in the number of encryption keys leads to complexity, exposure, and performance issues.
On the other hand, the use of adapters with on-board ASIC encryption causes interoperability challenges, since some multi-vendor adapters are incompatible with on-board encryption. This means that data encrypted using an adapter can only be read through the same adapter or through solutions developed by the same vendor. It becomes a challenge especially because every database administrator and key manager has different metrics for handling the encryption keys, which makes interoperability difficult (EMC, 2011). Moreover, hardware encryption at the switch or adapter level makes data de-duplication and compression difficult. Therefore, organizations need to evaluate the best data at rest encryption technique in order to protect their sensitive data from unauthorized access and other implications such as identity theft and data breaches. Strong cryptographic methods such as SHA-256, AES, and RSA need to be included in order to provide optimal security for data at rest in SAN environments. A good encryption technique should ensure that the data at rest remains well encrypted even if the passwords and usernames fail to work.
Some of the practices that database administrators and other information managers need to adopt include regularly updating the data encryption keys. To enhance the security of the data, the encryption keys need to be stored in a location separate from the data storage. Other monitoring activities, such as periodic auditing of sensitive and confidential data, need to be implemented and scheduled as part of the data management policy. Data administrators are also advised to keep the amount of sensitive data stored to a minimum. As recommended by Brocade (2013), encryption techniques should be tested before being implemented or adopted in production environments, so that users can familiarize themselves with the processes and equipment involved in the encryption process. Such equipment includes the encryption device, initiator, Ethernet switch, target, and key management system, among others.
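The two practices above, keys stored apart from the data and keys updated regularly, together with the key-manager role described earlier, as an added Go example using AES-GCM from the standard library (not code from the paper, Brocade or EMC): the key-encryption key lives in a stand-in key manager that never holds the data, and rotating it re-wraps only the small data-encryption key, leaving the stored ciphertext untouched. The names KeyManager, WrapDEK, UnwrapDEK and Rotate are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RandomKey returns a fresh 256-bit AES key, used here for both KEKs and DEKs.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// gcmFor builds AES-GCM for a key; a key of invalid length is a programming error.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates pt, prefixing the random nonce to the ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; a wrong key or an altered byte fails the GCM tag check.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(ct) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// KeyManager stands in for the separate key-management system: it holds only the
// key-encryption key (KEK); the volume holds only ciphertext plus the wrapped DEK.
type KeyManager struct{ kek []byte }

// The per-volume data-encryption key (DEK) leaves the key manager only in wrapped form.
func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) { return seal(km.kek, dek) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error) { return open(km.kek, w) }

// Rotate installs a new KEK and re-wraps the DEK; the bulk data is untouched,
// which is what makes a scheduled "regular key update" practical. The old
// wrapped DEK no longer opens, so stale copies of it are useless.
func (km *KeyManager) Rotate(wrapped []byte) ([]byte, error) {
	dek, err := km.UnwrapDEK(wrapped)
	if err != nil { return nil, err }
	if km.kek, err = RandomKey(); err != nil { return nil, err }
	return km.WrapDEK(dek)
}
```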
The major benefit of data at rest encryption is protecting sensitive data from identity thieves and from the data breaches that may arise when such information is exposed to the public. Identity theft is a criminal phenomenon in which a person steals someone's personal details with the aim of accessing resources or other benefits. In other words, identity theft is impersonating or assuming another person's identity, which causes adverse consequences for the victim. It occurs when a person uses another person's identification details, such as name, identification number, address, credit card details, or related details, without his or her permission. As such, data at rest encryption helps protect this sensitive data from unauthorized access and avoids future repercussions. Identity theft usually occurs when a person intends to commit a crime such as fraud. It is usually caused by a data security breach, which is the unintentional or intentional disclosure of important information to an insecure person or environment. Encryption of data ensures that even authorized users have limited access to the sensitive data of the company, its clients, and their colleagues, through the use of the zoning measures discussed earlier.
In addition, data at rest encryption is important in the modern world, where advanced technologies have produced various economic solutions in the financial markets. For example, encryption can prevent identity thieves from stealing the information contained in credit cards or bank cards, passports, identification cards, and authentication tokens obtained through mail theft, pickpocketing, or housebreaking. Social engineering also attracts identity thieves, who browse personal details on social websites where users publish them and where breaches are hard to detect (McFadden, 2007). As such, data at rest encryption plays a major role in ensuring that the sensitive information in real-time databases is secure from any unauthorized access.
Consequently, identity theft and data breaches share a common intention of damaging an individual's reputation or image in the social and business world. This is because the common motives of identity thieves or hackers are to use other people's information to commit fraud or other criminal activities, such as funding terrorism or related crimes. Business competitors also seek unauthorized access to their rivals' databases to obtain confidential business details with the aim of gaining a competitive advantage in the market. They achieve this by acquiring the contact information of clients or by unearthing the strategic approaches formulated by their business rivals.
In conclusion, data at rest encryption is an important phenomenon that users need to understand clearly. This is because the sensitive data stored in a SAN carries the potential risk of unauthorized access, which may disclose the confidential information of an organization or an individual. As a result, it causes a negative impact on the owner's reputation that may lead to losses. Therefore, the subject is important to society, since it creates awareness of the negative impacts of advancing technologies. This research paper recommends regular research on this topic, since new encryption techniques are discovered periodically with the advancement of technology.
Brocade (2013). Data-at-Rest Encryption Scenarios. Brocade Communications Systems, Inc. Retrieved September 29, 2014, from http://www.brocade.com/downloads/documents/technical_briefs/Encryption_Scenarios_GA-TB-100-01.pdf
Gartner Research (2014). "IT Research, Magic Quadrants, Hype Cycles." Gartner. Retrieved September 29, 2014, from http://www.gartner.com/technology/research.jsp
Inmon, B. (2005). "Encryption at Rest." Information Management Magazine. Information-management.com. Retrieved September 29, 2014, from http://www.information-management.com/issues/20050801/1033567-1.html
McFadden, L. (May 16, 2007). "Detecting synthetic identity fraud." Bankrate.com. Retrieved September 29, 2014, from http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp
EMC (March 2011). EMC Symmetrix. EMC Corporation. Retrieved September 29, 2014, from http://www.emc.com/collateral/hardware/white-papers/h8073-symmetrix-data-at-rest-encryption-wp.pdf