Ready to Start Your Career?

Encryption For Data At Rest

Staford Titus S's profile image

By: Staford Titus S

July 16, 2021

Prelude

A star-scanted, gloomy night sky, an eerie haze over the stone-paved streets, and tall tales of witchcraft and black magic just about summed up Mortem Town's actuality. A secluded, quaint old manor, atop the Phantom Hill overlooking the cove's ghastly-gleaming waters unsettled only by the treacherous rocks below, was the town's prime attraction! Coming to think of it, it was indeed a brilliant idea that StronX had assembled their data centers at the Mansion. Who would ever want to go to a haunted mansion? Better yet, who would, in their right mind, go to Mortem Town? Nobody!! But, this did not deter Nix, a small-time identify thief and hacker. It was time to test his skills and test it hard! Having learned to pick locks during his brief stay at Roscoe's, getting into the manor was a breeze. He had not, though, expected a state-of-the-art laser system, which seemed to taunt him. After several back-breaking aerobic moves and preventing beads of sweat from triggering the alarms, he finally made it through to the server room. Woah, it was huge! Over 2000 top-of-the-line model T56 servers arranged in meticulous three-row, two-column stacks were a sight to behold. Wasting no more time, he quickly plugged into the switch server and began running a custom brute force software. In only over two minutes, he was in! The icing on the cake, though? With utter negligence to the possibility of someone smart enough to bring down their defenses, StronX had taken no initiative to secure the data within their database. A quick search through the database raised a red flag! It was supposed to contain customer-sensitive data, but it had something else. What was going on? Why did a local company, with no known foreign ties whatsoever, have classified files on FBI and CIA agents? On further digging, to his utter horror, Nix learned that StronX wasn't just an eCommerce giant. It was a front for a secret criminal organization involving multiple federal, state, and local agencies. Just as he tried processing the altitude of his findings, he felt a gush of air over his head closely followed by a severe sting over his noggin, a sudden high-pitched ringing in his ears, and hazed-out vision leading to oblivion. Well, what if it was a legitimate company into which Nix had hacked his way? He could have retrieved their customers' credit card info or even their SSNs. Or worse, if the database contained the admin credentials, he could have utilized it to wreak havoc.

Data at Rest?

Data essentially stems into two broad categories in terms of its state; data in use and data at rest. Data in use refers to data under process, traversing the network, or temporarily residing in any non-persistent, digital form such as RAM, CPU-cache, function variable, etc. Data at rest refers to all digitally stored data. Digital storage could range anywhere from databases or data warehouses to cloud storage or file hosting services. Data at rest usually contains archival data or persistent (long-term) storage files that require storage for quite a while. Thus, in a web application, the data at rest would be the data stored in the database, while the data in use would be the data transferred over the network. Long-term storage of data often proves efficient; all data can be stored and retrieved when required, all data stored is stored within immediate reach of the web application, thereby easing the access.

Why Encrypt it, though?

Taking the response time into consideration, storing and retrieving data is indeed very efficient. Unfortunately, this does come with several consequences as such data stores are the prime targets for hackers. Hackers are more attracted to data at rest since they are more valuable than single packets of data traversing the network. The icing on the cake, though? Most of that is usually unprotected and in plaintext. Hence, if an attacker were to gain access to the data store or the database, they would have far more valuable and sensitive information than they could have obtained, capturing single packets over the network. The attackers needn't have any access to edit or format the data; viewing the data in itself provides them ample avenues to misuse it. Hence, if the stored sensitive data were to be encoded/encrypted, it would prevent, or in the least, indefinitely delay the disclosure of the sensitive information. Storing passwords and server-sensitive information in plaintext could lead to information leakage, or worse, server-wide root account takeover. It could further lead to a loss of millions of dollars in assets. Encrypting the data proves exceptionally competent when storing customer-centric information where the liability of the safety of such information lies with us. Exposure of customer-sensitive information like Social security numbers, credit card info, passwords, etc., could cost millions of dollars in policy violations, contravention of standards, and court cases. Hence, encrypting them could prevent catastrophic situations and reinforce much-needed trust. Encrypting the data provides an extra layer of security and confidentiality that enhances the data's integrity and availability.

Hashing over Encrypting? What's the big deal?

All this talk about encoding the data! How would one go about doing it? There are two comparable-to-a-degree but distinct methods: encryption and hashing. Hashing and Encrypting are almost entirely different functions though they have several similarities. Encryption is a two-way function where any data in plaintext can be converted into unintelligible or unreadable ciphertext using an encryption key by passing it through an encryption algorithm and where ciphertext can be converted back to plaintext by a decryption algorithm and key. The process of encryption is shown in Fig 1.

Encryption/Decryption Mechanism
Figure 1: Encryption/Decryption Mechanism

Hashing is a one-way function where a hashing algorithm is applied on the plaintext to obtain a hash key incapable of reverting to plaintext. Introducing salts (random bits) into the hashing process could enhance the unpredictability of the outcome and thereby reinforce security. The hashing function is as shown in Fig 2.

Hashing Mechanism
Fig 2: Hashing Mechanism

Encryption and Hashing both have equal importance in regards to data at rest. Encryption usually aids in encrypting data stored in the database for a long time with lower retrieval latency or comparison possibility. Such data would only be provided once by the user. Here, an example would be the user's name, credit card info, social security number, etc. The most common encryption algorithms are Triple DES, RSA, Blowfish, AES, and Twofish. However, hashing reigns where the likelihood of data comparison and indexing is pretty high. The correlation of user-provided passwords with the hash values of the corresponding passwords stored in the database is an example. The most common hashing algorithms are MD5, SHA-1, SHA-2, and NTLM. It is advisable, though, to avoid using MD5 as the primary hashing technique due to the presence of collisions. Collisions meant that attackers could create files or text matching the hashes of the sensitive files or text, thereby rendering any integrity validation or comparison null.

Better Yet? Use Digital Vaults!!

The internet, in addition to cloud technology, has ushered in novel methods of securing sensitive data. Digital vaults, akin to physical vaults, are secure storage units online that let one store any data ranging from passwords and tokens to images and documents. For example, one could store any information such as:

  1. Login data including passwords, Access Tokens, Passkeys, etc.
  2. Digital files such as images, voice recordings, documents, etc.
  3. Sensitive Customer data such as Social Security Number, Credit Card information, security answers, etc.

Digital vaults usually use the highest standard of encryption available such as AES. Thus, the need for manually setting up encryption and managing the data is off the table, easing the already overburdened average human being. They also provide add-on security features like Two-Factor Authentication for accessing the data that enhances the security landscape. They are a Godsend to application developers and programmers who previously used environmental variables to store sensitive tokens that lead to frequent compromise. The best part about these digital vaults? One could manage and share the data amongst various trusted users. Hence, Digital Vaults aid one to secure the data while reducing the management and availability responsibilities.

Conclusion

Protecting data regardless of its state of usage is pertinent to upholding the principles of the CIA triad. Hopefully, this article proved to articulate the importance of securing stored data and the various methods of implementing such security. In tandem with the phrase, "Better safe than sorry," it is always better to take steps to prevent an attack than deal with its repercussions.

Resources

Data at Rest: https://en.wikipedia.org/wiki/Data_at_rest Encryption: https://us.norton.com/internetsecurity-privacy-what-is-encryption.html Hashing: https://en.wikipedia.org/wiki/Hash_function Digital Vaults: https://www.freewill.com/learn/comparing-digital-vault-platforms

Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry