Chief Security Officer Barak Engel doesn't store many customer credit card numbers at San Francisco-based Loyalty Lab, which runs customer loyalty programs for retailers. But he protects those numbers fiercely.
A vulnerability scanning and remediation service from Qualys scans Loyalty Lab's network perimeter for weaknesses, while two-factor authentication from RSA Security verifies its users' identities. Tripwire Enterprise from Tripwire audits changes to the company's environment for signs of misuse, Nessus software from Idealogica scans for vulnerabilities on servers, and SecureDB from nCipher encrypts the data itself.
That's a lot of defense for less than a few hundred megabytes of credit card numbers. But customers, regulators and investors are requiring that companies do whatever it takes to protect "data at rest," whether that data is in a structured database, on a backup tape, on a storage-area network or in a spreadsheet on a notebook computer.
For Engel, one of the key drivers is the US Government-led Payment Card Industry (PCI) data security standard. It specifies 12 requirements for all companies that accept credit cards, including encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, and activity monitoring and logging. To meet such requirements, organizations must determine what sensitive data they own, where it is stored, how it is used and the likely attacks it faces. They must then defend it using tools such as access control and authentication systems, vulnerability scanners, data access monitors and encryption.
Threats may come from disgruntled employees using legitimate access rights to prowl for data, forgetful users whose data-rich notebooks are stolen, and dishonest employees who sell information to the highest bidder. Even if you trust (or are) the database administrator, many regulations require a "separation of duties" that limits which information a database administrator can view.
Data at rest is information that is stored, even temporarily, as opposed to data in transit over a network. It most often refers to structured data, such as the rows and columns of a relational database, but it can also include unstructured data created by other applications, such as word processing, spreadsheet and e-mail programs.
Without an upfront information assessment, organizations often encrypt too little or too much data or fail to build defenses against the most likely threats, says Gartner analyst Rich Mogull. Some vulnerability scanning and database access tools can help customers find databases they didn't know they had, as well as track where sensitive data is kept and how it's being used. These tools make it easier to identify which information to protect and where encryption and decryption will be required.
Encrypting more data than necessary can cripple database or application performance, says Trent Henry, a senior analyst at Burton Group, a research firm. It can also lead to disaster if you can't find the proper decryption keys when you need the data. An information inventory also helps ensure that you are encrypting data at the most likely point of attack.
Many customers use a combination of four protective technologies, chosen to meet their specific needs and budgets. Access control and authentication products verify the identity of users and control which databases, applications and information they can access. Many of these functions are contained within commercial databases, says Mogull, and thus don't require third-party tools. Vulnerability scanners check databases (and sometimes servers) for well-known vulnerabilities, such as default or weak passwords or unnecessary services or processes that are running. They then produce audits or reports listing the results.
Database access monitoring tools track who accessed what data in which databases, when they accessed it and whether and how they changed it. The tools then alert security managers to suspicious behavior, such as a middle-of-the-night query for all customers' credit card numbers. Key features to look for, as with access control and authentication products, include the ability to create and enforce very granular identity and role-based access controls, as well as the ability to produce easy-to- understand audit reports. Some tools also generate reports geared to the requirements of specific regulations that focus on certain types of users, such as database administrators.