Database Backups 101: At-Rest Encryption Basics

Sarojini Devi Nagappan
11 February 2020

Automated data collection makes it possible to gather massive amounts of data in a short span of time. While having access to this data offers many benefits for the data analytics field, it has also raised concerns about data security.

Data security methods differ based on the state of the data. If the data is stored, it’s in a ‘Rest’ state, and if it’s being exchanged, such as in email or chats, it’s in a ‘Transit’ state. Data encryption is a method used to protect data in both of these scenarios. Encryption can be slightly different for at-rest data and in-transit data, as they have slightly different risk profiles. Data at-rest is usually a prime target for hackers or ransomware attacks.

This blog takes a look at the available encryption methods employed to protect data at-rest.

What is Data-at-Rest?

Data that is stored in a system (hard drives, databases, external media, clouds) is known as data at-rest. Stored data is less vulnerable to threats, but carries a higher security risk because of the type of data that is stored.

This type of data is often dormant and best protected using encryption. Data at-rest encryption ensures that an organisation’s valuable data is not as vulnerable to external threats. This is extremely important when talking about user data or where sensitive information is stored. 

Data-at-Rest Encryption

Encryption uses a computer algorithm to convert text to unreadable code or jumbled text. You would need an encryption key to decode the encrypted text. Encryption can be applied to the folder, the entire hard disk or to the database where the data is stored. 

Remember though, encryption on a file or folder might be lost if it is copied to another device where that type of encryption is not supported. 

An alternative option is to encrypt the whole hard disk. Encrypting an entire database should be done with caution since it can result in a serious performance impact. It is therefore wise to encrypt only individual fields. Encryption methods differ based on the location of the stored data. The following sections give an overview of the type of encryption commonly employed to protect the stored data or data at rest.

Full Disk Encryption (FDE) 

Full disk encryption is a common way to automatically encrypt the computer’s hard disk and any data stored on it. The encryption is also applied to data copied from the disk. This is usually done using disk encryption software or by hardware installed on the drive during manufacturing. Unauthorised users will not be able to access the data even if the hard disk is transferred to another machine.

With FDE, the software installed on the computer does not need to know how the encryption works. As long as access is authorised, the operating system provides the data to the software with little information loss.

This is a relatively simple encryption method, but it offers high performance as it’s a hardware-based encryption method.

This method, however, lacks full protection against external hackers or advanced persistent threats. FDE should not be the only encryption method to have in a data center or cloud environment.

File Level Encryption

File level encryption is a method to encrypt files or data at the volume level and is very suitable for databases. The data stays encrypted, even if it’s copied from the destination. 

Encryption is done by software agents installed on the operating system, which decide which data is to be encrypted or decrypted based on the policy.

The advantage of this type of encryption is its ability to encrypt structured and unstructured data. It also offers a high level of compliance with regulation and prevents any abuse by privileged users. 

The software agents for this encryption are operating system specific. It is important to select a solution which works well with Windows, Linux, or Unix platforms. 

From a database protection view, file level encryption can protect databases that are stored as files on the operating system. For large databases, the volume level encryption method is a good option. In any case, you should be careful, as using this method could also affect performance.

Database Level Encryption

Encryption at the database level protects either a subset of data or the entire database using a tool or solution provided by a database vendor. This is commonly known as transparent data encryption (TDE). 

TDE safeguards the database from many malicious threats as well as unauthorised users. These solutions are vendor specific so the encryption settings can’t be applied to multiple databases in an environment. 

This encryption only protects the columns and tables of a database; other configuration files or logs are still exposed to potential security attacks.

Application Level Encryption

Applications often include logic to encrypt and decrypt the data they store. This encryption is done at the application layer, so data can be encrypted before it is stored. Because of this, development resources are required to program the required encryption method into the application. It can be used to protect a specific subset of data and databases and gives a high level of security (like protection against SQL-Injection attacks).
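As an added illustration (not code from the original post), the Go sketch below encrypts a single sensitive column in the application before it reaches the database, using AES-256-GCM from the standard library. It goes one step beyond the text by binding the column label to the ciphertext as associated data, so a value copied into another column fails to decrypt. The names fieldCipher, newFieldCipher and customers.card_number, and the randomly generated demo key, are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

type fieldCipher struct{ aead cipher.AEAD } // hypothetical AES-GCM wrapper for single column values

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &fieldCipher{aead}, err
}

// seal encrypts one value under a fresh random nonce; label (table.column) is authenticated, not stored.
func (f *fieldCipher) seal(label, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(label)) // output is nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal and fails if the key, the label or any stored byte differs.
func (f *fieldCipher) open(label, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	n := f.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("malformed stored value")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(label))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key would come from a KMS or secret store
	rand.Read(key)
	fc, _ := newFieldCipher(key)
	stored, _ := fc.seal("customers.card_number", "4111111111111111") // constructed sample value
	fmt.Println("column value as the database sees it:", stored)
	fmt.Println(fc.open("customers.card_number", stored))
}
```

Only the application holding the key can read the column, which is why access to the application and its key has to be controlled as tightly as the data itself.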

The Benefits of Data-at-Rest Encryption

Encrypting data-at-rest protects the data from physical theft of hard drives or file storage systems. 

It also prevents unauthorised data access when the disk drives leave the organisation for any maintenance services. 

Data-at-rest encryption also complies with data security regulations, especially if there is financial or health data stored on the filesystem.

Limitations of Data-at-Rest Encryption

Data-at-rest encryption is not a bulletproof method; it has several limitations.

  • Full data encryption on a disk drive is protected by a passphrase, so as long as the operator enters the passphrase via a console, the system will be made available for full access. The threat to this encryption is human access privileges, which have to be addressed at the level of the organisation’s data security policy. There is also a possibility of losing access to encrypted data if the passphrase is lost.
  • Encryption at the database level is vendor specific and (usually) it’s available only as an expensive feature for advanced database management systems.
  • As for data encryption at the application level, the application first needs to have security access. If there is no security access for the application, any hacker can easily gain access to the encrypted data in these applications.
  • Lastly, data-at-rest encryption offers minimal protection against remote user access, so it comes back to the organisation’s data security policy and how access privileges for data at rest are granted.

Conclusion

It is important to know what type of at-rest data exists in the organisation before selecting the encryption method to be employed in the environment. 

Protecting data may seem like a complicated process, but there are numerous software solutions out there to help protect the data stored within an organisation.

Since encryption methods differ based on where the data resides, it’s good to decide which data storage points require high data security. Then pick a solution which offers data encryption at different levels, such as hard disk and applications, and guarantees minimal data loss during any data security attack.