
Identify Threats. Secure data. Reduce risk.

www.stealthbits.com | 201-447-9300

White Paper

Data At Rest: The Pragmatic Approach to Data Security


Table of Contents

Introduction

Finding File Threats: Finding Needles in the Needle Stack

Where to Set Your Sights for Data Security

About StealthSEEK®

About STEALTHbits

Learn More


Introduction

Data explosion is a fact of life now. We are creating more data with every step we take and every time we click or press. What’s slightly surprising is that a huge amount of this data still ends up in unstructured form.¹ It sits in files like spreadsheets and documents stored in traditional folders. People are still attaching these files to emails, and at the same time they are sharing the files via instant messaging, collaboration platforms, cloud-based file sharing, and in even more ways. It’s good that people are creating information and sharing it. That process is creating a ton of value for organizations. New ideas translate directly into new revenues. But there are also risks associated with having all that data spread throughout the IT ecosystem. Every file is a potential threat. What we will discuss here is how to understand the risks associated with your data, how people have approached those risks, and why we feel that getting a handle on your data at rest can get you the security results you desire.

Finding File Threats: Finding Needles in the Needle Stack

With so much unstructured data in the organization, simply finding a place to start can be very daunting. Regulations like PCI DSS and HIPAA place organizations in the position of being responsible if bad things happen with data they are supposed to be handling. Of course, regulations aren’t the only motivation. Most businesses are creating data in service of building and leveraging their intellectual property. They may also be handling the IP of others. Protecting themselves against losses through exposing their own IP and damages if they expose the IP of others is also very motivating. In large part, these concerns drove the growth of DLP (Data Leak Protection/Prevention). Instead of targeting controls on data, DLP promised to post guards at the gates so that the important stuff couldn’t get out regardless of what form it took. The idea is sound. Even if we assume that DLP could do the job, though, our experience talking to our customers is that most DLP deployments are severely delayed or stalled, and they have been unable to keep up with the mobile and cloud technologies people are using today. The other problem is that DLP has been very focused on the compliance task and not well applied to the task of protecting IP. Anton Chuvakin of Gartner found the same and goes further, stating that when it comes to IP protection “content-aware DLP simply cannot do this job on its own without encryption, access control, log monitoring, application security, etc.”² What we would like to suggest is that getting your arms around your unstructured data at rest can be a very good starting point for meeting these regulatory and IP protection concerns.

In 2010, Gartner reported that enterprise data growth will be 650 percent over the next five years, and that 80 percent of that will be unstructured.¹

________________________________

¹ “Technology Trends You Can’t Afford to Ignore,” Gartner Webinar, January 2010, slide 8, http://www.gartner.com/it/content/1258400/1258425/january_6_techtrends_rpaquet.pdf

There are several advantages to starting your data protection strategy with data at rest. The simplest is right in the name. Data at rest isn’t moving. A lot of the complexities in data in motion approaches come from the fact that there are so many moving parts and so many new places for data to move appearing every day. Now, that’s not meant to imply data at rest isn’t dynamic. It’s growing, being shifted around, being spread out over multiple data stores, being copied into hundreds of places and altered slightly in every one of those places, and doing a lot of things that defy the label “at rest”. But it’s ultimately stored in places where you can get to it. That makes it a lot easier to target than stuff being transferred to a hundred iPhones via Dropbox. Another advantage is that data at rest can still be locked down. If you find the data and get proper controls around it before it has a chance to make it out the door, then you cut many major risks off at the pass. Data at rest is also still likely well oriented in your security model. The permissions on the files will be set using systems your IT security controls and the access to the files will be controlled via systems where you make the rules. Lastly, data at rest will sit still long enough for you to get a look at it and understand its content. This is a key factor. If you can effectively scan and understand the contents of files, then you can correctly control access to those files based on proper understanding of context.

There is another reason mastering data at rest is important. It has to do with a core assumption that too many people make – even people who are security professionals. People assume threats only live outside the walls. The rise of insider threats is gaining attention and, more importantly, racking up huge numbers in costs due to damages. If you need evidence of this, just look at the headlines. Start with Snowden giving us the example of the ultimate insider job, move to Target showing how improper access can be leveraged by bad guys from the outside to turn your insider issues against you, and finish up with Barclays to show how a rogue insider can go pro and make a fortune on lax IT security. The Barclays case is particularly interesting since the perpetrator, who sold off private financial details about customers, found all the data he needed to build this profitable venture simply using the access he had to unstructured data. That data was sitting on the network for the taking; it only took the right – or maybe the wrong – person to come along and find it.

________________________________

² “On DLP and IP Theft” by Anton Chuvakin, November 9, 2012, http://blogs.gartner.com/anton-chuvakin/2012/11/09/on-dlp-and-ip-theft/

How can you effectively protect against that insider threat? How can you meet all your data security goals? It takes a concert of efforts to do it right, of course. One key piece is making sure you control access to data on the inside. People can’t do the wrong thing with data they can’t access. This is easy enough to say, but it returns us to where we began: where to start? Even if you know you will start with your data at rest, that’s no small task either. Data at rest lives in every nook and cranny of your infrastructure from the lowliest desktop to the beefiest data center. You can scan and analyze it all, but how do you prioritize where to turn your attention first? This is where understanding content comes in. In each case we find, data breaches are a concern because the data itself was sensitive in some way. Sensitive data can be obvious, e.g. PII (Personally Identifiable Information like a Social Security Number), but sensitive data can be very specific to your business as well (e.g. the exact chemical formula for your new drug or the exact combination of supplier part numbers for your upcoming product). Every organization can easily make a list of what data they know they don’t want getting into the wrong hands. If while you scan all your data you’re also looking for that kind of content, you’ll immediately have the criteria you need to assess relative risk, and make a prioritized list of where you should focus your time and attention.
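As an added illustration (not part of the original white paper and not code from any STEALTHbits product), the Python below scans a folder tree for the two kinds of content named above, SSN-shaped values and an organization-specific term, and ranks folders by score. The term "Project Falcon", the sample files, and the doubling of a file's score when it is world-readable are assumptions made for the example.

```python
import os, re, stat, tempfile

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def find_ssns(text):
    """Return SSN-shaped strings that pass basic structural checks."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Areas 000, 666 and 900-999, group 00 and serial 0000 are never issued.
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

def score_file(path, terms):
    """Content hits, doubled when the file is readable by every local user."""
    with open(path, errors="ignore") as fh:
        text = fh.read()
    hits = len(find_ssns(text)) + sum(text.lower().count(t.lower()) for t in terms)
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return hits * 2 if world_readable else hits  # weighting is an assumption

def rank_folders(root, terms):
    """Return [(folder, score)] for folders with hits, highest score first."""
    totals = {}
    for folder, _dirs, files in os.walk(root):
        score = sum(score_file(os.path.join(folder, f), terms) for f in files)
        if score:
            totals[os.path.relpath(folder, root)] = score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def demo():
    """Build a small constructed file share in a temp dir and rank it."""
    samples = {  # constructed data; "Project Falcon" is a hypothetical term
        ("hr", "payroll.csv", 0o644): "jane,123-45-6789\njohn,219-09-9999\n",
        ("eng", "bom.txt", 0o600): "Project Falcon part list, rev C\n",
        ("eng", "notes.txt", 0o600): "ticket 000-12-3456 is not an SSN\n",
        ("public", "menu.txt", 0o644): "lunch on friday\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for (folder, name, mode), body in samples.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            path = os.path.join(root, folder, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return rank_folders(root, terms=["Project Falcon"])

if __name__ == "__main__":
    print(demo())
```

The world-readable check uses POSIX mode bits; on Windows file shares the equivalent input would be the ACL entries for broad groups.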

Where to Set Your Sights for Data Security

Hopefully it’s now clear that data at rest is a pragmatic starting point for your data security efforts. You can approach it in a number of ways, and you can use the content of the data itself to prioritize your efforts. If data at rest is a starting point, where does that get you in terms of your overall goals? Getting data at rest right means that you reap many benefits down the road. Well-organized and secure data at rest is less likely to become the source of a leak. Controlling where your sensitive data lives and who has access to it means you will need less of the burdensome data in motion controls. Data at rest solutions also tend to have a much less complex implementation cycle. You can achieve results faster that way and make progress on data security goals rather than simply sitting and watching projects drag on in the deployment phase while your IP exits stage left. Your ultimate goal should be to have effective, context-sensitive controls applied to all settings where your data is in the hands of users for any purpose. Understanding the nature of your data from content scans while that data is at rest can help make that a reality, because your controls are only effective when they are properly applied. How do you know when to apply DRM or use DLP to block things when you don’t have a full understanding of the context content can provide? Having a solid understanding of your content and a well-defined approach to access gives you these practical answers down the line. That is why mastering your data at rest is a pragmatic start to all of your data security efforts.

About StealthSEEK®

StealthSEEK® is the missing piece in any organization’s DLP tool arsenal, providing high-scale, light-weight sensitive data discovery capabilities for unstructured data. With no agents to provision, dozens of built-in and customizable criteria sets, and surgical accuracy, StealthSEEK is able to identify and secure sensitive content across desktops, servers, and network file shares in minutes, proactively safeguarding data subject to compliance scrutiny and security breach.


©2015 STEALTHbits Technologies, Inc. | STEALTHbits is a registered trademark of STEALTHbits Technologies, Inc. All other product and company names are property of their respective owners. All rights reserved. WP-DAR-0615

STEALTHbits Technologies, Inc.

200 Central Avenue

Hawthorne, NJ 07506

P: 1.201.447.9300 | F: 1.201.447.1818


www.stealthbits.com

About STEALTHbits Technologies, Inc.

Identify threats. Secure Data. Reduce Risk.

STEALTHbits is a data security software company. We help organizations ensure the right people have the right access to the right information. By giving our customers insight into who has access and ownership of their unstructured data, and protecting against malicious access, we reduce security risk, fulfill compliance requirements and decrease operations expense.

Learn More

Attend a Demo - http://www.stealthbits.com/events

Browse the Resource Library - http://www.stealthbits.com/resources

Ask us a Question - http://www.stealthbits.com/company/contact-us

Request a Free Trial - http://www.stealthbits.com/free-trial

Visit the Official STEALTHbits Blog - http://www.stealthbits.com/blog
