Chief Security Officer Barak Engel doesn't store many customer credit card numbers at San Francisco-based Loyalty Lab Inc., which runs customer loyalty programs for retailers. But he protects those numbers fiercely.
A vulnerability scanning and remediation service from Qualys Inc. scans Loyalty Lab's network perimeter for weaknesses, while two-factor authentication from RSA Security Inc. verifies its users' identities. Tripwire Enterprise from Tripwire Inc. audits changes to the company's environment for signs of misuse, Nessus software from Tenable Network Security scans for vulnerabilities on servers, and SecureDB from nCipher PLC encrypts the data itself.
That's a lot of defense for less than a few hundred megabytes of credit card numbers. But customers, regulators and investors are requiring that companies do whatever it takes to protect "data at rest," whether that data is in a structured database, on a backup tape, on a storage-area network or in a spreadsheet on a notebook computer.
For Engel, one of the key drivers is the Payment Card Industry (PCI) data security standard. It specifies 12 requirements for all companies that accept credit cards, including encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, and activity monitoring and logging. To meet such requirements, organizations must determine what sensitive data they own, where it is stored, how it is used and the likely attacks it faces. They must then defend it using tools such as access control and authentication systems, vulnerability scanners, data access monitors and encryption.
Know the Threat
Threats may come from disgruntled employees using legitimate access rights to prowl for data, forgetful users whose data-rich notebooks are stolen, and dishonest employees who sell information to the highest bidder. Even if you trust (or are) the database administrator, many regulations require a "separation of duties" that limits which information a database administrator can view.
Data at rest is information that is stored, even temporarily, as opposed to data in transit over a network. It most often refers to structured data, such as the rows and columns of a relational database, but it can also include unstructured data created by other applications, such as word processing, spreadsheet and e-mail programs.
Without an upfront information assessment, organizations often encrypt too little or too much data or fail to build defenses against the most likely threats, says Gartner Inc. analyst Rich Mogull. Some vulnerability scanning and ¿database access tools can help customers find databases they didn't know they had, as well as track where sensitive data is kept and how it's being used. These tools make it easier to identify which information to protect and where encryption and decryption will be required.