When Data at Rest Encryption Works—And When it Doesn’t
A growing number of our clients are specifying that Ensono provides data at rest encryption, which we believe is a cornerstone of a strong security program. However, it isn’t enough.
What is data at rest encryption?
This type of encryption does exactly what it says, but no more: The 1s and 0s sitting in the mainframe subsystems are scrambled. But as soon as you read a block of data from that disk, that data is in motion, so it’s unencrypted. If you are replicating your storage it’s sent in the clear across whatever lines you are using. This security problem occurs whether someone is accessing the data on a laptop or a company is replicating it at a backup site.
Here’s what happens: The decryption key is generally supplied to the individual hard drives when the storage system goes through an initial microcode load (IML) power-on sequence, either from a key-store in the system control unit or from an external key-store. When the subsystem is connected to the CPU and properly IML’d, the data is no more or less secure than on a non-encrypted subsystem.
Best practices for data at rest
Best practices call for encryption along the entire data path, including encrypting data at the router or switch. The lack of encryption is potentially less of a problem if you are using dedicated fiber optic cables (FICON) or virtual private networks (VPNs). But encryption is essential if the data is traveling along public carrier networks.
What does data at rest encryption protect you against?
Data at rest encryption protects against several scenarios:
If a hard drive fails and is removed, nobody can recover useable data from that drive, assuming the failure left any readable data on the drive in the first place.
If you’re going to dispose of an older storage subsystem that has data at rest encryption, you can delete the decryption key from the key-store and any residual data on the system will be un-readable. This may allow you to avoid having to utilize secure data erasure procedures that might have previously been required.
Despite its real benefits, encrypting data at rest remains the exception. According to a recent Spiceworks study of 600 IT professionals in North America and EMEA, only a third or fewer use data at rest encryption on computers, servers or the cloud.
Ensono applies a full range of security practices to protect mainframe data and systems. Contact us today to learn how we help clients secure their data.