Wikipedia

Data at rest

Data at rest in information technology means data that is housed physically on computer data storage in any digital form (e.g. cloud storage, file hosting services, databases, data warehouses, spreadsheets, archives, tapes, off-site or cloud backups, mobile devices etc.). Data at rest includes both structured and unstructured data.[1] This type of data is exposed to two broad threats: attackers gaining access to it over the network or through the systems that host it, and physical theft of the storage media itself. To prevent this data from being accessed, modified or stolen, organizations commonly employ protection measures such as access controls (e.g. password protection), data encryption, or a combination of both. The security options used for this type of data are broadly referred to as data at rest protection (DARP).[2]

Figure 1: The 3 states of data.

Data at rest is used as a complement to the terms data in use and data in transit which together define the three states of digital data (see Figure 1).[3]

Alternative definition

There is some disagreement regarding the difference between data at rest and data in use. Data at rest generally refers to data stored in persistent storage (disk, tape) while data in use generally refers to data being processed by a computer central processing unit (CPU) or in random access memory (RAM, also referred to as main memory or simply memory). Definitions include:

"...all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated."[4]

Figure 2: Data at Rest vs Data in Use.

"...all data in storage but excludes any data that frequently traverses the network or that which resides in temporary memory. Data at rest includes but is not limited to archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and also files stored off-site or on a storage area network (SAN)."[5]

Data in use has also been taken to mean “active data” in the context of being in a database or being manipulated by an application. For example, some enterprise encryption gateway solutions for the cloud claim to encrypt data at rest, data in transit and data in use.[6]

It is generally accepted that archive data (i.e. data which never changes), regardless of its storage medium, is data at rest, and that active data subject to constant or frequent change is data in use. "Inactive data" could be taken to mean data which may change, but infrequently. The imprecise nature of terms such as "constant" and "frequent" means that some stored data cannot be definitively classified as either data at rest or data in use. These definitions could be taken to imply that data at rest is a superset of data in use; however, data in use, subject to frequent change, has distinct processing requirements from data at rest, whether the latter is completely static or subject to occasional change.

The division of data at rest into the sub-categories "static" and "inconstant" addresses this distinction (see Figure 2).

Concerns about data at rest

Because it persists, often for years, and accumulates in backups and archives, data at rest is of increasing concern to businesses, government agencies and other institutions.[4] Mobile devices are often subject to specific security protocols to protect data at rest from unauthorized access when lost or stolen,[7] and there is an increasing recognition that database management systems and file servers should also be considered as at risk:[8] the longer data is left unused in storage, the more likely it is to be retrieved by unauthorized individuals outside the network.

Encryption

Data encryption, which renders data unreadable without the key in the event of its unauthorized access or theft, is commonly used to protect data in motion and is increasingly promoted for protecting data at rest.[9]

The encryption of data at rest should use only strong, well-vetted algorithms: AES for the stored data itself, with an asymmetric algorithm such as RSA reserved for wrapping or exchanging the data keys rather than for bulk data (public-key operations are far too slow for large volumes, and RSA cannot directly protect a message longer than its modulus). An authenticated mode such as AES-GCM also detects modification of the stored ciphertext, not only disclosure. Encrypted data should remain encrypted when access controls such as usernames and passwords fail; the ciphertext must not become readable merely because an authentication layer is bypassed. Encrypting at multiple layers (defence in depth) is recommended: cryptography can be applied within the database housing the data (at column or table level) and on the physical storage where the database files reside (full-disk or volume encryption). Data encryption keys should be rotated on a regular basis, and encryption keys should be stored separately from the data they protect, typically in a key-management service or hardware security module, so that a copy of the storage medium alone does not yield the plaintext. Keeping keys separate also enables crypto-shredding at the end of the data or hardware lifecycle: destroying the key renders every copy of the ciphertext, including backups, unrecoverable. Periodic auditing of sensitive data should be part of policy and should occur on a fixed schedule. Finally, only store the minimum possible amount of sensitive data.[10]
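The practices listed above (per-record data keys, keys held separately from the data, cheap key rotation, crypto-shredding, and authenticated encryption that fails closed on tampering) are easier to see together than one at a time. The following Go program is an added illustration written for this page, not code from the article or from any product it cites; it uses only the standard library. The in-memory KeyStore is an assumption standing in for a real KMS or HSM, and the "ssn=..." record is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one data-at-rest object as it would sit on disk or in a database:
// the ciphertext plus the wrapped per-record data encryption key (DEK). The
// key-encryption key (KEK) that wraps the DEK lives elsewhere, in the KeyStore.
type Record struct {
	KEKID      string // id of the KEK that currently wraps the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended, KEK id as AAD
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// KeyStore stands in for a separate KMS/HSM (an assumption of this example).
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// NewKEK creates a fresh 256-bit key-encryption key under the given id.
func (ks *KeyStore) NewKEK(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	ks.keks[id] = k
	return nil
}

// Destroy deletes a KEK. This is crypto-shredding: every DEK wrapped under it,
// and therefore every record encrypted with those DEKs, becomes unrecoverable.
func (ks *KeyStore) Destroy(id string) { delete(ks.keks, id) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad fails the GCM check.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh DEK per record, encrypts the data with it and wraps the
// DEK under the KEK. The KEK never touches the data; the DEK is never stored in clear.
func Encrypt(ks *KeyStore, kekID string, plaintext []byte) (*Record, error) {
	kek, ok := ks.keks[kekID]
	if !ok { return nil, errors.New("unknown KEK " + kekID) }
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, plaintext, nil)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil { return nil, err }
	return &Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt fails closed: a destroyed KEK or any tampering yields an error, never plaintext.
func Decrypt(ks *KeyStore, r *Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKID]
	if !ok { return nil, errors.New("KEK " + r.KEKID + " unavailable: destroyed or access denied") }
	dek, err := unseal(kek, r.WrappedDEK, []byte(r.KEKID))
	if err != nil { return nil, err }
	return unseal(dek, r.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK without touching the ciphertext, so
// regular key rotation stays cheap even for large volumes of stored data.
func Rotate(ks *KeyStore, r *Record, newKEKID string) error {
	oldKEK, okOld := ks.keks[r.KEKID]
	newKEK, okNew := ks.keks[newKEKID]
	if !okOld || !okNew { return errors.New("old or new KEK unavailable") }
	dek, err := unseal(oldKEK, r.WrappedDEK, []byte(r.KEKID))
	if err != nil { return err }
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil { return err }
	r.WrappedDEK, r.KEKID = wrapped, newKEKID
	return nil
}

func main() {
	ks := NewKeyStore()
	_ = ks.NewKEK("kek-2024")
	rec, _ := Encrypt(ks, "kek-2024", []byte("ssn=123-45-6789")) // constructed sample record
	_ = ks.NewKEK("kek-2025")
	_ = Rotate(ks, rec, "kek-2025") // rotate, then retire the old KEK
	ks.Destroy("kek-2024")
	pt, _ := Decrypt(ks, rec)
	fmt.Printf("after rotation: %s\n", pt)
	ks.Destroy("kek-2025") // crypto-shred: the ciphertext is now permanently unreadable
	_, err := Decrypt(ks, rec)
	fmt.Println("after shredding:", err)
}
```

Two design points are worth noting. The KEK id is passed as GCM additional data when wrapping the DEK, so a wrapped key copied from one record to another, or re-labelled with a different KEK id, fails to unwrap. And because only the small wrapped DEK is re-encrypted on rotation, the bulk ciphertext never has to be rewritten, which is what makes regular rotation practical on large archives.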

Tokenization

Tokenization is a non-mathematical approach to protecting data at rest that replaces sensitive data with non-sensitive substitutes, referred to as tokens, which have no extrinsic or exploitable meaning or value: a token is not derived from the original value by any key or function, so it can only be mapped back through the token vault. This process does not alter the type or length of the data, which means tokens can be processed by legacy systems such as databases that may be sensitive to data length and type.

Tokens require significantly fewer computational resources to process and less storage space in databases than traditionally encrypted data. This is achieved by keeping specific data fully or partially visible (for example, the last four digits of a card number) for processing and analytics while the sensitive portion is kept hidden. Lower processing and storage requirements make tokenization well suited to securing data at rest in systems that manage large volumes of data. The token vault that maps tokens back to the original values then becomes the single high-value target: it must be protected at least as strongly as the original data and isolated from the systems that hold only tokens.
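The following Go program is an added example of a format-preserving token vault for card numbers, written for this page rather than taken from the article or from any tokenization product. It shows the properties discussed above: the token keeps the length and digit type of the input, the last four digits stay visible, the token is random rather than computed from the value, and the vault is the only place where the mapping can be reversed. The in-memory maps standing in for the vault and the "4111..." test card number are assumptions of the example; forcing the token to fail the Luhn check, so it can never be mistaken for a real card number, is a design choice of this example, not a rule from the article.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Vault is the token vault: the only place where a token can be mapped back to
// the value it stands for, so it must be protected at least as strongly as the
// original data. In-memory maps stand in for it here (an assumption of this example).
type Vault struct {
	byToken map[string]string // token -> original value
	byValue map[string]string // original value -> token, so one value always gets one token
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// luhnValid reports whether a digit string passes the Luhn check that real card numbers satisfy.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func allDigits(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// randomDigits draws n decimal digits from a CSPRNG. The token is random rather
// than derived from the value: no key or function turns it back, only the vault.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		v, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + v.Int64())
	}
	return string(out), nil
}

// Tokenize replaces a 13-19 digit card number with a token of identical length
// and type, keeping the last four digits visible for analytics and support.
// The token is forced to fail the Luhn check so it cannot be mistaken for, or
// accidentally processed as, a real card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !allDigits(pan) {
		return "", errors.New("input is not a 13-19 digit card number")
	}
	if tok, ok := v.byValue[pan]; ok {
		return tok, nil // same value, same token: joins and deduplication keep working
	}
	keep := pan[len(pan)-4:]
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + keep
		if _, taken := v.byToken[tok]; taken || tok == pan || luhnValid(tok) {
			continue // collision, identity, or Luhn-valid: draw again
		}
		v.byToken[tok], v.byValue[pan] = pan, tok
		return tok, nil
	}
}

// Detokenize is the privileged path: only callers allowed to reach the vault
// can recover the original value; everything else operates on tokens alone.
func (v *Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

func main() {
	v := NewVault()
	tok, err := v.Tokenize("4111111111111111") // constructed test card number
	if err != nil {
		panic(err)
	}
	pan, _ := v.Detokenize(tok)
	fmt.Printf("token %s (last four kept, Luhn valid: %t) -> %s\n", tok, luhnValid(tok), pan)
}
```

A production vault would index values by a keyed hash (HMAC) rather than by the plaintext as the byValue map does here, and would persist tokens under its own access controls and audit logging; the point of the example is that the systems downstream of the vault never need anything but the token.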

Federation

A further method of preventing unwanted access to data at rest is the use of data federation,[11] especially when data is distributed globally (e.g. in off-shore archives). An example of this would be a European organisation which stores its archived data off-site in the US. Under the terms of the USA PATRIOT Act,[12] the American authorities can demand access to all data physically stored within US borders, even if it includes personal information on European citizens with no connection to the US. Data encryption alone cannot prevent this, because the authorities can also demand the decrypted information or the keys. A data federation policy which keeps personal citizen information with no foreign connections within its country of origin (separate from information which is either not personal or is relevant to off-shore authorities) is one option to address this concern. However, the CLOUD Act of 2018 allows US authorities to compel US-based service providers to produce data in their possession, custody or control regardless of where it is stored, which limits the protection that physical location alone can provide.

References

  1. Pickell, Devin. "Structured vs Unstructured Data – What's the Difference?". learn.g2.com. Retrieved 2020-11-17.
  2. "Data at Rest". Webopedia. 8 June 2007.
  3. "Data Loss Prevention | Norton Internet Security". Nortoninternetsecurity.cc. 2011-03-12. Retrieved 2012-12-26.
  4. "What is data at rest? - Definition from WhatIs.com". Searchstorage.techtarget.com. 2012-12-22. Retrieved 2012-12-26.
  5. "What is data at rest? - A Word Definition From the Webopedia Computer Dictionary". Webopedia.com. 8 June 2007. Retrieved 2012-12-26.
  6. "CipherCloud Brings Encryption to Microsoft Office 365". 18 July 2012. Retrieved 2013-11-01.
  7. "BBP Data at Rest" (PDF). gordon.army.mil. http://www.gordon.army.mil/nec/documents/BBP%20Data%20at%20Rest.pdf
  8. "IT Research, Magic Quadrants, Hype Cycles". Gartner. Archived from the original on May 2, 2004. Retrieved 2012-12-26.
  9. Inmon, Bill (August 2005). "Encryption at Rest - Information Management Magazine Article". Information-management.com. Retrieved 2012-12-26.
  10. "Cryptographic Storage Cheat Sheet". OWASP. Retrieved 2012-12-26.
  11. "Information service patterns, Part 1: Data federation pattern". Ibm.com. Retrieved 2012-12-26.
  12. "USA Patriot Act". Fincen.gov. 2002-01-01. Archived from the original on 2012-12-28. Retrieved 2012-12-26.
