No Chance for Data Thieves: Effective Protection Against Hackers and Espionage Through Encryption of Data at Rest


Today I would like to address a point that goes beyond the data protection requirements of most companies, namely the encryption of data at rest. While most organizations protect their data in backups and before a user logs in, the comprehensive protection of rarely used data sets often remains a secondary consideration, although this is precisely where considerable risks lurk. Often, once a user logs on, the entire database is immediately and unselectively made available on the respective device.

The importance of encrypting data at rest

An excellent measure to prevent espionage and to significantly reduce the impact of unwanted data outflows is the consistent encryption of data at rest. This refers to information that is not actively used on a permanent basis, but cannot be deleted for compliance, evidence or other operational reasons. This can include a wide range of data, from personal data and financial information to important business secrets and intellectual property in research and development.

This measure therefore not only serves to protect company and trade secrets from internal and external threats, but also minimizes the damage in the event of a successful cyberattack (e.g. by ransomware or hackers). If attackers can only steal encrypted data, the immediate benefit for them and the damage to your company is significantly reduced. Modern algorithms such as AES-256 (Advanced Encryption Standard with 256-bit keys) are considered the industry standard here and offer a high level of protection.

Development of a comprehensive crypto concept

It is highly recommended to develop and implement a detailed and company-specific crypto concept. The IT baseline protection module CON.1 “Crypto concept” from the German Federal Office for Information Security (BSI) provides an excellent basis for this. Such a concept should address the following aspects, among others:

  • Classification of data: Which data needs to be protected and with what priority?
  • Selection of suitable encryption methods and products: Consideration of strength, implementation effort and performance.
  • Secure key management: Processes for generating, distributing, storing, rotating and destroying cryptographic keys.
  • Roles and responsibilities: Who is responsible for which aspects of the crypto concept?

As part of this, different, granular encrypted areas (e.g. separate encrypted containers or databases) with individual, strong keys could be used, for example. The assignment depends on the frequency of access, the sensitivity of the data and the respective user rights.

Dealing with vulnerabilities and errors

It should not be forgotten that cryptographic hardware or software can also have vulnerabilities or be implemented incorrectly. For this reason, it may be advisable to diversify the protection mechanisms for particularly sensitive data. This could mean that “encrypted data at rest” is not only stored in encrypted form within the workspace that is encrypted by default (before logging in), but is also protected with a separate application or hardware solution. This additional layer is then not automatically decrypted at system startup or user login. To prevent errors and data loss due to damage, regular, verified data backups of the encrypted data are also essential – ideally triggered every time the archived data is changed.

Strengthening key management

Another critical point is the robustness of key management. Using key files in addition to passphrases, together with a high iteration count for password-based key derivation functions (PBKDFs), significantly increases the effort required for brute-force attacks and thus minimizes the chance of success for potential attackers. Of central importance here is the secure storage of key encryption keys (KEKs), which in turn protect the actual data encryption keys (DEKs), a principle known as envelope encryption.

Limits of encryption for advanced persistent threats (APTs)

Despite its effectiveness, encryption of data at rest alone is not a panacea against highly sophisticated, targeted and long-term attacks known as advanced persistent threats (APTs). APT actors often operate in the network over very long periods of time and could wait patiently for a temporary decryption of the archived data in order to then access the keys or the decrypted data directly on a running system. Additional, complementary security measures are therefore indispensable for the comprehensive defense against and detection of APTs. These include in particular:

  • Data Loss Prevention (DLP) systems: Monitor and control the flow of data to prevent unauthorized exfiltration of sensitive information.
  • Intrusion Detection/Prevention Systems (IDS/IPS): Detect and block suspicious network activities and known attack patterns.
  • Endpoint Detection and Response (EDR) solutions: Monitor endpoints for signs of compromise.
  • Security Information and Event Management (SIEM) systems: Correlate log data from various sources to identify complex attack scenarios.

State actors

Furthermore, the encryption of data at rest becomes particularly relevant in the context of protection against unauthorized or disproportionate access by authorities of states that are not well-meaning. In scenarios in which state actors or other repressive authorities could attempt to access sensitive data – be it in the context of investigations, spying, APTs or broader surveillance measures – robust encryption, in which the keys remain exclusively under the control of the data owner, represents a significant hurdle.

Such measures can therefore help to protect important data and ensure that access to protected information is only possible on the basis of clearly defined, constitutional principles and not through blanket or technically enforced official access to (unencrypted) data. Encrypting data at rest thus also minimizes the risk of potentially unlawful access by state actors from rogue states.

Your partner for balanced IT security

I will be happy to provide you with comprehensive advice on all IT security issues and help you to implement sensible yet balanced measures that will significantly increase your level of protection. The strategic use of open source software can be a transparent and cost-effective alternative or supplement to proprietary solutions in many areas, as its code is publicly available and is reviewed by a broad community, which can reduce the risk of hidden backdoors.

I look forward to hearing from you so that we can jointly develop a customized security strategy for your company.
