Blog 5 mins reading time

Understanding the Problem of Data at Rest

Welcome to the first article in our Series on Securing Data at Rest. Over the course of this series, we’ll explore the challenges of managing sensitive data and how Datasafe by adorsys, a Java-based encrypted record management tool, provides an innovative solution for managing secure data storage and sharing , tackle them with cutting-edge encryption techniques.

This series is tailored for decision-makers, risk managers, and IT professionals aiming to strengthen their data protection strategies.

Introduction

In the world of data management, securing information goes beyond network firewalls and user authentication.

A critical yet often overlooked layer of protection lies in securing data at rest data stored in databases, backups, and storage devices. This article delves into the vulnerabilities of data at rest, focusing on relational database architectures, backup practices, and other risks that decision-makers and risk managers must address.

1. The Architecture of Relational Database Systems

At the heart of modern business systems lies the relational database management system (RDBMS), which structures data into interconnected tables. These systems rely on key components for their functionality:

a. Database Files: These store the actual data in structured formats.

b. Redo Logs: A crucial feature of transactional systems, redo logs capture all changes to the database, ensuring recoverability in case of crashes or power failures.

While these components enhance reliability and functionality, they also introduce vulnerabilities if not properly secured.

Datasafe’s Approach: Datasafe addresses these challenges by integrating client-side encryption, ensuring that database files and associated logs are encrypted before they leave the application layer. This minimizes the risk of exposure, even in scenarios where physical or system-level access is compromised.

2. The Vulnerability of Database Backups and Storage Devices

A significant threat to data security arises from the mishandling of backups and storage devices, which often bypass the strict access controls of the main database.

a. Backup Files

  • Backups frequently contain unencrypted copies of sensitive data.
  • When stored on tapes or external devices, these backups are at risk of unauthorized access.

b. Magnetic Tapes and External Storage Devices

  • Vulnerable to theft or loss, leaving sensitive data exposed.
  • Lack of encryption allows unauthorized access in such events.

c. Third-Party Storage Providers

  • Using cloud or offsite storage without encryption exposes data to potential breaches.

Datasafe’s Solution: Datasafe supports encrypted backups by leveraging modular encryption layers that seamlessly integrate with different storage backends. Whether using local disks or cloud-based providers like AWS S3 or CEPH it ensures that data remains encrypted and secure across all mediums.

3. Transactional Systems, Necessity or Overkill?

Transactional systems like those supported by RDBMS ensure consistency and reliability but are not always necessary for every use case.

a. Where They Make Sense

  • High-stakes environments like banking or systems requiring ACID guarantees.

b. Where They’re Overkill

  • Storing static, unstructured data, such as media or archives.

Datasafe’s Value Proposition: Datasafe complements transactional systems by focusing on data encryption at rest and in transit, making it adaptable for both high-stakes transactional use cases and simpler, unstructured storage solutions.

 

4. Other Risks Associated with Data at Rest

a. Residual Data on Decommissioned Devices

  • Even after deletion, traces of sensitive data may remain on storage devices.

b. Insider Threats

  • Employees with access to backups or storage infrastructure can exploit unencrypted data.

c. Natural Disasters and Data Integrity:

  • Floods, fires, or mishandling can lead to breaches if physical media is not encrypted.

d. Shared Storage Systems

  • Misconfigurations in cloud environments can lead to cross-tenant data leaks.

Datasafe’s Mitigation: Datasafe employs strong encryption for all files, metadata, and paths, reducing the risk of residual data exposure. It also protects against insider threats by making data inaccessible without the corresponding decryption keys.

 

5. Why Encryption at Rest Is Essential

The risks outlined above highlight why encryption at rest is not just a best practice but a necessity.

a. Protecting Backups

  • Datasafe ensures backup files are encrypted using symmetric and asymmetric cryptography.

b. GDPR Compliance

  • By encrypting data and supporting key management policies, Datasafe enables secure deletion practices aligned with regulatory requirements.

c. Minimizing Insider Threats

  • Encrypted data cannot be exploited without proper keys, even if accessed internally.

 

Conclusion

Datasafe’s architecture directly addresses the challenges of data at rest by providing end-to-end encryption, modular support for multiple storage backends, and a secure way to manage both private data and shared files. As the series progresses, we’ll explore Datasafe’s specific implementations and how it tackles encrypted databases, ensuring that sensitive data remains secure against modern threats.

If you found this article insightful, please share it with your network to help others understand the importance of securing data at rest.

Stay tuned for our next article, where we’ll dive into encrypted database indexing challenges and the trade-offs between efficiency and security.

Keen to explore how adorsys can guide your company into this world? Reach out to us here, our team will be delighted to discuss tailored solutions for your organisation.

Written by Assah Bismark, Fullstack Software Engineer at adorsys.