What are the best practices for securing data at rest?

Data at rest is any data that is stored on a device or a medium, such as a hard drive, a cloud server, a flash drive, or a backup tape. Securing data at rest is crucial for preventing unauthorized access, theft, or leakage of sensitive or confidential information. Data governance professionals need to follow some best practices to ensure that data at rest is protected from internal and external threats. Here are some of them.

1 Encrypt data at rest

Encryption is the process of transforming data into an unreadable format that can only be decoded with a key. Encrypting data at rest makes it harder for attackers to access or use the data without the key. Encryption can be applied at different levels, such as the file, the disk, the database, or the application. Depending on the level of encryption, different keys and algorithms may be required. Data governance professionals should choose the appropriate encryption method based on the type, location, and sensitivity of the data at rest.

Add your perspective

José Javier Hernández González, CDMP

Associate Director, Internal Data Services
Report contribution
Along with three encryption method that needs to be defined, ensure your process is comprehensive, sometimes if your algorithm for encryption is incorrect, you are going to have lots of troubles un encrypting your data for analytical purposes. Make sure to include a solid testing strategy when implementing your encrypting solution.

Like

2 Manage encryption keys

Encryption keys are the secrets that enable encryption and decryption of data, so managing them is essential for securing data at rest. Data governance professionals should follow key management best practices, such as storing keys separately from data in secure storage systems, rotating and revoking keys regularly, implementing access control policies and audit logs, and backing up keys with a recovery plan. Failing to do so can result in data loss or exposure.

Add your perspective

3 Implement data masking

Data masking is a technique of replacing sensitive data with fictitious or anonymized data that retains the original format and structure. It can be used to protect data at rest from unauthorized disclosure, while still allowing it to be usable and functional. Data governance professionals should use the right data masking tools and methods for the specific data type and use case, such as static data masking, dynamic data masking, and format-preserving encryption. The former applies masking to a copy of the data before it is moved or accessed, while the latter applies masking on the fly as the data is requested or queried. The latter also encrypts the data with a key that preserves its original format and length.

Add your perspective

Sabahat Hussain
Report contribution
Dynamic Data Masking allows authorized users to view the original data while concealing the sensitive data from unauthorized users. This technique is used to protect sensitive data from being exposed to those who do not have the required permissions to view it. for such case we can use specific tools that allow masking on fly.

Like
M. T.

Data Engineer- | Informatica | IDQ | EDC | SSAS | SSIS | ETL | Cloudera |SFPC | KIKF | Power BI | Tableau| SSRS | SQL| MES POMS| Life sciences
Report contribution
I as a data engineer, have a greater responsibility to mask the PI/SI fields while creating the data stream pipelines. i use some Hash function within the given environment or if i am using any object oriented ETL tool so i would use specific transformations to mask the Important data and then dump it into the target tables.

Like
Deborah Akinbinu

Health Promotion and Welfare @ Dbegotin Educational Foundation | MSc Infection and Prevention Control
Report contribution
In my own view, Data masking is more or less an inauthentic or a prototype or a look-alike version of a data which is kind of efficient for testing and training.

Like

4 Apply data classification

Data classification is the process of categorizing data based on its value, sensitivity, and risk. This can help data governance professionals identify and prioritize the data that needs to be secured at rest, as well as the appropriate security measures and controls for each data category. Additionally, data classification can facilitate compliance with data protection regulations and standards, such as GDPR, HIPAA, or PCI-DSS. To ensure successful data classification, data governance professionals should use frameworks and tools that support their business objectives and data policies. For example, they can label data with metadata tags that indicate its classification level and security requirements; scan for sensitive or personal information and apply automatic classification rules; and educate users and stakeholders about the data classification scheme and their roles and responsibilities.

Add your perspective

Sachin Raikar, CDS, CIMP Specialization Data Governance

Certified Data Steward, Certified Information Management Professional | Collibra Certified Data Steward | Data Privacy | BigID Certified | Data Security Specialist @ Data Management COE, Fidelity Investments Ireland
Report contribution
Data classification should be the first step in the process followed by identification and prioritization of data. Using a good tool in data classification helps to tag sensitive information to a large volume of data. Once data classification activity is complete, it becomes easy to apply data security policies to safe guard sensitive data.

Like
Sabahat Hussain
Report contribution
Sachin is correct in stating that data classification is the initial stage for implementing data security/masking. Therefore, we should categorize our data using existing classification schemes such as public, internal, confidential, restricted, and highly sensitive. Additionally, we must determine if our data belongs to any of the categories such as PII, PCI or SI standard list. This will enable us to further classify and easily identify the confidential data since the data falling under these categories must be masked from unauthorized users to access.

Like

5 Monitor and audit data at rest

Monitoring and auditing data at rest is the process of tracking and reviewing activities and events related to the data, such as access, modification, deletion, or movement. This helps data governance professionals detect and respond to any anomalies, breaches, or violations of data security policies and standards. It also provides evidence and accountability for data security compliance and audits. Data governance professionals should use monitoring and auditing tools and techniques that enable them to collect and analyze data logs and metrics from various sources, such as encryption systems, key management systems, data masking tools, and data storage systems. Alerts and notifications should be set up for any suspicious or abnormal data activity or event. Reports and dashboards should be generated to summarize and visualize the data security status and performance.

Add your perspective

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

Sabahat Hussain
Report contribution
Firstly Classify your data: Categorize your data based on its sensitivity and value to determine the appropriate security measures for each category. Implement strong access controls: Utilize role-based access control (RBAC) mechanisms to restrict access to data based on job roles and responsibilities. Implement granular access controls to ensure that only authorized users can retrieve or modify the data.

Like

What are the best practices for securing data at rest?

1

2

3

4

5

6

1 Encrypt data at rest

2 Manage encryption keys

3 Implement data masking

4 Apply data classification

5 Monitor and audit data at rest

6 Here’s what else to consider

Data Governance

Rate this article

Thanks for your feedback

More articles on Data Governance

More relevant reading

What are the best practices for securing data at rest?

1

2

3

4

5

6

1 Encrypt data at rest

2 Manage encryption keys

3 Implement data masking

4 Apply data classification

5 Monitor and audit data at rest

6 Here’s what else to consider

Data Governance

Rate this article

Thanks for your feedback

Explore Other Skills