A Q&A on Protecting Data-at-Rest
One of the most important aspects of security is how to protect the data that is just “sitting there”, called data-at-rest. There are many requirements for securing data-at-rest, and they were discussed in detail at our SNIA Networking Storage Forum (NSF) webcast Storage Networking Security: Protecting Data-at-Rest. If you missed the live event, you can watch it on-demand and access the presentation slides here.

As we promised during the webcast, here are our experts’ answers to the questions from this presentation:
Q. If data is encrypted at rest, is it still vulnerable to ransomware attacks?

A. Yes, encrypted data is still vulnerable to ransomware attacks, as the attack would simply re-encrypt the encrypted data with a key known only to the attacker.
Q. The data at rest is best implemented at the storage device. The Media Encryption Key (MEK) is located in the devices per the Trusted Computing Group (TCG) spec. NIST requires the MEK to be sanitized before decommissioning the devices. But devices do fail, because of a 3-5 year life span. Would it be better to manage the MEK in the Key Management System (KMS) or Hardware Security Module (HSM) in cloud/enterprise storage?