CIS Safeguard 3.11: Encrypt Sensitive Data at Rest

By Steve Gold
Posted in Security
On May 20, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

CIS Safeguard 3.11 mandates the encryption of sensitive data while it is stored, also known as "data at rest." This includes data stored on various mediums, such as hard drives, databases, and cloud storage. Encrypting data at rest ensures that even if unauthorized individuals gain access to the storage media, they cannot easily read or use the data without the corresponding encryption keys.

The Importance of Encrypting Sensitive Data at Rest

The encryption of data at rest serves as a critical barrier against unauthorized access. It ensures that sensitive information remains secure, even in the event of a physical or virtual breach. By encrypting data, organizations can protect personal information, financial records, intellectual property, and other sensitive data from being exposed to malicious actors. This practice not only helps in maintaining the integrity and confidentiality of data but also aids in compliance with various regulatory standards, such as GDPR, HIPAA, and PCI-DSS.

Real-World Examples of Failures to Encrypt Data at Rest

  1. Uber Data Breach (2016): The Uber data breach occurred in 2016 but was only disclosed in 2017. Hackers accessed the personal information of 57 million Uber users, including names, email addresses, and phone numbers. The breach was facilitated by poor security practices, including the lack of encryption for sensitive data stored on the company’s servers. The failure to encrypt this data allowed attackers to easily access and exploit the information, leading to significant reputational damage and financial consequences for Uber.

Implementing CIS Safeguard 3.11

  1. Identify Sensitive Data: The first step in implementing CIS Safeguard 3.11 is to identify all sensitive data within the organization. This includes personal information, financial records, proprietary business information, and any other data that, if exposed, could harm the organization or its clients. Conducting a comprehensive data audit can help in pinpointing where sensitive data resides.
  2. Use Strong Encryption Algorithms: It is essential to use strong encryption algorithms to protect sensitive data. Algorithms such as AES (Advanced Encryption Standard) with 256-bit keys are recommended for their robustness and security. Avoid using outdated or weak encryption methods that can be easily broken by attackers.
  3. Implement Encryption Key Management: Effective encryption relies on secure key management. Encryption keys should be stored separately from the encrypted data, and access to these keys should be strictly controlled. Implementing hardware security modules (HSMs) and key management software can help in securely generating, storing, and managing encryption keys.
  4. Encrypt Data at Multiple Levels: Data should be encrypted at multiple levels, including file-level, database-level, and disk-level encryption. This multi-layer approach ensures that even if one layer of encryption is compromised, the data remains protected by other layers.
  5. Regularly Update and Patch Systems: Keeping systems and software up to date with the latest security patches is crucial in preventing vulnerabilities that could be exploited to access encrypted data. Regularly updating and patching systems reduces the risk of successful attacks.
  6. Monitor and Audit Encryption Practices: Continuous monitoring and auditing of encryption practices ensure that sensitive data remains protected. Regular audits can help in identifying potential weaknesses and areas for improvement in the encryption strategy. Tools and services that provide real-time monitoring of data access and encryption processes can be invaluable in maintaining data security.
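Steps 2 and 3 above (AES-256 and keys kept apart from the data) are usually realized together as envelope encryption. The following Go example is added here and is not code from the article or from CIS: each record is encrypted under its own random data key, and that key is wrapped under a key-encryption key (KEK) which is assumed to live in an HSM or KMS and is never written next to the ciphertext; the record ID used as associated data is a constructed illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedRecord is what reaches storage: ciphertext plus a wrapped data key; the wrapping KEK lives elsewhere.
type EncryptedRecord struct{ WrappedDEK, Ciphertext []byte }

// gcmFor builds AES-256-GCM; any key length other than 32 bytes is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // only fails on a bad length, checked above
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts and authenticates plaintext, prepending a random nonce; aad binds it to its record ID.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (guaranteed since Go 1.24)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, altered bytes or a mismatched record ID fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// EncryptRecord: fresh 256-bit data key (DEK) per record, wrapped under the KEK (envelope encryption).
func EncryptRecord(kek, plaintext []byte, recordID string) *EncryptedRecord {
	dek := make([]byte, 32)
	rand.Read(dek)
	aad := []byte(recordID) // constructed example of associated data, e.g. "customer/42"
	return &EncryptedRecord{WrappedDEK: seal(kek, dek, aad), Ciphertext: seal(dek, plaintext, aad)}
}
// DecryptRecord needs the KEK from the key store; a copy of the storage volume alone yields nothing.
func DecryptRecord(kek []byte, rec *EncryptedRecord, recordID string) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}
```

Rotating the KEK means re-wrapping only the small WrappedDEK values, not re-encrypting every record, which is why key management (step 3) and encryption (step 2) are designed together.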

Conclusion

Encrypting sensitive data at rest, as outlined in CIS Safeguard 3.11, is a fundamental practice for securing critical information against unauthorized access. The real-world example of the Uber breach underscores the severe consequences of failing to implement robust encryption measures. By identifying sensitive data, using strong encryption algorithms, implementing effective key management, encrypting data at multiple levels, keeping systems updated, and regularly auditing encryption practices, organizations can significantly enhance their data security and protect against potential breaches.

Following these best practices not only helps in safeguarding sensitive data but also ensures compliance with regulatory standards and builds trust with clients and stakeholders. Implementing CIS Safeguard 3.11 is a proactive step towards a more secure and resilient organizational data environment.

Resources

Here’s a link to the Data Management Policy Template for CIS Control 3 provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS Safeguard 3.11 - Encrypt Sensitive Data at Rest

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.