In part two of our blog series, The states of data, we’ll be discussing the various threats to sensitive data at rest in the form of a case study on Morgan Stanley’s data breach. Before we delve into that, let’s look at what data at rest is and see a few examples of data at rest in an organizational context.
What is data at rest?
Your organization’s data at rest could vary vastly based on the industry, scale, region, and various other factors. Here are some common examples of data most organizations keep at rest:
- Employee records that comprise names, addresses, performance reviews, or salaries
- Financial data, such as annual earnings or profit and loss statements
- Customer details, such as names, email addresses, purchase history, or support requests
- Product-related details, such as specifications, roadmaps, marketing collateral, or intellectual property
Data at rest is any data that is stored persistently (on disks, in databases, file shares, backups, or cloud storage) rather than being processed or transmitted, regardless of its sensitivity or relevance. Because it comprises very different types of data, managing all of it with one uniform strategy is inefficient, so it is important to understand how to deal with each type of data at rest.
How do you deal with data at rest?
A useful analogy for how you could deal with different types of data is a wardrobe. Imagine your wardrobe is filled with clothes of varying styles, some frequently worn favorites and others collecting dust. A cursory examination tells you clearly which ones are used the most and which have become dated or are no longer needed. Similarly, data at rest can be classified based on its business relevance:
- Low-relevance data: This could be outdated information no longer contributing to your business, similar to that outgrown cardigan. Archiving or securely deleting such data can be a cost-effective solution. Check out our blog on redundant, obsolete, or trivial (ROT) data to understand how you could bring down costs by getting rid of it.
- High-relevance data: This data is crucial for your business operations and might be highly sensitive, like your cherished three-piece suit. Implementing appropriate security measures could help you protect this data.
The rest of this blog explores the different attacks that could impact data at rest and how you can secure it.
The Morgan Stanley data breach: A reason to protect your data at rest
Data is at risk throughout its life cycle and in all states. While organizations are adopting various applications to store and collect data, there is a disconnect between the volume of data they can collect and store and the volume they can effectively manage. This can mean organizations losing track of the data they possess and failing to apply appropriate security controls to sensitive data. One such incident, where data at rest was leaked through oversight, is the Morgan Stanley data leak.
Morgan Stanley Smith Barney (MSSB), the wealth management business of the banking conglomerate Morgan Stanley, found itself the victim of an inadvertent data leak during data center and server decommissioning projects. MSSB hired a moving and storage company with no prior experience in data destruction; that company sold thousands of servers and hard drives, still holding the personally identifiable information of roughly 15 million MSSB customers, to a third party, and devices subsequently ended up on an internet auction site. The incident cost the company millions of dollars in penalties and sowed customer distrust, as customers could no longer bank on the banking giant to keep their personal data safe.
Incidents like these remind us of the need to protect data at rest and of how failing to do so can hurt your organization. Two controls in particular would have limited the damage: encrypting storage media at rest, so that a drive which leaves your custody carries only ciphertext, and verified media sanitization (or destruction of the encryption keys) before any hardware is sold, returned, or recycled, as recommended in NIST SP 800-88.
How can sensitive data at rest be secured?
The Morgan Stanley incident serves as a prime example of why you should protect data at rest. While incidents like these are unwelcome for any organization, they leave us with plenty of lessons and reiterate the need for effective solutions. Two measures every organization should put in place to secure sensitive data at rest and get rid of ROT data:
- Data risk assessment: An effective data risk assessment tool binds together the fundamental components of data security by discovering data across all your data stores and classifying it by sensitivity. One widely used scheme uses the levels public, internal, confidential, and restricted. Such a solution keeps you informed about what data you possess, where it is stored, and how sensitive it is. Knowing this is the first step toward avoiding incidents like Morgan Stanley's: you cannot wipe, encrypt, or lock down a drive whose contents you do not know.
- File analysis: Once you know what data you store and where, you need to find out whether it is still relevant to your business. This is where the storage analysis component of a file analysis solution comes in: it helps you identify and get rid of stale, duplicate, or long-unmodified files and other files that add no value to your business. For the data that does add value, you need to know who has access to it, and the security analysis component of a file analysis solution helps here. It identifies the users with access to data and helps you validate that permissions have been assigned appropriately, so that authorized users have the permissions they need and nobody else has undue access.
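As an added example (not code from the original post, nor from any product it describes), the following Python script shows both measures above working together on a constructed sample tree: it classifies each file by the most sensitive pattern found in it, then flags stale files, byte-identical duplicates, and sensitive files whose permission bits make them readable by everyone. The four-level scheme, the two illustrative PII patterns (a US SSN format and an e-mail address), the 365-day staleness cutoff, and the file names and contents are all assumptions.

```python
"""Added example (not code from the original post or any product it
describes): discover and classify files at rest, then flag stale files,
duplicates and sensitive files that are readable by everyone.
Assumptions: a four-level scheme (public < internal < confidential <
restricted), two illustrative PII patterns, a 365-day staleness cutoff and
a constructed sample tree built in a temporary directory."""
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

LEVELS = ["public", "internal", "confidential", "restricted"]   # least to most sensitive
PATTERNS = {
    "restricted": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # US SSN (assumed format)
    "confidential": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),   # e-mail address
}


def classify(text: str) -> str:
    """Return the most sensitive level whose pattern matches.

    Nothing is auto-classified 'public': unmarked data defaults to 'internal',
    so a miss in the patterns errs toward more protection, not less."""
    level = "internal"
    for name, pattern in PATTERNS.items():
        if pattern.search(text) and LEVELS.index(name) > LEVELS.index(level):
            level = name
    return level


def analyze_tree(root: Path, stale_days: int = 365) -> dict:
    """Walk root and build the report a file-analysis pass would produce."""
    now = time.time()
    report = {"levels": {}, "stale": [], "duplicates": [], "world_readable": [], "exposed": []}
    by_hash = defaultdict(list)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        level = classify(data.decode("utf-8", errors="replace"))
        report["levels"][rel] = level
        st = path.stat()
        if now - st.st_mtime > stale_days * 86400:          # unmodified for too long
            report["stale"].append(rel)
        if st.st_mode & 0o004:                               # 'other' read bit set
            report["world_readable"].append(rel)
            if LEVELS.index(level) >= LEVELS.index("confidential"):
                report["exposed"].append(rel)                # sensitive AND open: fix first
        by_hash[hashlib.sha256(data).hexdigest()].append(rel)   # byte-identical copies
    report["duplicates"] = [sorted(g) for g in by_hash.values() if len(g) > 1]
    return report


def build_sample_tree() -> Path:
    """Constructed sample data (no real records) in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="data-at-rest-"))
    files = {
        "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\n",
        "sales/leads.txt": "contact: buyer@example.com\n",
        "archive/old_policy.txt": "Travel policy, 2014 edition\n",
        "archive/old_policy_copy.txt": "Travel policy, 2014 edition\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.chmod(p, 0o600)                                   # owner-only by default
    os.chmod(root / "hr/payroll.csv", 0o644)                 # the misconfiguration to catch
    old = time.time() - 3 * 365 * 86400                      # three years untouched
    for rel in ("archive/old_policy.txt", "archive/old_policy_copy.txt"):
        os.utime(root / rel, (old, old))
    return root


def run() -> dict:
    """Build the sample tree, analyze it, and return the report."""
    return analyze_tree(build_sample_tree())


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

The "exposed" list is the intersection of the two measures: files that classification rates confidential or higher and that permission analysis shows are open to every local account. In a real deployment the patterns would come from the classification policy, the walk would cover file shares and object stores rather than one directory, and access analysis would read ACLs or bucket policies rather than POSIX mode bits, but the triage order stays the same: exposed sensitive data first, then stale and duplicate data for cleanup.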
Here’s what’s brewing on our states of data blog series:
Implementing the solutions above is a sound start toward a data security strategy, but it only addresses threats to data at rest; these solutions do not fully secure data in use or data in motion.
Data in these states faces various threats from malicious attackers and seemingly innocuous insiders. Therefore, to achieve data security, it’s imperative to have a holistic solution that doesn’t focus on just one state of data but rather takes a systematic approach towards securing data in all its states. The next blogs in this series, The states of data, Part 3: Data in use and why you need to keep an eye on file activities and The states of data, Part 4: Securing data in motion through treacherous transits, will discuss in detail the threats to data in use and data in motion and how you can protect them. Make sure to check them out!