
SANS ISC InfoSec Forums: Encryption Question


Encryption Question
Hello everyone,

I am having difficulty with encrypting data at rest, and was hoping someone could shed some light on how this can be done. We have McAfee File and Removable Media Protection on all of our workstations. I can encrypt an entire share with this, and have. All of the workstations can read the data on the encrypted share. The problem is that we have SQL servers running jobs against the data from this share constantly, and the SQL servers cannot run their queries against the encrypted data. Turns out Symantec and Sophos have similar products, however, they have the same basic limitations, being that they are for end users.

The share contains PII data and needs to be encrypted. Can anyone shed some light as to how this can be done where both the end users and the Servers can read the data? Reading the data is required for all to do their jobs BTW.

Thanks
gmagerr

2 Posts
Have you looked at bit-locker drive encryption?

What OS are you using?
PW

63 Posts
Thanks for the reply. We are all using Windows 7 Pro; however, the issue isn't on the workstations. The issue is that once the share on the server is encrypted (Windows 2008 R2), only the workstations can read the data. This is because they all have McAfee File and Removable Media installed, and there is no install for a server. The SQL server (Windows 2012 R2) runs jobs each night to pull data from that share (the encrypted one); however, the SQL server cannot read the encrypted data, and we cannot install McAfee File and Removable Media on the server. I was hoping someone has faced this kind of issue before and could recommend how to encrypt data at rest so the SQL server can still run its jobs against the encrypted drive.

Thanks
gmagerr

2 Posts
I don't know what kind of server you are running, but if the data is sensitive enough with PII to need encryption on the share, then you want to keep it encrypted when it travels over the wire to the server.

Could you set up a VM on the server with the PC-style software and have the VM write to a socket that the rest of the non-VM part of the server could read? Just a thought...
Moriah

133 Posts
When it comes to encrypting data, you need to be clear on what your goals are. Encrypting the data on the share, but having any workstation able to read it at will, isn't really getting you a lot if one of those workstations gets compromised--an attacker would be able to copy the data off the share and exfiltrate it. All this gets you is some protection if the server the share is on is somehow stolen, and that assumes that the password would be entered every time it's booted (so that the server itself cannot read the data without someone supplying it a password).

You can buy hard drives (or SSDs) and NAS products that will encrypt data at rest. They may require a password to be supplied at boot time (by special software or a human), to "unlock" the data, but once it is accessible over the network to clients, the clients are still your biggest risk.

What you really want is for the data in the database to be encrypted at rest by the SQL server itself, and a guardian-type application connecting to the SQL server that ensures users are authenticated to the SQL servers to make any use of the data. This would be done in a client/server arrangement with the data transmissions between the client and server over something secure like HTTPS or an equivalent. This is not something trivial for someone in IT to set up... this needs a software developer or team (or purchase of a well-designed 3rd-party product).

If the data is REALLY sensitive, then the SQL server will use a 3rd-party device to help secure it... a hardware security module (HSM) or equivalent... something that can use passwords that the software itself doesn't even know. An HSM cannot really be attacked over the network, and if it is physically captured by an attacker, then it should be virtually impenetrable to anyone but a nation state. (It has physical tamper resistance, and will wipe the data before giving it up.)

Of course, you still need backups, and they will need to be secured as well. And you will want to do test restores fairly regularly to make sure your backups are valid and you can actually rely on them when it counts.
Anonymous
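The post above argues that the database server, not the file share, should be the thing that encrypts PII at rest. The script below is an added example (not from the original thread or from any of the posters) of how that looks with SQL Server Transparent Data Encryption (TDE), driven from PowerShell with `Invoke-Sqlcmd` from the SqlServer module. The instance name `SQL01`, the database name `PiiDb`, the certificate name `TdeCert`, the backup paths and the placeholder passwords are all assumptions; TDE also requires an edition that supports it (Enterprise through SQL Server 2017, Standard from 2019 onward). The certificate backup step is the part people forget: without it, the encrypted database and every backup of it are unrecoverable if the server is lost, which is the same "secure your backups" point the post makes.

```powershell
# Added example: enable SQL Server TDE for one database and verify it.
# Assumptions (hypothetical): instance SQL01, database PiiDb, certificate TdeCert,
# backup folder D:\TdeKeyBackup. Replace the placeholder passwords before use
# (in practice, read them from a vault rather than hard-coding them).
$Instance    = 'SQL01'
$Database    = 'PiiDb'
$CertName    = 'TdeCert'
$BackupDir   = 'D:\TdeKeyBackup'
$DmkPassword = '<placeholder-master-key-password>'
$PkPassword  = '<placeholder-private-key-export-password>'

# 1. Database master key and server certificate live in master; the certificate
#    protects the per-database encryption key (DEK). Idempotent: skips existing objects.
$setupMaster = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$DmkPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE $CertName WITH SUBJECT = 'TDE certificate for $Database';
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $setupMaster

# 2. Create the DEK in the target database and switch encryption on.
#    The encryption scan runs in the background; existing pages are rewritten encrypted.
$enableTde = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE $CertName;
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $enableTde

# 3. Back up the certificate and its private key. Store these off-server and
#    under tight access control: whoever holds them can decrypt every backup.
$backupCert = @"
USE master;
BACKUP CERTIFICATE $CertName
    TO FILE = '$BackupDir\$CertName.cer'
    WITH PRIVATE KEY (
        FILE = '$BackupDir\$CertName.pvk',
        ENCRYPTION BY PASSWORD = '$PkPassword');
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $backupCert

# 4. Verify. encryption_state 3 = encrypted, 2 = encryption in progress.
$status = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@
$status | Format-Table -AutoSize
```

Two caveats worth stating in the change record when this goes in: TDE encrypts data files, log files and backups on disk, but anyone with a valid login and SELECT permission still reads plaintext, so it addresses the stolen-disk and stolen-backup case, not a compromised client; and if the post's HSM suggestion is followed, the server certificate above is replaced by an asymmetric key created through SQL Server's Extensible Key Management provider for that HSM, so the key never leaves the device.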

As previously stated, your risks should be well defined so you know what your solution must do and what access you are able to give to the data.

Sounds to me like the solution was chosen before the needs were defined, as it probably answered the most pressing requirement at the time.

One solution I have seen, to protect data at rest, which implies your users are OK to access it, is to encrypt the volume with, say, BitLocker, and have password entry, like at boot time or server start-up (on the volume or external).

If you really want this secure, then you would have to enter the password prior to data being accessible. And for accountability reasons, that password would be highly restricted. And this would have operational impact for reboots, yeah some solutions are not pretty.

There are other options like TPM, where the encryption key would be safely stored and risk mitigated should the drive be removed. Again, what are your risks?
Mr.Prontissimo

14 Posts
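The two posts above converge on the approach that actually fits the original question: encrypt the file server's data volume with BitLocker so that the server itself, and therefore the SQL jobs and the SMB clients, read plaintext through normal file access while the disk at rest is ciphertext. The script below is an added example (not from the thread or from any poster) using the BitLocker PowerShell module, which ships with Windows Server 2012 and later; the original file server is 2008 R2, where the module does not exist and the equivalent steps are `manage-bde -on D: -RecoveryPassword` and `manage-bde -autounlock -enable D:`. The drive letter `D:` and the assumption that the volume is a data (non-OS) volume are hypothetical. The script shows both unlock options the posts discuss: a password protector that must be entered after every reboot (accountable, operationally painful) and TPM-backed auto-unlock, which only works when the OS volume is itself BitLocker-protected by the TPM.

```powershell
# Added example: BitLocker on a file server data volume so the server (and its
# SMB clients and SQL jobs) read transparently while the disk is encrypted at rest.
# Assumption (hypothetical): D: is the data volume holding the PII share.
$Volume = 'D:'
$UseTpmAutoUnlock = $true   # $false = require a password after every reboot

# Aes256 is accepted on Windows Server 2012 R2; XtsAes256 needs Server 2016 or later.
$Method = 'Aes256'

$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$Volume is already $($vol.VolumeStatus); skipping enable step."
} elseif ($UseTpmAutoUnlock) {
    # Auto-unlock stores the volume key on the (TPM-protected) OS volume.
    # Precondition: the OS volume must already be protected, or the call fails.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        throw "OS volume $($env:SystemDrive) must be BitLocker-protected (TPM) before auto-unlock can be used."
    }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; provision it first.' }

    # A recovery password is the break-glass protector; it is also what gets
    # escrowed to Active Directory below.
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod $Method -RecoveryPasswordProtector
    Enable-BitLockerAutoUnlock -MountPoint $Volume
} else {
    # Interactive unlock model: someone with the password runs
    #   Unlock-BitLocker -MountPoint D: -Password (Read-Host -AsSecureString)
    # after each reboot. The share is unavailable until then.
    $pw = Read-Host -Prompt "Volume password for $Volume" -AsSecureString
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod $Method -PasswordProtector -Password $pw
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password to AD DS (requires the AD schema/GPO for
# BitLocker recovery information; otherwise record the password out of band).
$vol = Get-BitLockerVolume -MountPoint $Volume
foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
    Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $kp.KeyProtectorId
}

# Report: VolumeStatus shows encryption progress, ProtectionStatus must be On.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType) -join ', ' }}
```

Note what this does and does not change, which is the point both posts make about defining the risk first: once the volume is unlocked, access to the PII is governed entirely by the share and NTFS ACLs and by which accounts the SQL Agent jobs run under, so those ACLs, not the encryption, are the control against a compromised workstation. With auto-unlock the server boots into a readable state unattended, which covers a stolen or decommissioned disk but not a stolen whole server; the password model covers the whole server at the cost of someone entering a tightly held password after every reboot.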
