Encrypted Data at Rest – A Necessity in a High Security Environment

Published by Brian Moffitt, Information Security Manager, Managed Hosting
June 23rd, 2017

In the financial industry, data security is paramount. Recent compliance guidelines have identified Encrypted Data at Rest (EDR) as an industry best practice for hosted applications.  The implementation of these solutions can be cost prohibitive, but First Rate has addressed the EDR challenge and can help you with all your hosting needs.  Contact us today to explore our hosting solutions. 

The encryption of data at rest is a cornerstone of a strong data security policy.  When other controls fail, it means that stolen disks, backups or raw storage cannot be read outside the system that holds the keys.  Its limit matters just as much: a running system decrypts data transparently for anyone operating with legitimate access, so encryption at rest does not by itself stop an attacker who has compromised the host or the application.  A key issue identified in the Sony hack of 2014 was that much of the data was not encrypted at rest, and the attackers were able to post what they took online for use by anyone. 

The options for providing encryption of data at rest are wide and varied in their implementation.  The most common methods are full-disk encryption, file system encryption, database encryption, and storage system encryption. 

  • Full-disk encryption places software on the server that encrypts and decrypts data as I/O requests reach the system.  The downside to this method is the overhead of encrypting or decrypting every block as it is needed, which can slow the system as the I/O load increases.  It is most commonly deployed on portable devices (e.g. laptops), where it protects the data on the device if it is lost or stolen. 
  • File system encryption encrypts only the data in a given file system, not the entire disk.  This method is slightly more efficient than full-disk encryption but requires the data owner to ensure that data needing protection is placed on an encrypted volume and not accidentally stored on an unencrypted one.   
  • Database encryption encrypts only the data held within a database (Oracle, SQL Server, etc.) and comes with a significant performance hit to database I/O.  Commonly cited estimates put the overhead of transparent database encryption at up to 20% of the database's I/O load. 
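The file system option above depends on an operational check that is easy to get wrong: is the path where an application writes actually on an encrypted volume?  The following script is an added example, not code from the original post or from First Rate, and it assumes a Linux host with util-linux's lsblk.  It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` produces and reports, for every mountpoint, whether a dm-crypt (e.g. LUKS) device appears in the chain of block devices beneath it; the embedded lsblk output is constructed for the example, not captured from a real system.  It detects only dm-crypt: fscrypt or eCryptfs, self-encrypting drives and array-side encryption (the storage-system option the post adopts) are invisible to the host and have to be verified on the array or the drive itself.

```python
"""Audit which Linux mounts sit on a dm-crypt volume.

Added example (not from the original post). Parses the JSON emitted by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; only dm-crypt devices (lsblk
TYPE "crypt") are recognised as encrypted.
"""
import json
import subprocess

# Constructed sample of lsblk JSON output (not captured from a real host):
# "/" is a plain ext4 partition, "/data" sits on a LUKS-backed dm-crypt
# device, and "/backup" is an unencrypted NVMe partition.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "data_crypt", "type": "crypt", "fstype": "xfs", "mountpoint": "/data"}
        ]}
     ]},
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "ext4", "mountpoint": "/backup"}
     ]}
  ]
}
"""


def mount_encryption_map(lsblk_json):
    """Return {mountpoint: bool}; True when a TYPE "crypt" device lies in the
    device chain (disk -> partition -> dm-crypt -> ...) leading to the mount."""
    result = {}

    def walk(dev, under_crypt):
        # Once we pass through a dm-crypt device, everything below it is
        # stored encrypted on the underlying media.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_mounts(lsblk_json):
    """Sorted list of mountpoints that are NOT backed by dm-crypt."""
    return sorted(mp for mp, enc in mount_encryption_map(lsblk_json).items() if not enc)


def volume_is_encrypted(path, mounts):
    """Resolve an absolute path to its longest matching mountpoint and return
    that mount's encryption status. Raises if the path is under no mount."""
    candidates = [mp for mp in mounts
                  if path == mp or path.startswith(mp.rstrip("/") + "/")]
    if not candidates:
        raise ValueError(f"{path!r} is not under any known mountpoint")
    return mounts[max(candidates, key=len)]


def live_lsblk_json():
    """Read the real block-device tree (Linux only, needs util-linux lsblk)."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)


if __name__ == "__main__":
    # Run on a live host to list every mount and its status.
    for mp, enc in sorted(mount_encryption_map(live_lsblk_json()).items()):
        print(f"{mp:24s} {'encrypted (dm-crypt)' if enc else 'UNENCRYPTED'}")
```

Run it as `python3 audit_mounts.py` on each hosting server, or call `volume_is_encrypted()` from a deployment check before an application is pointed at a data directory; the "longest matching mountpoint" rule is what keeps `/database` from being mistaken for a path under `/data`.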

First Rate, in our ongoing commitment to providing our clients with a high security environment, has opted to provide our clients encryption of data at rest via the fourth option, storage system encryption. By partnering with our storage vendor Pure Storage, First Rate can provide real-time encryption of all client data at rest.  Through the Pure Storage operating system, Purity, every data block on the array is encrypted with AES-256.  This moves the encryption overhead, i.e. the I/O performance hit, from the local system to the storage array, which was built to absorb it through the I/O performance of its all-SSD design, while giving our clients improved system performance from an all-SSD storage array.  Note what this protects against: array-level encryption defeats anyone who removes drives from the array or recovers them after disposal.  The array decrypts blocks as hosts read them, so a host or user with access to a volume sees plaintext, and data in transit and data in use must be protected by separate controls.

For more information on encrypted data at rest or our hosting solutions please contact Brian Moffitt: bmoffitt@firstrate.com

About the Author: Brian Moffitt MCSE, Information Security Manager for First Rate, has been with First Rate since 2007. Moffitt is responsible for the security of client data throughout the organization. Moffitt previously served as Senior Virtual Systems Administrator within First Rate’s Managed Hosting group and was instrumental in the decision to deploy Pure Storage. You can contact Brian via LinkedIn.
