Macs in the Enterprise: How to Secure Data at Rest
Data at rest refers to all data stored on devices that are not transferred from network to network or device to device. It includes data saved locally on computer hard drives, archived in databases, file systems, and storage infrastructure. Since it does not travel over the internet, data at rest is considered less vulnerable than data in motion as it remains within the confines of a company’s network and its security framework. However, data at rest is often more attractive to malicious outsiders as it guarantees a bigger catch than data packets in transit.
Data at rest is most at risk from insiders that may intentionally or accidentally leak it. According to this year’s Cost of a Data Breach Report released by IBM and the Ponemon Institute, 52% of all data breaches this year were caused by malicious attacks, with human error accounting for another 23%. When it comes to malicious data breaches, compromised credentials were the number one cause, being responsible for 19%, with a further 7% caused by malicious insiders, 10% by physical security compromise, and 17% by phishing and social engineering. All these attack vectors often target data at rest, helping outsiders to gain access to a company device or network and the data stored on it.
Even though data at rest is not transferred over the internet, that does not mean it cannot be on the move. As the world shifted towards remote work in the wake of the COVID-19 pandemic, more and more work computers ventured outside office spaces into the limited security capabilities of home environments, putting the data stored on them in a precarious position.
Macs and Data at Rest
Macs saw a sharp increase in adoption rates in the enterprise as companies began implementing policies that allowed employees to choose their own devices in the workplace. Apple itself has encouraged the trend by improving macOS security features to serve enterprise needs. These included a move to the 64-bit Apple File System (APFS) and system extensions as well as the addition of tools such as FileVault as default apps.
As previously mentioned, because a lot of the attack vectors that target data at rest rely on the human factor, Macs are just as vulnerable to them as computers running on other operating systems. This is because these types of data breaches rely on individuals gaining access – whether lawfully or unlawfully – to a system. For example, anyone who has employee login credentials can bypass security protocols and steal data at rest.
However, it is not only data breaches that companies need to worry about when it comes to data at rest. Under the new wave of data protection legislation spearheaded by the EU’s General Data Protection Regulation, which includes laws such as the CCPA in the US and the LGPD in Brazil, companies can only keep personal data for as long as it is necessary for the purpose it was originally collected or processed. These laws also grant data subjects the right to erasure, meaning that, under certain circumstances, they can request their data to be deleted from company records.
This is where organizations face the possibility of noncompliance with data protection legislation requirements because of data at rest. They can erase data that is no longer needed, or whose deletion an individual has requested, from their databases, but copies of records may unknowingly still exist on the computers of employees who have worked with that data and have relegated it to archived folders. Should an audit find such data still stored on company computers, organizations can face steep fines.
Protecting Data at Rest Begins with Transparency
Data at rest is particularly dangerous because companies may sometimes not be aware of its existence. Employees work with large amounts of data on a daily basis and often choose to store documents locally, archiving them when a task is complete rather than deleting them. This can lead to a build-up of sensitive data repositories that elude security and compliance policies.
To protect data at rest on Macs, companies must first know where it is located. This can be done through Data Loss Prevention (DLP) solutions that include data discovery tools. Using powerful content and context scanners, DLP tools can search entire company networks for sensitive data at rest, flag it when it is found, and give admins the possibility to dispose of the data by either deleting or encrypting it. By performing regular scans, organizations can ensure that no sensitive data is stored locally for longer than necessary.
Data discovery and remediation actions can also support companies in fulfilling any request for erasure from data subjects. By identifying problematic data storage practices among employees, organizations can make informed decisions when it comes to training and security policies.
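The discovery-and-remediation loop described above, as an added example that is not the product's own code: a minimal data-at-rest scan that walks a directory tree, flags files matching sensitive-content patterns, and can delete the hits (for instance after an erasure request). The two patterns (a "CONFIDENTIAL" marker and a 16-digit card-like number), the sample files and the directory layout are constructed for this demo; a real DLP scanner would use far richer content and context rules.

```shell
#!/bin/sh
# Added example, not the vendor's product: a minimal data-at-rest discovery
# scan of the kind the text describes. It searches a directory tree for two
# hypothetical indicators of sensitive content, lists the hits, and can
# optionally remove them. The patterns, the sample files and the directory
# layout are constructed for this demo.

# Regex for the hypothetical indicators: a "CONFIDENTIAL" marker, or a
# 16-digit card-like number written in four groups (spaces or dashes optional).
SENSITIVE_RE='CONFIDENTIAL|(^|[^0-9])[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}([^0-9]|$)'

# scan_sensitive DIR: print the path of every text file under DIR that matches
# SENSITIVE_RE, one per line. Binary files are skipped (-I); "no match" is not
# treated as an error for the caller.
scan_sensitive() {
    grep -rlIE "$SENSITIVE_RE" "$1" 2>/dev/null || :
}

# count_sensitive DIR: number of flagged files, as a plain integer.
count_sensitive() {
    scan_sensitive "$1" | wc -l | tr -d ' '
}

# remediate DIR MODE: MODE is "report" (default, just list) or "delete"
# (remove flagged files, e.g. after an erasure request). Each action is
# written to stderr so an admin can audit what was touched.
remediate() {
    dir="$1"; mode="${2:-report}"
    scan_sensitive "$dir" | while IFS= read -r f; do
        case "$mode" in
            delete) rm -f -- "$f"; printf 'deleted: %s\n' "$f" >&2 ;;
            *)      printf 'flagged: %s\n' "$f" >&2 ;;
        esac
    done
}

# make_sample DIR: populate DIR with constructed files, two of which should be
# flagged (a marked document and an archived export with a card-like number).
make_sample() {
    mkdir -p "$1/archive"
    printf 'Quarterly plan - CONFIDENTIAL - do not distribute\n' > "$1/plan.txt"
    printf 'order_id,card\n1001,4111 1111 1111 1111\n' > "$1/archive/old_orders.csv"
    printf 'Nothing sensitive in this note.\n' > "$1/readme.md"
}

# Stand-alone demo: build the sample tree, report, then clean up.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
printf 'flagged files: %s\n' "$(count_sensitive "$demo_dir")"
remediate "$demo_dir" report
rm -rf "$demo_dir"
```

Run it in "report" mode on a schedule (a launchd job or an MDM script) and it gives you the inventory the text calls for; switch to "delete" only for a specific, approved erasure, and keep the stderr log as the audit trail that the copies were removed.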
Encryption Is Key
When it comes to data at rest, the best way to protect it from outsider interference is encryption. Companies can easily enable Macs’ native encryption capabilities through FileVault to encrypt work computer hard drives at no additional cost. In this way, should a Mac be lost or stolen (the physical security compromise behind 10% of malicious attacks), no one would be able to access the data on it. Hard drive encryption also defeats the trick of booting a Mac from a USB drive to read its disk, which is how outsiders bypass the need for login credentials.
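A FileVault compliance check of the kind an MDM script or audit job would run, as an added example that is neither Apple's nor the vendor's code. It parses the output of `fdesetup status` ("FileVault is On." or "FileVault is Off."); the wording of the "Encryption in progress" line that appears while a disk is still being encrypted is assumed here. On a host without `fdesetup` it falls back to a constructed sample so the script still runs.

```shell
#!/bin/sh
# Added example, not Apple's or the vendor's code: a FileVault compliance
# check. It reads the text printed by `fdesetup status` and turns it into a
# verdict. The "Encryption in progress" wording is assumed; the fallback
# sample used on non-macOS hosts is constructed.

# fv_state: read `fdesetup status` text on stdin, print on|off|unknown.
fv_state() {
    status_text=$(cat)
    case "$status_text" in
        *"FileVault is On"*)  printf 'on\n' ;;
        *"FileVault is Off"*) printf 'off\n' ;;
        *)                    printf 'unknown\n' ;;
    esac
}

# fv_encrypting: read the same text on stdin; succeed (0) when encryption is
# still in progress, i.e. not every block of the disk is protected yet.
fv_encrypting() {
    grep -q 'Encryption in progress'
}

# fv_verdict: read status text on stdin and print one of
# compliant | encrypting | noncompliant | unknown
fv_verdict() {
    status_text=$(cat)
    state=$(printf '%s\n' "$status_text" | fv_state)
    case "$state" in
        on)  if printf '%s\n' "$status_text" | fv_encrypting; then
                 printf 'encrypting\n'
             else
                 printf 'compliant\n'
             fi ;;
        off) printf 'noncompliant\n' ;;
        *)   printf 'unknown\n' ;;
    esac
}

# check_filevault: run the real tool when present, else use the constructed
# sample, and print the verdict.
check_filevault() {
    if command -v fdesetup >/dev/null 2>&1; then
        fdesetup status
    else
        printf 'FileVault is Off.\n'   # constructed sample for non-macOS hosts
    fi | fv_verdict
}

verdict=$(check_filevault)
printf 'FileVault check: %s\n' "$verdict"
```

A compliance agent would report anything other than "compliant" back to the MDM and treat "encrypting" as a temporary state to re-check later. Turning FileVault on is a separate, deliberate step (`sudo fdesetup enable`, or deferred enablement pushed by MDM, with the recovery key escrowed) that this script intentionally does not attempt.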
Ensuring Data Remains at Rest
Should a malicious outsider or insider gain access to a company Mac, it is important that they are prevented from taking data at rest. This can be done through DLP policies that can block the transfer of sensitive data outside authorized channels or onto external devices that are not marked as trusted.
Device control policies allow companies to choose what kind of devices can connect to a Mac, whether it is only company-issued trusted devices or none at all. Every attempt to transfer a file containing sensitive information, whether over the internet or onto a removable device, is also logged and reported, allowing organizations to immediately pinpoint where a security breach might be taking place.
Data at rest is less vulnerable than data in motion but provides higher rewards if stolen, which is why it is consistently targeted by malicious outsiders. It is also problematic from a data protection legislation compliance point of view. Macs do not provide any guarantees for the protection of data at rest, which is why companies must look to specialized tools to protect it.