When most people in the USA hear terms like “Secret” or “Top Secret” applied to classified documents, they may assume that such classifications fall under the auspices of the National Security Agency (NSA), since the NSA plays a prominent role in the nation’s cybersecurity. That is not actually the case. So who does define these classification levels, and what does any of this have to do with the concept of data at rest (DAR)?
Let’s start with the fact that different countries have different mechanisms for protecting official information and state secrets that are related to national security. Part of this involves classifying information based on how much its disclosure would negatively impact national security.
In the UK, for example, there are three levels of security classification: Official, Secret, and Top Secret. Prior to 2014 there were six markings (Unclassified, Protect, Restricted, Confidential, Secret, and Top Secret), but the scheme was judged to be more complicated than the protection it bought, and was simplified. Similarly, in the USA, information may currently be classified at one of three levels: Confidential, Secret, and Top Secret.
Furthermore, the UK’s Official Secrets Act (OSA) prohibits the disclosure of official documents and sensitive information, and people working with such information are commonly required to sign a statement to the effect that they agree to abide by the restrictions of the OSA. The important point here is that the OSA is a law and individuals are bound by it even if they’ve not signed it.
In the USA, by comparison, since all federal departments are part of the Executive Branch, the classification system is governed by Executive Order rather than by statute; the order currently in force is Executive Order 13526 (2009). Each president may issue a new executive order that tightens, loosens, or redefines the classifications. Also, the USA does not have a British-style OSA. Instead, several separate laws protect classified information, including the Espionage Act of 1917, the Atomic Energy Act of 1954, and the Intelligence Identities Protection Act of 1982.
In addition to being assigned one of the three levels, information may only be classified by the US government if it falls into one of the following categories (any level, not just Confidential, must meet this test):
- Military plans, weapons systems, or operations.
- Foreign government information.
- Intelligence activities, sources, or methods, or cryptology.
- Foreign relations or foreign activities of the United States, including confidential sources.
- Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism.
- United States Government programs for safeguarding nuclear materials or facilities.
- Vulnerabilities or capabilities of systems, installations, infrastructures, projects or plans, or protection services relating to the national security, which includes defense against transnational terrorism.
- The development, production, or use of weapons of mass destruction.
One thing that is common to all three levels of classified information (Confidential, Secret, and Top Secret) is that it needs to be protected. Information stored or manipulated on an electronic system exists, at different times, in one of three distinct states: data in transit (moving over a network or bus), data in use (held in memory and being processed), and data at rest, which refers to data persisted on a storage medium such as a disk, SSD, tape, or backup while it is not being transferred or processed.
Many recent security breaches and data loss incidents have been traced to insider threats in the form of unauthorized access to sensitive information, or to computers and their drives being mislaid or stolen. In both cases the attacker ends up holding the storage medium, so DAR protection has to ensure that the medium on its own yields nothing useful: the data must be encrypted, the keys must be held somewhere other than the medium, and any tampering with the stored data must be detectable. Today, protecting DAR is understood to be a critical piece of a zero-trust solution, but fully protecting DAR is a non-trivial matter.
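As an added illustration (this is example code written for this page, not the authors’ product or any government specification), the following Go program shows the minimum a DAR scheme has to get right for a single stored object: the content is encrypted with AES-256-GCM, the classification marking is stored in the clear so it can be read without the key but is bound to the ciphertext as associated data, and the key is supplied from outside the record. The key, label, and sample content are constructed for the demonstration; in a real deployment the key would come from a TPM, HSM, KMS, or a passphrase-derived key, never from the same drive as the record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Record is a constructed on-disk layout for one protected object. The
// classification label is stored in the clear so it can be read without the
// key, but it is bound to the ciphertext as GCM associated data, so changing
// it on disk (e.g. downgrading SECRET to UNCLASSIFIED) breaks authentication.
type Record struct {
	Label string // classification marking, authenticated but not encrypted
	Nonce []byte // 96-bit random nonce, unique per Seal call
	Data  []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// Seal encrypts plaintext under a 32-byte key and binds label as AAD.
// The key must live somewhere other than the medium holding the Record;
// otherwise a stolen drive carries everything needed to decrypt it.
func Seal(key []byte, label string, plaintext []byte) (*Record, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("seal: key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Random 96-bit nonces are safe for the modest number of records a
	// single key should protect; rotate keys before that count grows large.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &Record{Label: label, Nonce: nonce, Data: ct}, nil
}

// Open verifies the tag over ciphertext and label, then decrypts. Any
// modification of Label, Nonce or Data, or use of the wrong key, yields an
// error and no plaintext.
func Open(key []byte, r *Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Data, []byte(r.Label))
}

func main() {
	// Constructed sample key and content, for demonstration only.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := Seal(key, "SECRET", []byte("constructed sample: operations plan"))
	if err != nil {
		panic(err)
	}

	// What someone holding only the drive (no key) can see.
	fmt.Printf("on disk: label=%s nonce=%x data=%x\n", rec.Label, rec.Nonce, rec.Data)

	// Downgrading the marking on disk is detected, not silently honoured.
	rec.Label = "UNCLASSIFIED"
	_, err = Open(key, rec)
	fmt.Println("after relabel, open error:", err)
	rec.Label = "SECRET"

	// Flipping one ciphertext bit is detected as well.
	rec.Data[0] ^= 0x01
	_, err = Open(key, rec)
	fmt.Println("after bit flip, open error:", err)
	rec.Data[0] ^= 0x01

	pt, err := Open(key, rec)
	fmt.Printf("with the key and intact record: %q err=%v\n", pt, err)
}
```

The design choice worth noting is the associated data: full-disk encryption products protect confidentiality of the whole volume, but a per-object scheme like this one also lets the marking travel with the object and be verified when it is opened, which is what prevents a stored SECRET record from being quietly relabelled and handled as something less sensitive.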
How confident are you currently regarding your own DAR solution? Fortunately, we are experts in storing and securing data and we are here to help. If you have any questions, please feel free to reach out and Contact Us.
Whitepaper: Is Your Data at Rest (DAR) Truly Secure?
Article on EEJournal.com: Secure Your Data at Rest, Stupid!