Rule ID
SV-284901r1227145_rule
Version
V1R1
CCIs
Data at rest is inactive data stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.
Review the Cisco SNA appliance configuration to verify information at rest (i.e., backup configuration file) are encrypted. Navigate to SNA Dashboard >> Configure >> Central Management >> (Appliance) Actions >> Edit Appliance Configuration >> General tab >> Backup Configuration Encryption. Verify "Enable Encryption" is checked and "Password" has been set. Note: The encryption method is automatically set to AES256-GCM for this feature. If the information at rest (i.e., backup configuration file) is not encrypted using a DoW-accepted algorithm, this is a finding.
Configure the SNA appliance to encrypt information at rest by enabling the "Backup Configuration Encryption" feature. Navigate to SNA Dashboard >> Configure >> Central Management >> (Appliance) Actions >> Edit Appliance Configuration >> General tab >> Backup Configuration Encryption. Check "Enable Encryption" and enter a password in the "Password" boxes. Click "Apply Settings". Note: The encryption method is automatically set to AES256-GCM for this feature.