Data at Rest vs. Data in Transit
How do you keep sensitive data secure in a complex enterprise environment? Data is always traveling everywhere, sitting stationary in different places, and in use by several different entities.
To help deal with cybersecurity, enterprise management often uses the terms “data at rest” and “data in transit” when referring to data protection. The approach you need to take changes depending on the type of information you’re dealing with.
It is imperative for businesses of all industries to defend against digital compromise, which can result in loss of sensitive data and a negative reputation amongst your business partners and customers.
What Is Data at Rest?
Just like it sounds, “data at rest” refers to information stored on hard drives, flash drives, or archives. This inactive data does not move and stays where it is. While data at rest is more difficult to steal, it’s also usually more valuable to cybercriminals.
The Challenges of Protecting Data at Rest
Data might stay still, but it can sit in a variety of different locations, including workstations, mobile devices, servers, and even the cloud. Keeping track of where it’s all located and how to protect it everywhere can be costly.
You also have to ensure that the encryption keys you use are not kept in the same location as the data itself. These steps are necessary for ensuring compliance with data protection regulations such as the GDPR and HIPAA, which often deal with data at rest.
Methods of Protection For Resting Data
There are many best practices for ensuring the security of resting data, and encryption is a common theme among them. They include:
- File encryption before storage. In some cases, the enterprise may choose to encrypt the entire storage drive.
- Database encryption. A technology known as transparent data encryption (TDE) works well for database purposes, as it performs its operations and creates log files in real time.
- Mobile device management, or MDM, deals with sensitive data stored on mobile devices like laptops, phones, and tablets. It’s especially useful whenever your business loses a device.
- Digital rights management is a type of encryption that allows the receiver of the data certain permissions like reading or editing without fully decryping the data for full access.
- Data leak prevention, or DLP, can block access in case it detects a security policy violation to make sure no data becomes breached or destroyed. However, DLP only applies to data contained within the organization and does little for the data that is exported.
- Cloud Access Security Brokers, or CASB, is a set of security policies available in cloud systems like Office 365 and Salesforce. Think of it as DLP but applied to cloud applications.
Protecting data at rest is largely about analyzing the primary risks and selecting the tools and technologies that give you the right amount of protection you need.
What Is Data in Transit?
Data in transit moves through the network, whether it’s a private business network or the Internet. Every time you move information, such as uploading from local storage to a cloud environment, you need to protect that content as it moves.
The Challenges of Protecting Data in Transit
Enterprises today use a broad variety of communication channels, from email to web to even cloud applications like Salesforce and G-Suite. Handling security for all those transfers can be challenging. On top of that, you need a way to protect that data once it reaches the recipient.
Methods of Protection For Moving Data
Data in motion is less secure because it’s harder to track, but there are still solutions for working with moving information.
- Using encrypted connections like HTTPS, SSL, and TLS are common tools to use before sending out content.
- Email encryption is an end-to-end method for protecting message bodies and attachments from interception.
- Managed file transfer (MFT) works by uploading data to a platform and allowing the recipient to download it using an HTTPS link. The link itself could come with an expiration date or require password access.
- DLP and CASB, tools mentioned in the data at rest section, are also applicable to data in transit. Digital rights management technology can also apply here, restricting, for example, the ability to forward the contents of an email if desired.
There’s actually a third state data could be in when the enterprise is working with it: data in use.
The Third State: Data in Use
Data is considered “in use” when it’s currently opened by an application or a user is accessing it. Many of the solutions we’ve talked about only work before the end user receives the data and have little impact once the usage begins. Protecting data in use largely depends on methods like:
- Identity management to make sure the end user is the correct, authorized entity to receive the data.
- Role-Based Access Control for checking the end user’s locations, IP, and roles in the organization.
Once the data reaches the right entity, digital rights protection is often used to limit what the recipient can do with the data. It combines encryption with permissions management for this purpose.
Best Practices For Data Protection
Regardless of whether your data is at rest, in use, or in transit, here are some best practices to get you started.
- Have the right network security tools in place from the beginning, such as anti-malware, firewalls, and network access control.
- Classify the sensitive data you have so that security measures can be applied properly.
- If you use a cloud service provider or application, ensure that it has its own security features.
A common mistake among businesses is to be reactive to data integrity incidents rather than proactive to prevent them initially. Start by identifying the data at risk and begin protection work as soon as you can.