- Data has 3 states: we want to protect it as well as we can in each state.
  - Data at Rest (stored data):
    - This is data on disks, tapes, CDs/DVDs, USB sticks.
    - We use disk encryption (full/partial), USB encryption, tape encryption (avoid CDs/DVDs).
    - Encryption can be hardware or software encryption.
  - Data in Motion (data being transferred on a network):
    - We encrypt our network traffic end to end; this applies on both internal and external networks.
  - Data in Use (we are actively using the files/data; it can't be encrypted while in use):
    - Use good practices: clean desk policy, print policy, allow no 'shoulder surfing', maybe use view-angle privacy screens for monitors, lock the computer screen when leaving the workstation.
- The Three States of Digital Data
Understanding the different states digital data can be in can help you select the kinds of security measures and encryption that are appropriate for protecting it. There are three basic states of data: data at rest, data in motion, and data in use. Below you will find brief descriptions of the three states of data as well as the kinds of encryption and security needed to protect it.
Data at rest
Data at rest is a term that refers to data stored on a device or backup medium in any form. It can be data stored on hard drives, backup tapes, in offsite cloud backup, or even on mobile devices. What makes it data at rest is that it is inactive data that is not currently being transmitted across a network or actively being read or processed. Data at rest is typically in a stable state. It is not traveling within the system or network, and it is not being acted upon by any application or the CPU.
Data at rest is data that has reached a destination (even if only temporarily). At this destination, there can be additional layers of security added to it, such as encryption, multi-factor authentication, and both digital and physical access controls. Data at rest should almost always be encrypted.
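A concrete form of the "data at rest should almost always be encrypted" advice, as an added example that is not part of the original article: a stored record is sealed with AES-256-GCM, so both confidentiality and integrity are covered, and a record label is bound as associated data so a ciphertext moved to a different record will not decrypt there. The key handling is a placeholder (the key is generated in-process; a real deployment would obtain it from a key-management system or a hardware module), and the record contents and labels are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. Placeholder for illustration:
// in production the key comes from a key-management system or a hardware
// security module, never generated next to the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtRest encrypts one stored record with AES-256-GCM. Output layout is
// nonce || ciphertext || tag. The label (for example a record or file
// identifier) is bound as associated data, so the blob only opens under the
// label it was stored with.
func SealAtRest(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// OpenAtRest reverses SealAtRest. It fails on any modification of the blob,
// a mismatched label, or the wrong key, because GCM checks the tag first.
func OpenAtRest(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample: customer note #1") // constructed sample data
	blob, err := SealAtRest(key, record, []byte("record-1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as %d bytes on disk\n", len(record), len(blob))
	back, err := OpenAtRest(key, blob, []byte("record-1"))
	fmt.Printf("decrypt with correct label: %q err=%v\n", back, err)
	_, err = OpenAtRest(key, blob, []byte("record-2"))
	fmt.Println("decrypt with wrong label:", err)
}
```

The nonce is stored alongside the ciphertext because GCM needs it for decryption and it is not secret; what must never happen is reusing a nonce under the same key, which is why a fresh random one is drawn per record.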
Data in motion
The second phase of data is data in motion. Data in motion is data that is currently traveling across a network or sitting in a computer's RAM ready to be read, updated, or processed. Data crossing over networks from local to cloud storage or from a central mainframe to a remote terminal should be encrypted so that it cannot be read or manipulated by any machine or attacker between the data's source and destination. Data in motion includes data moving across cables and wireless transmissions. It can be emails or files transferred over FTP or SSH.
Cryptography was originally invented to protect data in motion, such as sensitive communications between a military general and his army. Software like ASPG's MegaCryption can protect enterprise data from prying eyes by encrypting it before it is transmitted beyond the system where it is stored or generated.
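The article does not name a transport library; as an added example (not from the article or from ASPG), the following uses Go's standard `crypto/tls` to show what "encrypt network traffic so it cannot be read or manipulated in between" means at the configuration level. It builds a hardened client configuration and, beside it, an audit function that flags the two settings most often found weakened in practice: disabled certificate verification (which lets any machine on the path impersonate the server) and a minimum protocol version below TLS 1.2. The server name used is a constructed placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// HardenedClientConfig returns a tls.Config for a client talking to
// serverName: certificate and hostname verification stay enabled, and the
// minimum version is pinned to TLS 1.2 so a downgrade to older versions is
// refused rather than silently accepted.
func HardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // stated explicitly: the peer certificate is verified
	}
}

// AuditTransportConfig reports settings that weaken data-in-motion
// protection. An empty result means the config passes both checks.
func AuditTransportConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings,
			"InsecureSkipVerify is true: the server certificate is not checked, so traffic can be intercepted by any host on the path")
	}
	if cfg.MinVersion == 0 {
		findings = append(findings,
			"MinVersion unset: relies on the library default instead of pinning TLS 1.2 or newer")
	} else if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings,
			fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	return findings
}

func main() {
	// Constructed "weak" config of the kind that appears in quick fixes for
	// certificate errors, beside the hardened one.
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	hardened := HardenedClientConfig("mainframe-gw.example.internal") // placeholder host
	for name, cfg := range map[string]*tls.Config{"weak": weak, "hardened": hardened} {
		fmt.Printf("%s config: %d finding(s)\n", name, len(AuditTransportConfig(cfg)))
		for _, f := range AuditTransportConfig(cfg) {
			fmt.Println("  -", f)
		}
	}
}
```

Running the audit over every `tls.Config` a code base constructs (for example from a unit test) catches the common case where verification was switched off to get past a certificate error during development and never switched back on.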
Data in use
Data in use is data that is not just being stored passively on a hard drive or external storage media. This is data that is being processed by one or more applications. This is data currently in the process of being generated, updated, appended, or erased. It also includes data being viewed by users accessing it through various endpoints. Data in use is susceptible to different kinds of threats depending on where it is in the system and who is able to use it. The most vulnerable point for data in use is at the endpoints where users are able to access and interact with it.
Protecting data in use is a challenging task since there is such variety in the ways the data can be accessed and manipulated. One set of data can potentially have multiple users working with it from multiple endpoints. The large number of in-house systems, devices, and employees accessing mainframe data from personal devices means this data should be protected through strong user authentication, identity management, and profile permissions. This will help ensure that only individuals with the proper permission and knowledge are able to access and manipulate data. Also, since technology makes it nearly impossible to prevent data leakage from endpoints, most employers also have their employees sign legal agreements that they will not share private data with anyone that does not have permission to view it.