Data Encryption Guide: Protecting Data in Motion, Data at Rest & Data in Use
Data is an organization’s lifeblood. This valuable information includes everything from customers’ sensitive personal details (such as addresses, birth dates and social security numbers) to account numbers, passwords and even browsing history. And just like any other hot commodity, data is an attractive target for theft. When data breaches do occur, the repercussions can be severe, so it’s imperative that businesses do everything they can to safeguard their data.
When it comes to data protection, encryption goes a long way toward keeping sensitive information confidential. However, the best course of action depends on whether the data is in motion, in use or at rest; in other words, on what state it’s in. Each state has its own set of vulnerabilities and, therefore, a unique array of best practices. Read on to find out what they are and what they mean for your organization.
Data Encryption: What It Is & Why It’s Important
Data encryption uses algorithms to convert sensitive information into an unreadable form (known as ciphertext) that can only be turned back into the original data with the correct encryption key, ensuring that only authorized users gain access. This means that in the event your systems are compromised, any encrypted data will remain unreadable to attackers, provided the key is stored separately and is not exposed along with it.
The protection that encryption offers is so powerful that businesses use it to safeguard the information that’s stored locally in their own computing systems, as well as for incoming and outgoing data. For companies that do business with the European Union (EU), this is especially important with the recent Schrems II verdict — a ruling that imposes extra security measures on data that’s passed between U.S.-based businesses and organizations located in EU member states.
Defining the Three States of Data
Similar to matter, data can exist in three different states: data in motion, data in use and data at rest. Each state is unique in both circumstances and vulnerabilities, which means that all three have their own set of best practices when it comes to protection strategies. Let’s break them down:
Data in Motion
Data takes this form as it moves from one location to another. Whether it travels between devices connected to the same network or gets transmitted between two different organizations altogether, data is considered to be in motion from the moment it leaves its point of origin until it arrives at its destination. Some common methods of transit include email, instant messengers or collaboration platforms. It’s also important to note that this is the state in which data is least secure.
In addition to encryption, the best methods for protecting data in motion include identifying its vulnerabilities and establishing processes that ensure safe transit, such as sending it only over encrypted channels like HTTPS, which runs on TLS (the successor to the older SSL protocols).
Data at Rest
When data is archived or stored (either on a physical device — such as a hard drive or flash drive — or using a cloud service), it’s considered to be at rest. In this state, data is static and, therefore, at its most secure. However, that doesn’t mean data at rest is immune to theft. Authorized users with malicious intent can still pose a security threat.
Security software and firewalls both provide a good line of defense for your organization’s data at rest. And to help strengthen the fortress, it’s always a good idea to encrypt data in this state as well. Some archiving solutions, such as Intradyn’s Cloud Email Archiving Appliance, rely on server-side encryption to further protect your resting data.
Data in Use
This term describes data that is actively being accessed or used by a member of an organization. For example, the moments when an employee creates, edits or deletes information are all times when that particular data is said to be in use.
Because this form of data can typically be accessed by multiple people, it’s highly susceptible to theft. To keep it safe, always use strong passwords and the latest versions of protective software, and require authentication before granting access.
How Does Encryption Protect Data in Motion, Data at Rest & Data in Use?
While hackers may have an easier time intercepting data in motion, data at rest is also an attractive target due to the sheer amount that organizations typically store. It’s also worth reiterating that data in use isn’t completely safe either. That’s why it’s crucial to encrypt data in all of its states.
The primary purpose of encryption is to keep sensitive information private if it falls into the wrong hands. These widely recognized encryption standards ensure that this is exactly what happens in the event of theft:
- AES with a 256-bit key (AES-256), a widely adopted cipher that uses a 256-bit key to encrypt and decrypt data and is considered infeasible to break by brute force when the key is properly managed
- Federal Information Processing Standards (FIPS), a set of stringent security standards and guidelines, including ones covering cryptography, published and maintained by the National Institute of Standards and Technology (NIST)
- Format-Preserving Encryption (FPE), a system used by Google Cloud and AWS that maintains the format and length of data during encryption
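The two points above (that ciphertext stays unreadable without the correct key, and AES-256 as the standard choice for data at rest) as an added Go example, not code from the original article or from Intradyn. It assumes only Go's standard crypto/aes and crypto/cipher packages and uses AES-256 in GCM mode, which also authenticates each record; the key, record and record-id values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; shorter keys would silently select AES-128/192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: key size validated above
	return cipher.NewGCM(block)
}

// Encrypt seals one record as nonce(12) || ciphertext || tag(16); the nonce is
// fresh random per call because a repeated nonce under one key breaks GCM.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. A wrong key, a modified byte or mismatched AAD fails
// the tag check, so the caller gets an error instead of silently wrong plaintext.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed record too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a KMS or KDF
	rand.Read(key)
	sealed, _ := Encrypt(key, []byte("ssn=000-00-0000"), []byte("record:42"))
	fmt.Println(Decrypt(make([]byte, 32), sealed, []byte("record:42"))) // wrong key: error
}
```

The GCM tag check is what makes a wrong key or an edited byte fail loudly; AES in an unauthenticated mode would return garbage plaintext without any error, which is why the mode matters as much as the key length.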
Best Practices for Protecting Data in All Its States
Each data state is unique, with its own inherent vulnerabilities. This means that the optimal methods for protecting data in motion will differ from the techniques that work best for both data at rest and data in use. These are:
- For data in motion, always have a plan in place. This can include a mandatory encryption policy, implementing automation for certain controls and preparing a data loss prevention (DLP) solution.
- For data in use, it’s all about access. Before allowing access, set up proper permissions for authorized users (i.e. establishing who has editing privileges and who doesn’t) and lean into identity management efforts.
- For data at rest, defense is the name of the game. Using full-disk encryption, establishing a DLP solution (for both local networks and the cloud) and ensuring proper device management all go a long way toward securing the data in your archives.
- For all three states, always be prepared for any scenario. The best data protection strategies are always proactive ones, so building a defense that’s categorized by risk profile is key.
Keeping Your Data Safe
Ready to put these best practices into place but don’t know where to start? Take the first step toward securing your data in motion, data at rest and data in use by downloading your copy of our comprehensive data retention policy plan.