Data protection. Two important questions to answer: Why and How to protect data at rest, in motion and in use
14.08.2020
Today it is obvious to every small, medium and large enterprise that data needs to be protected in three states: at rest, in use and in motion.
However, sensitive business data, such as trade secrets, security information, personal data, social security and credit card numbers, is more vulnerable to theft than ever before. This data is stored, used and transmitted online and through connected devices.
At the same time, the widespread use of SaaS applications, such as Office 365, undoubtedly benefits organizations by reducing overheads, increasing productivity, facilitating accessibility and much more.
Even so, nobody should forget that data stored without protection in these Software-as-a-Service applications leaves any business vulnerable to data leakage. In fact, SaaS companies are responsible for securing their infrastructure, not the data you store in it. Considering this, it is no surprise that statistics show two out of three businesses are victims of SaaS data loss.
Nowadays, hacking is regarded as one of the most potent tools at a criminal's disposal. But it is not the only threat to your business. There is also the so-called insider threat: in order to monetize stolen information and intellectual property, an employee can expose sensitive information even faster than a hacker.
The pressing question is what to do about it. Any risk management or safety expert would say that to prevent the accidental or intentional release of sensitive data you must ensure adequate safeguards are in place.
So let us be more specific about the types of data and how each of them can be protected.
A complete information security approach must cover three types of data:
1. Data at rest
2. Data in motion or in transit
3. Data in use
Each differs in nature and presents its own security challenges.
DATA AT REST
To put it simply, data at rest is data stored on a stable medium. It is data that is not actively moving from device to device or from network to network.
This type of data is typically stored on a hard drive, notebook or flash drive and is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs, which in fact are not really impenetrable.
Many entrepreneurs mistakenly assume that data at rest is less vulnerable and less prone to theft; however, malicious attackers often find data at rest a more valuable target than any other type of data. Hackers will look for data at rest if your SaaS apps are not able to ensure strong at-rest encryption standards. This creates a potential threat of unauthorized access to and distribution of sensitive data.
DARP (Data At Rest Protection) aims to secure inactive data stored on any device or network, primarily through strong data encryption.
Two options are suggested: if you possess a lot of resources you can encrypt the entire data set in your storage, or, as an alternative, you can first evaluate the different kinds of data to see which data sets need to be protected. Password protection or access protocols can also be applied as part of the solution.
At first sight, data at rest protection seems quite simple to solve. There is no mystery for an IT administrator in setting up an encrypted storage medium. Nonetheless, when it comes to other issues, such as whether a user can attach a flash drive or other removable USB devices, it gets much harder.
Check out SearchInform DeviceController Solution
In this regard, we must remember that threats are not just external. There are also internal threats from disgruntled or mercenary employees who can intentionally release a company's sensitive data.
When thinking about the solution, we must bear in mind that however indispensable security is to a business, it cannot come at the expense of the ability to get day-to-day work done. In a critical situation any business will opt for money over security.
Afraid that implementing DARP will hamper employees' ability to do their jobs, a company may instead rely on internal training and careful screening of job applicants.
DATA IN MOTION OR IN TRANSIT
The key point about data in motion, or in transit, is movement: it is active data travelling from one location to another, for example across the internet, through a private network, or from local storage to cloud storage.
It is generally assumed that data in motion is less secure than other types of data. Being undeniably vulnerable, it becomes a desirable prey for numerous attackers. It is crucial for a reasonable employer to be sure that all SaaS applications can provide in-transit encryption.
The growing pace of today's business processes has made email the core of all communication: an estimated 100 billion emails, much of them carrying sensitive data, are sent and received each day. Every email makes a long journey through electronic infrastructure before it actually reaches the intended recipient.
Making information secure requires specialized capabilities. For protecting data in transit, enterprises often choose to encrypt sensitive data by using encrypted connections such as HTTPS, SSL, TLS and FTPS.
Nonetheless, anyone with the right tools can tap into that infrastructure and intercept your email.
To secure data in motion, that is, to keep your messages and attachments confidential, transmit them through an encryption platform that integrates with your existing systems.
Ideally, users should be able to send and receive encrypted messages directly from their standard email service.
DATA IN USE
Data in use is data that is being actively processed. Its vulnerability stems from the fact that it must be accessible to those who need it.
Security managers should be able to track relevant information so they can detect suspicious activity, diagnose potential threats and proactively improve security.
Check out SearchInform SIEM
For instance, the fact that an account was disabled after a certain number of failed log-in attempts should alert the security manager mentioned above that a system may be under attack.
To secure data in use, incorporate authentication to ensure that users aren't hiding behind stolen identities.
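As an added illustration of the signal described above (this is not code from the original post or from SearchInform's products), the following Python script parses constructed authentication log lines, flags accounts with a burst of failed logins inside a short window, and separately collects the explicit lockout events the system itself reports. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): a burst of failed
# logins for one account, a normal user, and an explicit lockout event.
SAMPLE_LOG = """\
2020-08-14T09:00:01 auth: FAILED login user=jsmith src=10.0.0.5
2020-08-14T09:00:04 auth: FAILED login user=jsmith src=10.0.0.5
2020-08-14T09:00:07 auth: FAILED login user=jsmith src=10.0.0.5
2020-08-14T09:00:09 auth: FAILED login user=jsmith src=10.0.0.5
2020-08-14T09:00:12 auth: FAILED login user=jsmith src=10.0.0.5
2020-08-14T09:00:13 auth: ACCOUNT LOCKED user=jsmith
2020-08-14T09:05:00 auth: FAILED login user=mlee src=10.0.0.9
2020-08-14T09:05:30 auth: OK login user=mlee src=10.0.0.9
"""

# Assumed log format: "<ISO timestamp> auth: <event> user=<name> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<event>FAILED login|OK login|ACCOUNT LOCKED) "
    r"user=(?P<user>\S+)"
)

def parse(log_text):
    """Turn raw lines into (timestamp, event, user) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag users with at least `threshold` failed logins inside a sliding window."""
    failures = defaultdict(list)
    flagged = set()
    for ts, event, user in events:
        if event != "FAILED login":
            continue
        # keep only failures still inside the window, then add the current one
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            flagged.add(user)
    return flagged

def locked_accounts(events):
    """Accounts the system itself reported as locked: the alert the text describes."""
    return {user for _, event, user in events if event == "ACCOUNT LOCKED"}
```

A SIEM rule would raise an alert when either set is non-empty; the second function catches the lockout even if the failed attempts preceding it were logged elsewhere.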
Conclusion: proactive measures to take
There is a long and constantly updated list of organizations that have suffered data breaches because their sensitive information was left vulnerable and unprotected.
Such companies as Target, Home Depot, Anthem and the National Security Agency have learned painful first-hand lessons about their own data security. In order to make sure your organization will not appear on the list, it would be reasonable to take action today. In fact, unless your company has conducted a holistic risk assessment, the threat of a data leakage is probably much larger and more proximate than you could possibly imagine.
Organizations often make the same mistake of taking the security of their systems for granted and believing that is enough to stay safe. The best solution is to take preventive measures: classify and categorize data, including content-, user- and context-aware security. Identify data at risk and implement effective data protection for data in transit and at rest.
Do not wait for the risks to make themselves known: once you have a solid understanding of the potential risks, work out your information security strategy.
Here you can see a quick checklist for best information security strategies to protect data in transit and data at rest:
1. To protect data in motion against malware attacks, implement strong network security controls. Firewalls and Network Access Control will help secure the networks used to transmit data.
2. If you use a public, private or hybrid cloud provider, choose cloud vendors and their security offerings carefully.
3. Take control of your sensitive data: know how it is encrypted and how often it is backed up.
4. If employees work remotely and need access to the company's sensitive data, look for a solution that keeps sensitive data off the device, and make sure that, if needed, a security manager can simply disable the device's access.