How to Protect Your Data at Rest

In recent years, the protection of sensitive information has become mandatory for most companies, regardless of where they are located in the world. A new wave of data protection legislation, spearheaded by the EU’s General Data Protection Regulation (GDPR), has made companies liable for the protection of sensitive data such as personally identifiable information (PII) in front of the law.

At the same time, specialized laws have appeared such as HIPAA that governs healthcare information in the US, and standards such as PCI DSS that protect credit card numbers globally. Failure to comply with these laws and standards can lead to regulatory fines and lost business. Companies can also be barred from participating in lucrative bids due to noncompliance.

As a consequence, data protection has become a top priority for many companies. When developing their cybersecurity strategies, organizations don’t just have to define what sensitive data means to them in the context of their sector and national legal framework, but must also consider the three different states data can find itself in:

  • Data at rest: static data stored on hard drives that is archived or not often accessed or modified.
  • Data in use: data that is frequently updated by multiple users within a network and is very much active.
  • Data in transit: data that is being transferred outside the network and subject to third-party services whose security cannot be guaranteed.

Why Data at Rest Needs to be Protected

Data in transit, also called data in motion, is considered the most vulnerable type of data: it is transferred over the internet, outside the protection of the corporate network, through potentially insecure channels such as cloud storage or third-party service providers, to destinations with laxer information security policies. Data in motion can also fall victim to Man-in-the-Middle (MITM) attacks that target data as it travels.

However, while data at rest is protected by a company’s cybersecurity strategy and is usually stored locally within the company network, it is still at risk from both malicious outsiders and insider threats. Data at rest is often a more attractive prize for cybercriminals because the volume of information that can be stolen is higher than in data packets in transit. Many of the most spectacular data breaches in the last ten years have involved the theft of data at rest. Malicious insiders also target data at rest when stealing data for the same reason outsiders do: it represents a bigger payday.

Data at rest is also particularly vulnerable to employee carelessness. If someone gains unauthorized access to a work computer or if a company device is stolen or lost, the data at rest on it can be easily accessed and stolen by booting a device using a USB flash drive and bypassing login credentials. This became a particularly relevant issue during the COVID-19 pandemic when most companies were forced to allow their employees to work remotely and take their company-issued devices home with them.

Securing Data at Rest

Conventional antivirus software and firewalls are the most common security measures used to protect data at rest. However, these do not guarantee safety from phishing or social engineering attacks that target individuals, tricking them into revealing credentials and sensitive information that can compromise a company’s data security. They also do not protect sensitive data from insider threats. Access control can be an effective measure to reduce the exposure of data at rest, allowing only employees who require access to sensitive data to perform their duties to store it locally.

One of the best and easiest ways companies can start protecting their data at rest from employee carelessness is by implementing encryption solutions. Operating systems’ native data encryption tools such as Windows’ BitLocker and macOS’ FileVault allow organizations to encrypt employee hard drives, ensuring that, should someone steal or find a company device, they would be unable to access its contents without the encryption key, even when booting the computer from a USB drive.

Using Data Loss Prevention Tools to Protect Data at Rest

Companies can go one step further: to secure data at rest, they can use Data Loss Prevention (DLP) solutions that can block or limit the connection of USBs, mobile devices, or removable storage drives altogether. In this way, malicious USBs cannot be connected to a device to infect it, nor can they be used to boot a computer. They also prevent data exfiltration via storage devices. Some solutions like Endpoint Protector even offer enforced encryption features that allow employees to use company-approved USB devices but ensure that all files copied to them are encrypted.

Using content inspection and contextual scanning, DLP tools can also search for sensitive data based on predefined or custom content, file name, or particular compliance profiles in hundreds of file types stored locally on employees’ computers. Based on the results, remediation actions can be taken. The sensitive data found can be encrypted or deleted to ensure that it is not stolen or misused. DLP solutions offer a way of controlling sensitive information on employees’ computers remotely, removing it when access to it is no longer desirable, and acting as an additional layer of security in data management.
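The scan-and-remediate loop described above, reduced to its essentials: the following is an added example written for this article, not Endpoint Protector code. It walks a directory of files at rest, flags credit card numbers (validated with the Luhn check digit so that random digit runs are not reported) and US Social Security Numbers, and applies a remediation policy. The detection patterns, the scanned file extensions, the sample files (constructed for the example) and the two policies (`report`, `delete`) are assumptions; a production DLP product covers far more content types and file formats.

```python
# Added example (not Endpoint Protector code): a minimal data-at-rest scanner that
# mimics the content inspection and remediation described in the article.
# Detection patterns, file extensions and the remediation policy are assumptions.
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# 14-19 digits with optional single spaces or dashes between them (typical card layouts)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# US Social Security Number in the common dashed layout
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    kind: str
    count: int


def scan_text(text: str) -> dict:
    """Count sensitive-data matches in one file's contents."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards += 1
    return {"credit_card": cards, "us_ssn": len(SSN_RE.findall(text))}


def scan_tree(root, exts=(".txt", ".csv", ".log")) -> list:
    """Walk a directory (data at rest) and report files holding sensitive content."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        for kind, n in scan_text(text).items():
            if n:
                findings.append(Finding(str(p), kind, n))
    return findings


def remediate(findings, policy: str = "report") -> list:
    """Apply a remediation action to each flagged file: 'report' only, or 'delete'."""
    actions = []
    for f in findings:
        if policy == "delete" and os.path.exists(f.path):
            os.remove(f.path)
            actions.append(("deleted", f.path))
        else:
            actions.append(("reported", f.path))
    return actions


def build_sample_tree() -> str:
    """Constructed sample data: a few files as an endpoint scan might find them."""
    root = tempfile.mkdtemp(prefix="dar_scan_")
    samples = {
        "customers.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,4242424242424242\n",
        "notes.txt": "Ticket 1234 5678 9012 3456 is not a card (fails Luhn).\n"
                     "SSN on file: 123-45-6789\n",
        "readme.md": "4111 1111 1111 1111\n",  # extension not in scope for this scan
    }
    for name, content in samples.items():
        Path(root, name).write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan_tree(root)
    for f in found:
        print(f"{f.kind:12} x{f.count}  {f.path}")
    for action, path in remediate(found, policy="report"):
        print(action, path)
```

Running the block flags `customers.csv` (two valid card numbers) and `notes.txt` (one SSN); the Luhn-invalid number in `notes.txt` and the card number in the out-of-scope `readme.md` are not reported, which illustrates why both content validation and scan scope matter when tuning a real DLP policy.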

It is clear that protecting only one type of data, whether in motion, in use, or both, while ignoring data at rest can lead to disastrous consequences. It is therefore essential that companies look for all-inclusive solutions that deal with all sensitive data, no matter what state it finds itself in.

Looking to protect data at rest? Check out our Data at Rest Encryption solution.


Frequently Asked Questions

What is and how to protect data at rest?
Data at rest is static data stored on hard drives that is archived or not often accessed or modified. Usually, conventional antivirus software and firewalls are used to protect data at rest. However, these do not guarantee safety from, for example, phishing attacks that target specific individuals, compromise one workstation and then proceed to attack the rest of the network. Solutions such as Endpoint Protector, through its eDiscovery module, can scan data at rest stored on employees’ endpoints for sensitive data based on predefined or custom content, file name or particular compliance profiles. Based on the results, it can then encrypt or delete the data to protect it from potential breaches.

Read more on how to protect data at rest.

What’s the difference between data at rest vs. data in motion?
Data in motion is actively moving from one location to another across the digital channels of the Internet or a private network. Idle data, as you might have guessed, is at rest: it is not moving from one network or device to another in any way. Think of data stored on hard drives and flash drives, or inside laptops or desktop computers. When it comes to data at rest, protection aims to preserve inactive data stored on devices or networks. This data is less susceptible to interception and is often considered more valuable to attackers than data in motion.

Read more on how to protect data at rest here or data in motion here.

What is encryption on data at rest?
Encryption at rest is designed to prevent outsiders from accessing unencrypted data by ensuring that sensitive data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. This is far more complex and resource-consuming than reading unencrypted data from a hard drive. For this reason, encryption at rest is highly recommended and is a high-priority requirement for many organizations. Encryption at rest may also be required by an organization's data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI DSS, GDPR and FedRAMP lay out specific safeguards regarding data protection and encryption requirements, and encryption at rest is a mandatory measure for compliance with some of them.

Read more about data at rest encryption.

What are the threats for data at rest?
Data at rest is at risk of loss, leakage, or theft. Sensitive data stored on a device or backup medium can be easily attacked if the organization has no visibility into it or manages it improperly. Threats to data at rest include both insider and outsider attacks, such as unauthorized employees storing sensitive data on their computers and attackers who manage to bypass the network defenses and try to get hold of the company’s records.

Learn more about data security threats.
