Protecting Data at Rest vs Data in Motion
Protecting sensitive data such as personally identifiable information (PII), intellectual property, or healthcare data has become a requirement for most businesses that collect and process these types of data. Whether it is to comply with data protection legislation and standards such as GDPR, HIPAA, or PCI DSS, or to preserve a competitive advantage, companies must protect their sensitive information from both malicious outsiders and careless insiders.
Depending on its movements, data can be found in three states: data at rest, data in use, and data in motion. Data at rest is data that sits in storage and is not currently moving between devices or networks: files on local hard drives, records archived in databases, and content held in file systems and storage infrastructure. Data in use is data that a system is currently reading, updating, processing, or erasing; it lives in RAM, in CPU caches and registers, or in the working set of a database. This type of data is not being passively stored but is very much active.
Data in motion, or data in transit, on the other hand, is data moving from one location to another, whether it’s between computers, virtual machines, from an endpoint to cloud storage, or through a private or public network. Once it arrives at its destination, data in motion becomes data at rest.
The Vulnerabilities of Data in Motion vs Data at Rest
In today’s digitized work environments, data is constantly in motion. Employees transfer data on a daily basis through email, virtual coworking spaces or messaging applications. The solutions they use can be company-approved collaboration tools, but they can also be shadow IT, personal services used by individuals in their work without the knowledge of their employers.
As such, data is considered less secure while in motion. Not only does it pass through channels that may not be secure, it also leaves the protection of the company network for destinations that may be less well defended, and it is exposed to Man-in-the-Middle (MITM) attacks that intercept or alter it as it travels.
Because it does not cross the internet, data at rest is generally considered less exposed than data in motion: it stays within the company network and the security controls around it. However, data at rest is often more attractive to cybercriminals, since a whole database promises a bigger payday than the small amount of data in any single transfer. Data at rest is also the usual target of malicious insiders looking to damage a company's reputation or to take data with them before moving to a new employer.
Although data at rest is not transferred over the internet, it doesn’t mean it does not travel. During the COVID-19 pandemic, as more and more work computers were taken out of the security of office spaces into the limited security capabilities of home environments, data at rest was put in a particularly vulnerable position.
Both data at rest and data in motion face the risk of employee negligence. Whether data is stored locally or transferred over the internet, a moment of carelessness can expose it to a breach or leak.
How to Protect Data in Motion vs Data at Rest
As shown above, data at rest and data in motion each come with their own security challenges. Data in motion is unavoidable, but many companies have tried to reduce the accumulation of data at rest by adopting Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) platforms that limit the local storage of sensitive company data. These solutions, however, come with data security concerns of their own.
Basic cybersecurity measures such as firewalls and antivirus software are necessary to protect data at rest from outsider attacks. Data Loss Prevention (DLP) solutions are a popular tool for the protection of data both in motion and at rest from insider threats. Using policies that define what sensitive information means to a company, DLP software monitors and controls the transfer and storage of sensitive data.
Using content inspection and contextual scanning, DLP tools such as Endpoint Protector can search for sensitive data in hundreds of file types in real time, whether it is in transit or stored locally on employees' computers. Based on the results, controls can limit or block transfers as needed, or delete or encrypt data at rest found in unauthorized locations.
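The content-inspection and contextual-scanning split described above, written out as a small scanner. This is an added example, not Endpoint Protector's code or any vendor's detection logic. The two data types it knows (payment card numbers, validated with the Luhn checksum; US Social Security numbers, validated structurally and then reported only when the same line carries a context keyword), the keyword list, the Mask control, and the lines in Sample are all assumptions made for the demonstration; the sample text is constructed and comes from no real system.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of sensitive data the scanner located.
type Finding struct {
	Kind  string // "credit_card" or "us_ssn"
	Match string // the text as it appeared in the line
	Line  int    // 1-based line number in the scanned text
}

// Candidate patterns. They are deliberately loose; the validation and context
// checks below are what keep the false-positive rate down.
var (
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`)
	ssnRe  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// Sample is constructed input for the demo, not data taken from any real system.
const Sample = `Invoice 2024-000123 shipped to customer card 4111 1111 1111 1111
Tracking number 1234 5678 9012 3456 is not a card (fails Luhn)
Employee SSN: 123-45-6789 added to HR file
Lot 321-54-9876 failed QA
Social security number 666-12-3456 has an invalid area number`

// onlyDigits strips separators so "4111 1111 ..." becomes "41111111...".
func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// luhnValid is the Luhn mod-10 checksum every real payment card number passes.
// Random digit strings pass it about one time in ten, so it is a filter, not proof.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnStructurallyValid applies the allocation rules: area 000, 666 and 900-999
// are never issued, and group 00 / serial 0000 do not exist.
func ssnStructurallyValid(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// hasSSNContext is the contextual part of the scan: an SSN has no checksum, so a
// bare nnn-nn-nnnn is reported only when the line also talks about an SSN.
func hasSSNContext(lowerLine string) bool {
	return strings.Contains(lowerLine, "ssn") || strings.Contains(lowerLine, "social security")
}

// ScanText inspects every line of text and returns what it found, in order.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range cardRe.FindAllString(line, -1) {
			if luhnValid(onlyDigits(m)) {
				out = append(out, Finding{"credit_card", strings.TrimSpace(m), i + 1})
			}
		}
		lower := strings.ToLower(line)
		for _, m := range ssnRe.FindAllString(line, -1) {
			if ssnStructurallyValid(m) && hasSSNContext(lower) {
				out = append(out, Finding{"us_ssn", m, i + 1})
			}
		}
	}
	return out
}

// Mask keeps only the last four digits: one of the "limit" controls a DLP agent
// can apply to a document before it is allowed to leave the endpoint.
func Mask(f Finding) string {
	d := onlyDigits(f.Match)
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
}

func main() {
	for _, f := range ScanText(Sample) {
		fmt.Printf("line %d: %s %s -> %s\n", f.Line, f.Kind, f.Match, Mask(f))
	}
}
```

The two checks play different roles: the Luhn test is content inspection (the value itself carries evidence), while the keyword test is contextual scanning (the value is plausible only because of what surrounds it), which is why line 2 and line 4 of the sample are not reported. A production DLP engine adds file-format parsers, many more identifiers, and a policy layer that decides whether to block, mask, or merely log; the same classifier is what a discovery scan runs over files already at rest.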
Encryption is another common solution used to secure data both at rest and in motion. Encrypting hard drives using operating systems’ native data encryption solutions, companies can ensure that, if a device lands in the wrong hands, no one can access the data on the hard drive without an encryption key.
Some DLP solutions can also enforce encryption of any files copied to USB flash drives, so that if a drive is lost or stolen no one can read the data on it. For data in motion, encrypting data before it is sent, or carrying it through an encrypted channel such as TLS or a Virtual Private Network (VPN) tunnel, protects the sensitive transfers that are permitted. Encryption protects the confidentiality and integrity of the data while it travels; it does not stop an authorized user from sending it somewhere they should not, which is why it is paired with DLP rather than used instead of it.
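The "encrypt before transport" step from the paragraph above, as an added example that is not code from the page or from Endpoint Protector. It uses only the Go standard library (AES-256-GCM, an authenticated mode, so a tampered transfer is rejected rather than silently decrypted to garbage). The names Seal, Open and Tamper, the file label, and the record being protected are assumptions made for the demonstration; the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the only thing that needs to cross the network (or sit on a USB
// stick): the random nonce and the ciphertext with its 16-byte GCM tag.
// The key is never inside it; it reaches the recipient by a separate channel.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey draws a fresh 256-bit AES key from the operating system's CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. label (a file name, a DLP policy tag)
// is authenticated but not encrypted: a relay can read it, yet any change to it
// is detected at Open time exactly like a change to the ciphertext.
func Seal(key, label, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96 bits; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Open reverses Seal. It returns an error, and no plaintext at all, if the key is
// wrong or if a single bit of nonce, ciphertext, tag or label was altered.
func Open(key, label []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, label)
}

// Tamper flips one bit of the ciphertext, standing in for an on-path attacker
// who modifies the transfer. It returns a copy; the original is untouched.
func Tamper(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("hr-export.csv")                       // constructed sample label
	secret := []byte("employee,ssn\nJ. Doe,123-45-6789\n") // constructed sample record
	env, err := Seal(key, label, secret)
	if err != nil {
		panic(err)
	}
	got, err := Open(key, label, env)
	fmt.Println("genuine transfer accepted:", err == nil && bytes.Equal(got, secret))
	_, err = Open(key, label, Tamper(env))
	fmt.Println("tampered transfer rejected:", err != nil)
	_, err = Open(key, []byte("other.csv"), env)
	fmt.Println("relabelled transfer rejected:", err != nil)
}
```

The same Envelope serves both states the article contrasts: written to a USB drive it is data at rest, sent over the wire it is data in motion, and in neither case does the medium need to be trusted. Two caveats a practitioner would add: random 96-bit GCM nonces are safe only for a bounded number of messages per key (rotate keys well before 2^32 messages), and getting the key to the recipient without exposing it is the actual hard part, which is why enterprise tooling layers key management on top of this primitive.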
While data in motion and data at rest have different vulnerabilities and attack vectors, there are many software solutions that can help protect both. Firewalls, antivirus software, DLP solutions, and encryption all contribute to the protection of data in motion and at rest.
Frequently Asked Questions
One of the first steps companies must take to prepare their data at rest for GDPR compliance is to become aware of the way sensitive data is handled internally. This implies a deep understanding of EU data subjects’ rights as well as the principles enshrined in GDPR that relate to the processing of personal data.
Under GDPR, personal data must be processed in a transparent way, its use limited to the purpose for which it was collected, and it may be stored only for as long as that purpose requires. It must also be protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage through appropriate technical and organizational measures. Data subjects can withdraw consent at any time and, through the right to be forgotten, request that their data be deleted. In practice, these requirements mean that companies must know where sensitive data is located and who is processing it, and must be able to exercise control over it at all times.
Large organizations use data discovery tools to scan company networks for sensitive data and, when finding it on computers not authorized to access it, they frequently have the option of deleting or encrypting it. In the age of data protection regulations, transparency is key both for compliance and for building effective data protection policies.
Big companies also keep employees informed of compliance regulations and internal cybersecurity policies, providing training and clear guidelines for handling sensitive data.