Information about protecting the three states of data (Data in Use, Data in Transit and Data at Rest)

New configuration (How To)

Situation

Solution

Data is in use when it’s being accessed by a person or program. For companies, data is most likely to be in an active state when it’s being viewed or modified by an employee, or being processed by automated or manual means.

Data is considered secure at rest when it is encrypted (so that decrypting it by brute force would take an unworkable amount of time), the encryption key is not kept on the same storage medium as the data, and the key is long and random enough to be immune to a dictionary attack.

How to protect data in use:

In addition to encryption, best practices for protecting data include:

  • Encrypting all data in transit and at rest.
  • Requiring strong passwords with a minimum of 8 characters containing letters, numbers and symbols.
  • To protect data in transit, companies should implement network security controls like firewalls and network access control. These help secure the networks used to transmit information against malware attacks or intrusions.
  • Don’t use reactive security to protect your data. Instead, identify at-risk data and implement proactive measures that keep it safe.
  • It’s important for companies to include data protection solutions in their choice of security options, which either prompt the user or automatically encrypt sensitive information.
  • The company should create policies for categorizing and classifying all data, no matter where it resides. Policies are necessary to ensure that appropriate protections are in place while the data is at rest as well as when it’s accessed.

How to secure sensitive data at rest

1. Identify and locate data

To best secure data at rest, organizations must know what data is sensitive — such as personal information, business information and classified information — and where that data resides. Companies need processes in place to limit the locations where sensitive data is stored, but that can’t happen if they aren’t able to properly identify the critical nature of their data.

2. Classify data

Data classification methods vary from one organization to the next. It is important, however, that various business department leaders assist in assessing and ranking which applications and data are considered most critical from a business continuation perspective. For example, if an application drives revenue or supports it in some way, it’s likely vital to the livelihood of the business and should be considered critical.

Classification is a dynamic process that requires companies to constantly reevaluate sensitivity levels and readjust data protection levels accordingly. For instance, if data that was once labeled low risk or not sensitive for the organization is suddenly reassessed at a higher risk, whether and how the data is encrypted should change. This includes not only the encryption process itself, but also the policy that manages encryption keys so they aren’t accidentally stolen or leaked.

What is data in transit?

As you may have guessed from the name, data in transit is data that is actively moving from one location to another, including across the internet. Data moving across the internet or through email services is also known as data in motion; protecting it means putting safeguards in place while it travels from one location to another.

How to secure data in transit:

The secure transmission of data in transit relies on both encryption and authentication: on hiding or concealing the data itself, and on ensuring that the computers at each end are the computers they say they are.

Data in motion can be encrypted using SSL/TLS. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are transport layer protocols that protect the data in transit. TLS is a newer and improved version of SSL.

SSL/TLS ensure confidentiality through encryption. Firstly, a session is created between the two parties exchanging a message using asymmetric encryption. Then, after the secure session is established, symmetric algorithms are used to encrypt the data in motion.

Using one of the mentioned protocols prevents attackers from reading the data in motion. Websites should use HTTPS (Hypertext Transfer Protocol Secure) instead of HTTP to ensure encryption between websites and browsers. HTTPS uses SSL/TLS.

What is data in motion vulnerable to?

Eavesdropping attacks. In this situation, malicious entities can analyze traffic sent over the internet and read unencrypted data.

At Rest Encryption

Data at rest is data stored in a specific place that isn’t actively moving to other devices or networks. Files on your hard drive, photos on your smartphone, and backups kept on a USB stick are all examples of data at rest. Once data arrives at its destination and is not in use, it becomes data at rest.

Examples of data at rest are:

  • databases,
  • cloud storage assets such as buckets,
  • files and file archives,
  • USB drives, and others.

This data state is usually most targeted by attackers who attempt to read databases, steal files stored on the computer, obtain USB drives, and others. Encryption of data at rest is fairly simple and is usually done using symmetric algorithms. When you perform at rest data encryption, you need to ensure you’re following these best practices:

  • you’re using an industry-standard algorithm such as AES,
  • you’re using the recommended key size,
  • you’re managing your cryptographic keys properly by not storing the key alongside the data and rotating it regularly,
  • the key-generating algorithms used to obtain the new key each time are random enough.

For the examples of data given above, you can have the following encryption schemes:

  • full disk encryption,
  • database encryption,
  • file system encryption,
  • cloud assets encryption.

One important aspect of encryption is cryptographic key management. You must store your keys safely to ensure the confidentiality of your data. You can store keys in Hardware Security Modules (HSMs), which are dedicated hardware devices for key management. They are hardened against malware and other types of attacks.

Solution type

Permanent
Tagging:
