What Is Data at Rest?
In information technology, data at rest refers to computer data in digital form, such as cloud storage, file hosting services, databases, or data warehouses. Data at rest includes both structured and unstructured data.
Data at rest is at risk from accidental damage, hackers, and insider threats, who can digitally access the data or physically steal the data storage media. To prevent access to, modification, or theft of data at rest, organizations typically use security controls such as password protection, data encryption, physical controls, and monitoring.
This is part of a series of articles about data security.
The Importance of Protecting Data at Rest
Almost every organization is at risk of a major data breach. The question is: are attackers more likely to steal data while it is stored or transmitted?
Stored data is generally considered a more attractive target for malicious hackers. It is true that data can be vulnerable at many points along its lifecycle, but modern applications typically use connections secured with the Secure Sockets Layer (SSL), an advanced encryption standard, making it difficult for attackers to listen in on communications.
When digital data is stored in a particular storage configuration for a long period of time, cyber attackers assume (mostly correctly) that it has value and would be advantageous if stolen. Indeed, data at rest is often the most sensitive data in an organization, and exposure can be devastating. Data leaks can not only cause huge losses to businesses, customers and partner organizations, but can also damage a company’s reputation and lead to regulatory fines and civil liability.
Data at Rest Encryption
Encryption is the process of shuffling data so that it can only be decrypted using a key (a string of random values, which is held in confidence). Hard disk encryption is the most common way to encrypt data at rest.
Encrypting data at rest secures files and documents, ensuring that only those with the key can access them. The files are useless to anyone else. This prevents data leakage, unauthorized access, and physical theft—unless attackers manage to compromise the key management scheme and gain access to the key.
Data at Rest vs. Data in Transit vs. Data in Use
Data can exist in many states and can change rapidly based on business needs. The first step in choosing the appropriate encryption mechanism is to understand the main differences between the three data states, and the specific security challenges each state represents:
- Data in transit—data moving from one place to another. This includes information transmitted through email, collaboration platforms, instant messaging, and any other communication channel. This data is usually less secure than data at rest because it is exposed on the Internet or on a company’s private network, as it moves from one location to another.
- Data at rest—this is inactive data, which is not currently moving between networks or devices. This information is stored, and is often archived, and is thus less vulnerable than data in other states. However, the information that companies store is typically very valuable to hackers, and has become a target for cyberattacks.
- Data in use—this is data accessed or used by employees, corporate applications, or customers. Data in this state is the most vulnerable—whether it is being processed, read, or modified. Granting direct access to individuals makes them vulnerable to attacks and human error, any of which can have serious consequences. Encryption is important for protecting data in use. Many companies complement encryption by adding security measures such as authentication and strict data access control.
Best Practices For Securing Data at Rest
Best practices for protecting stored data include:
- Data classification—organizations need to know what data is in storage, where it is stored, how critical it is, and how to protect it. Data classification is a proactive measure to identify and organize data according to sensitivity. Organizations need to evaluate and prioritize their data and applications to determine what is most important to their business processes. Data classification can be used to automate processes and ensure standards are applied consistently.
- Data encryption—ensures that data cannot be viewed by unauthorized access. An organization can encrypt its sensitive files before moving them, or use full disk encryption to protect entire storage media. Encryption keys are highly sensitive, so it is a good idea to use cryptographic key management services to secure them.
- Data federation—organizations implement data federation to aggregate data from various sources and store them in one virtual database. Here, the metadata might be exposed, but the data itself is not visible. This allows you to federate your data, organize it in one central location, and apply strong security controls. Data federation solutions are useful in distributed data environments where data is stored in different countries with varying data protection laws.
- Data tokenization—this approach replaces sensitive data with place-holding tokens that provide no value for attackers if stolen or intercepted. Tokenization is a similar approach to encryption, but usually requires fewer computing resources.
- Layered password protection—this approach allows organizations to set access controls to data at different levels of sensitivity and assign passwords or access controls based on these levels.
Data Security with Imperva
Imperva Data Security Fabric protects all data workloads in hybrid multicloud environments with a modern and simplified approach to security and compliance automation. Imperva DSF flexible architecture supports a wide range of data repositories and clouds, ensuring security controls and policies are applied consistently everywhere.
