    Data Encryption: How to Protect Data in Transit, Data in Use and Data at Rest

    With data growing in volume and scope, companies need to know the best encryption methods for the three states of data to keep their information secure.

    by Daniel Argintaru

    Key Points

    • Data encryption is a core component of modern data protection strategy, helping businesses protect data in transit, in use and at rest.
    • The risk profile for data varies for each of these three states.
    • Best practice approaches and technologies can help companies head off threats to their data wherever it may be.

    Data is the fuel driving modern business operations. But like any valuable commodity, data is also an attractive target for cyber thieves. With hackers using more sophisticated methods to access and steal their data, businesses are turning to advanced encryption methods to keep this vital asset secure, both within their organizations and when they share it with external parties.

    What Is Data Encryption?

    Data encryption is the process of converting information into a secret code (or cipher) to hide its meaning. Using a specialized encryption algorithm, companies can encode their data so it becomes indecipherable to anyone but the intended recipient, who relies on another encryption algorithm on their end to decode the information.

    The practice of encryption goes back to 4000 BC, when the ancient Egyptians used hieroglyphics to communicate with each other in a way only they would understand. Today, encryption has been adopted by businesses, governments and consumers to protect data stored on their computing systems, as well as information that flows in and out of their organizations.

    This latter point is especially relevant for global organizations, with the EU laying out new guidelines on compliance for data exchanged between the United States and EU member states.[1] Data security and compliance requirements will only become more stringent and complex, requiring an equally sophisticated security approach.

    The Three States of Data

    Like oil, data can exist in multiple states, and it can quickly change states based on a company’s needs – for instance, when a finance controller needs to access sensitive revenue data that would otherwise be stored on a static database.

    The first step in choosing the right encryption strategy is to understand the differences between three different states of data – in transit, at rest and in use – and the security challenges posed by each.

    What Is Data in Transit?

    As the name implies, data in transit is data that is moving from one location to another. This includes information traveling via email, collaboration platforms like Microsoft Teams, instant messengers like WhatsApp, and virtually any public communications channel. This data is generally less secure than inactive data given its exposure across the internet or private corporate network as it travels from one place to another. This makes data in transit a prime target for attack.

    What Is Data at Rest?

    Data at rest refers to inactive data, meaning it’s not moving between devices or networks. Because this information tends to be stored or archived, it’s less vulnerable than data in transit. That said, any information companies keep close to their chests is also seen as more valuable by hackers, making it a target for external attacks. Data at rest might include information archived in a database or any data stored on a hard drive, computer or personal device.  

    What Is Data in Use?

    Data is in use when it’s accessed or consumed by an employee or corporate application. Whether it’s being read, processed or modified, data is at its most vulnerable in this state because it’s directly accessible to an individual, making it susceptible to attack or human error – both of which can have significant consequences. Encryption is essential to protecting data in use, and many businesses will shore up their encryption solutions with additional security measures like authentication and permissions for data access.

    The Role of Encryption in Protecting Data in Transit, Data in Use and Data at Rest

    While the risk profile for data in transit and data in use is higher than when it’s at rest, attackers regularly target information in all three states. As opportunists, they will look for any assets or intellectual property that are easy to breach. Encryption plays an integral role in a company’s defenses across all three states of data, be it protecting sensitive information while it’s being accessed or moved or encrypting files before storing them for an added layer of security against attacks on its internal servers.

    Best Practices for Data Protection In Transit, In Use, and At Rest 

    Any data left unencrypted or unprotected is at risk. The parameters of that risk will vary for businesses based on the nature of their information and whether it’s in transit, in use or at rest, but encryption is a key component of their defense on all fronts.

    Before diving into specific tactics to protect data in its three states, there are two overall best practices that apply to data security at every level:

    • Reactive protection does not work: Once a company’s data is breached, the task shifts from protection to risk management and damage control. Instead of playing catch-up, businesses should identify which data is at risk and build proactive defense mechanisms to head off attacks before they materialize.
    • Smart classification equals smart protection: By categorizing all of their data and understanding its risk profile in every state, companies will be in the best position to choose the most effective protection measures. Implementing automatic protocols will also ensure that accurate defense measures are triggered when data shifts between states, so that it always has the highest level of protection.

    Best practices for data in transit include:

    • Build solid basics: Straightforward network security tools like firewalls and authentication are simple but effective defenses against malicious attacks and attempted intrusions.
    • Implement automated controls: Today’s data protection technologies include automated policies that block malicious files, prompt users when they are at risk and automatically encrypt data before it’s in transit. This helps companies securely manage a growing volume of email attachments, removable drives and file transfers.
    • Email encryption is not optional: Encrypting email ensures its contents are safe and that any attachments are encoded so they can’t be read by prying eyes. Encryption can be applied to email delivery, directory sync and journaling, helping with both security and classification.
    • Pre-empt data loss with a DLP: A data loss prevention (DLP) solution helps companies avoid the loss of intellectual property, customer data and other sensitive information. DLPs scan all emails and their attachments, identifying potential leaks using flexible policies based on keywords, file hashes, pattern matching and dictionaries. Suspicious emails can then be blocked, quarantined for review or sent via a secure messaging portal, depending on a business’s policies.

    Best practices for data in use include:

    • Data controls start before use: Protections for data in use should be put in place before anyone can access the information. Once a sensitive document has been compromised, there is no way to control what a hacker does with the data they’ve obtained.
    • Double down on identity management: Identity theft has become increasingly common, especially as people share more of their data online than ever. Identity management solutions help businesses ensure users are who they say they are before they access any documentation, reducing the risk of fraud.
    • Manage the right to access: Whether they use digital rights protection, information rights management (IRM) or another method, leading companies use security solutions to limit the actions a user can take with the data they access. For instance, a manager may have full access to a confidential performance report, while their employees can only read the document, with no option to edit or share it with colleagues.

    Best practices for data at rest include:

    • Play it safe with full disk encryption: A lost laptop or device only costs a few hundred dollars, but the data contained in its hard disk could cost a fortune if it falls into the wrong hands. Full disk encryption ensures malicious users cannot access the data on a lost drive without the necessary credentials.
    • DLPs to the rescue again: In addition to protecting data in transit, DLP solutions allow businesses to search for and locate sensitive data on their networks and block access for certain users. These controls are only valid while the data is at rest. Once it’s accessed or moved, DLP protections for the other states of data will apply.
    • Extend loss prevention to the cloud: Cloud access security brokers (CASBs) let companies apply DLP policies to information they store and share in the cloud. This includes back-end systems and collaboration platforms like Slack or Microsoft 365. The mechanism of a CASB is similar to that of a DLP, with policies and functionality tailored to a cloud environment.
    • Security goes mobile: Mobile phones and tablets are mainstays of the modern workplace, and mobile device management (MDM) is an increasingly popular way to manage the data housed on these devices. MDM tools limit data access to business applications, block devices that fall into the wrong hands and encrypt any data they contain so it’s indecipherable to anyone but approved users.
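As an added example (not code from the article or from any vendor's product), the following Python sketch shows how the DLP policy types described above for data in transit (keywords, file hashes, pattern matching and dictionaries) can be evaluated against an outbound email and its attachments and mapped to the actions the text names (block, quarantine, secure portal), and how the same scanner doubles as the search for sensitive files at rest. The rule set, severity scale and sample payroll file are constructed for illustration.

```python
import hashlib
import re

# Constructed policy for illustration (no real product's rule format). Severity: 3 = block, 2 = quarantine, 1 = secure portal.
KEYWORDS = {"confidential": 2, "internal only": 1}
DICTIONARY = ({"merger", "acquisition", "q3 revenue"}, 2)  # sensitive-terms dictionary
PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    "card_number": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), 3),
}
# Fingerprint of a known-sensitive file, computed here from constructed sample content.
PAYROLL_EXPORT = b"employee,salary\nalice,120000\nbob,95000\n"
BLOCKED_HASHES = {hashlib.sha256(PAYROLL_EXPORT).hexdigest(): "payroll_export"}
ACTIONS = {3: "block", 2: "quarantine", 1: "secure_portal", 0: "deliver"}


def luhn_ok(digits):
    """Luhn checksum so that arbitrary digit runs do not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_text(text):
    """Apply keyword, dictionary and pattern rules; return (rule, severity) hits."""
    lowered = text.lower()
    hits = [("keyword:" + k, sev) for k, sev in KEYWORDS.items() if k in lowered]
    terms, sev = DICTIONARY
    hits += [("dictionary:" + t, sev) for t in sorted(terms) if t in lowered]
    for name, (rx, sev) in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run with a bad checksum is not treated as a card
            hits.append(("pattern:" + name, sev))
    return hits


def scan_file(data):
    """Exact-match fingerprinting plus a content scan; serves attachments and files at rest."""
    label = BLOCKED_HASHES.get(hashlib.sha256(data).hexdigest())
    hits = [("hash:" + label, 3)] if label else []
    text = data.decode("utf-8", errors="ignore")  # binary content simply yields no text hits
    return hits + scan_text(text)


def decide(body, attachments):
    """Scan an outbound message; the highest-severity hit selects the action."""
    hits = scan_text(body) + [h for data in attachments.values() for h in scan_file(data)]
    worst = max((sev for _, sev in hits), default=0)
    return ACTIONS[worst], hits
```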

    The Bottom Line

    Data encryption is a central piece of the security puzzle, protecting sensitive information whether it’s in transit, in use or at rest. Email exchanges, in particular, are susceptible to attacks, with businesses sharing everything from customer data to financials over email servers like Outlook. With the right tactics and solutions in place, companies can protect their information from data loss, in addition to the fines, legal fees and loss of revenue that frequently accompany a major security breach.


    [1] “Data Sovereignty and Privacy Compliance Post Schrems II,” Infosecurity Magazine
