
What is a common way to protect data at rest?

Protecting data that is not actively being accessed or transmitted, known as data at rest, is a critical part of any organization’s cybersecurity strategy. There are several common methods used to secure data at rest depending on the type of data, where it is stored, and regulatory requirements.

Encryption

One of the most common and effective ways to protect data at rest is encryption. Encryption converts data into a coded form called ciphertext. To access the encrypted data, the appropriate cryptographic key is required to decrypt it back into its original form, called plaintext. There are several types of encryption that can be used:

  • File/folder encryption encrypts specific files or folders.
  • Disk encryption encrypts at the disk level, protecting entire volumes.
  • Database encryption encrypts at the database and column/field level.

Encryption protects data at rest by ensuring only authorized parties can view plaintext data. Even if encrypted data is compromised, such as during a data breach, the information will appear as unreadable ciphertext to unauthorized parties if the keys are properly protected.

How Encryption Secures Data at Rest

Plaintext Data                 | Encrypted Data
Social security # 123-45-6789  | jWt!@3#t%3@W@%$TEwf……

Without the encryption key, the encrypted data (ciphertext) cannot be returned to its original readable form (plaintext).

Access Controls

Access controls limit which users can access data at rest. This helps prevent unauthorized parties from being able to view or modify confidential or sensitive information. Some common access control methods include:

  • File permissions – Set permissions on files/folders to only allow authorized users access.
  • Network access controls – Limit which devices and users can access parts of a network where data is stored.
  • Database access controls – Assign roles and privileges to restrict database access.

By limiting access to data at rest, organizations reduce the risk of data breaches or misuse of confidential information.

Data Masking

Data masking obscures sensitive information in test or non-production environments. Production data is copied, but sensitive fields are masked or replaced with fictional data. This protects the actual sensitive information from unauthorized access.

Data Masking in Action

Original Data             | Masked Data
John Smith                | Jane Doe
123 Main St, Anytown, NY  | 987 Broadway, New York, NY

With masked data, developers can work with data models containing sensitive information without exposing real customer or employee data.
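The masking described above, as an added Go example that is not from the original article: the name and street are replaced from constructed lists of fictional values and the SSN by synthetic digits, each chosen by HMAC-SHA256 under a per-environment secret so the same real value always masks to the same fake one (joins across tables keep working) while nobody without the secret can rebuild the mapping. The Record fields, the replacement lists and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is one customer row copied from production into a test environment.
type Record struct{ Name, Street, SSN string }

// Constructed fictional replacement values. Choosing among them by keyed hash (see
// pick) makes the mapping deterministic: the same real person masks to the same
// fake one in every table and refresh, so joins keep working and nothing real leaks.
var (
	names   = []string{"Jane Doe", "Alex Rivera", "Sam Patel", "Morgan Lee"}
	streets = []string{"987 Broadway, New York, NY", "12 Elm St, Springfield, IL"}
)

// pick maps a real value to a number in [0, n) via HMAC-SHA256 under a secret held
// only by the masking job. Without the secret nobody can rebuild the real-to-fake
// table, which is what separates masking from a reversible code book.
func pick(secret []byte, value string, n uint64) uint64 {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(value))
	return binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % n
}

// Mask returns r with every sensitive field replaced. The SSN keeps the 3-2-4 digit
// layout so format checks in the application still pass, but all nine digits are
// synthetic; the name and street come from the fictional lists above.
func Mask(secret []byte, r Record) Record {
	d := pick(secret, r.SSN, 1_000_000_000)
	return Record{
		Name:   names[pick(secret, r.Name, uint64(len(names)))],
		Street: streets[pick(secret, r.Street, uint64(len(streets)))],
		SSN:    fmt.Sprintf("%03d-%02d-%04d", d/1_000_000, d/10_000%100, d%10_000),
	}
}
```

A real masking job would draw from much larger fictional lists; with short lists several real people share one fake name, which is harmless for test data but makes the sample less realistic.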

Data Erasure

Data erasure techniques overwrite data previously stored on media to make recovery of the original data difficult or impossible. This prevents unauthorized parties from accessing old data if the media gets compromised. Common data sanitization techniques include:

  • Overwrite with zeros – Overwriting old data with zeros makes recovery difficult.
  • Overwrite with random data – More secure than zeros, random data makes discerning patterns harder.
  • Multi-pass overwrites – Writing alternating bit patterns in multiple passes makes recovery even more difficult.

By erasing data from end-of-life media and backups, organizations can better protect old data against compromise.

Media Encryption

Media encryption protects data at rest by encrypting entire storage devices. This includes:

  • Hard disk drives (HDDs)
  • Solid state drives (SSDs)
  • USB drives
  • Removable media like tapes

Once encrypted, accessing data on these devices requires using the encryption keys. Media encryption prevents loss or theft of media from causing a data breach because the data remains encrypted.

Media Encryption Use Cases

Media Type   | Encryption Standard
USB Drive    | AES 256-bit
Hard Disk    | AES 256-bit
Backup Tape  | LTO encryption

Encrypting removable media is critical to prevent loss or theft from exposing sensitive data.

Key Management

The keys used to encrypt and decrypt data at rest must be properly managed. Key management best practices include:

  • Securely generating keys using robust algorithms and sufficient key length.
  • Protecting keys, such as storing within a hardware security module (HSM).
  • Changing encryption keys periodically to limit the amount of data exposed if a key is compromised.
  • Escrowing keys to allow access to encrypted data if keys are lost.
  • Auditing and logging key access and usage.

With strong key management, organizations can encrypt data at rest while still having access to information when needed.
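The encryption and key management points above, as an added Go example that is not from the original article: each record is sealed with AES-256-GCM under its own data encryption key (DEK), the DEK is sealed under a key encryption key (KEK), and the periodic key change recommended above is done by re-wrapping only the DEK under a new KEK, leaving the bulk ciphertext alone. The Envelope layout and the Seal, Open and RotateKEK names are this example's own; in a deployment the KEK would be held in the HSM or KMS rather than passed around as a byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the stored form of one record: the record sealed under its own data
// encryption key (DEK), plus that DEK sealed under the key encryption key (KEK).
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// gcm builds AES-256-GCM for a 32-byte key; a wrong key length is a caller bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Seal encrypts and authenticates plaintext; the random 12-byte nonce is
// prepended so Open can find it (a nonce must never repeat under one key).
func Seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or any altered byte fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// RotateKEK re-wraps the DEK under newKEK without touching the bulk ciphertext, so
// periodic key changes do not re-encrypt the data (recovery is simply two Opens).
func RotateKEK(oldKEK, newKEK []byte, e Envelope) (Envelope, error) {
	dek, err := Open(oldKEK, e.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: Seal(newKEK, dek), Ciphertext: e.Ciphertext}, nil
}
```

Recovery is Open on the wrapped DEK with the current KEK, then Open on the ciphertext with the DEK. Rotating the KEK limits the exposure of the key the HSM holds; a record whose DEK is suspected of compromise has to be decrypted and sealed again under a fresh DEK.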

Physical Security

Physical security measures prevent unauthorized access to the physical media where data at rest is stored. This includes:

  • Data center access controls – Manage who can enter server rooms and access devices.
  • Media storage protections – Lock removable media like tapes and hard drives in secure locations.
  • Surveillance systems – Security cameras and guards to monitor for unauthorized access.
  • Endpoint security – Require logins, passwords, or biometrics to access end user devices.

Physical protections create additional barriers against accessing stored data without proper authorization.

Network Segmentation

Network segmentation divides networks into smaller segments. This helps protect data at rest by preventing lateral movement across networks where data is stored. Examples include:

  • Employee personal devices on separate guest networks from internal databases.
  • Databases isolated on a separate subnet with restricted access.
  • Storage networks partitioned from the rest of the corporate network.

With effective network segmentation, breach impact can be limited if part of the network is compromised.

Testing and Auditing

Testing and auditing data protections provide assurance that controls are properly implemented and effective. This can include:

  • Security testing – Attempt to circumvent protections to identify gaps.
  • Compliance audits – Assess against regulatory or internal standards.
  • Access auditing – Review logs for unauthorized access attempts.

Ongoing testing and auditing are key to ensuring that data at rest protections operate as intended.

Defense in Depth

A defense in depth strategy combines multiple layers of protection to secure data at rest. This provides stronger protection than relying on any single control. A typical multilayered approach includes:

  • Perimeter defenses like firewalls to prevent network attacks.
  • Access controls to restrict authorization to data.
  • Encryption to protect confidentiality of data.
  • Data masking in lower environments to limit exposure.
  • Activity monitoring to detect suspicious access attempts.
  • Vulnerability management to identify and patch known weaknesses.

With multiple complementary controls in place, organizations can better withstand threats and prevent data breaches.

Cloud Considerations

Storing data in the cloud introduces additional considerations for protecting data at rest:

  • Review cloud provider security controls and procedures.
  • Encrypt sensitive cloud data and manage keys.
  • Use cloud access controls and role-based access.
  • Take advantage of cloud infrastructure protections like firewalls.
  • Monitor cloud accounts for suspicious activity.

Cloud services provide many data protections, but organizations must also implement strong data security practices on their end.

Conclusion

Protecting sensitive data that is not in use or transmission is critical for mitigating the risk of data breaches and unauthorized access. By leveraging encryption, access controls, data masking, strong key management, physical security, network segmentation, auditing, and cloud security best practices, organizations can effectively secure their data at rest as part of a defense in depth strategy.