There are many ways to protect data, including both digital and physical access control, multi-factor authentication and encryption. Looking at digital data in its various states can be helpful when evaluating the most appropriate security measures to protect it.
The three basic states of digital data are:
- stored data
- data in transit
- and data in use.
Data encryption is an important tool in the data protection arms race. Encryption converts readable data (plaintext) into ciphertext using an algorithm and a key; to use the data again, it must be decrypted with the correct key. Applied to stored data and data in transit, encryption is an effective measure for protecting files. Data in use is harder to protect: a program can only work on data it can read, so the data, and often the key that protects it, sit decrypted in memory at the endpoint, where any user or process with sufficient permissions can reach them.
According to Varonis, over half of businesses have more than 1,000 files containing sensitive data open to every employee, and hold on average more than half a million files containing confidential information.
So, why is data so valuable and how is it used in the hands of criminals?
Data is most often stolen for financial gain, and there are many ways for hackers to profit from it. They sell the data to third parties on the dark web or use it to commit a wide variety of financial crimes, including impersonating the victims or breaking into their accounts.
According to Forbes, stolen credentials sell on the dark web for anywhere from £1 to £2,000. Alternatively, criminals use the stolen information to apply for credit cards and bank loans, or break into the victims' accounts to transfer funds or make fraudulent purchases.
Attackers rarely break well-implemented encryption itself; they go around it by stealing the key, compromising an endpoint where the data is decrypted, or abusing an account that is allowed to read the data. Even so, encryption adds a layer that makes sensitive information much harder to reach, because without the key the ciphertext is useless to whoever obtains it.
Let’s look at how encryption works on the different states of digital data.
Stored data
Stored data, or data at rest, is inactive data held in databases, spreadsheets, mobile devices, off-site backups, data warehouses and so on. The most common protections for this state are access control and encryption. Access control (authentication plus permissions limited to the people and services that need them) is the first line of defence; removing access that is no longer needed and reviewing permissions regularly reduce both the likelihood and the impact of a breach. Encryption is the last line: if a credential is stolen, or a disk, database dump or backup is copied off the system, the data should still be encrypted and unreadable without the key. Its limit is worth stating plainly: encryption at rest does not protect against an attacker who takes over an account that is allowed to read the data, because the system decrypts it on that account's behalf.
Data in transit
Data in transit is data that is actively moving from one location to another, for example between servers or across networks. Data is often considered less secure in transit, because it crosses networks and intermediaries the owner does not control, which makes effective protection measures even more critical.
To protect data on its way from A to B, businesses encrypt sensitive data before sending it and use encrypted connections, typically TLS, while it is moving. An encrypted connection is only as good as its check on who is at the other end: a client that does not verify the server's certificate will happily encrypt its traffic to anyone on the path who answers.
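As an added example (not code from the original article), here is a minimal Go program that does what the paragraph describes: a server presents a certificate, and a client sends a payload over a TLS 1.3 connection only after verifying that certificate. The server certificate is self-signed and generated at startup so the example runs offline on a loopback socket; the hostname example.internal, the card-number payload and the use of Go's standard library are assumptions of the demo. A second client that trusts no certificate authority is shown failing the handshake, which is the behaviour you want when the other end cannot be verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// serverName is the hostname the client expects in the certificate (assumed).
const serverName = "example.internal"

// selfSignedCert issues a throwaway certificate so the demo runs offline; the pool trusts only it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// exchange sends msg from a TLS client to a TLS server on loopback and returns what the
// server decrypted. roots is what the client trusts; an empty pool makes it refuse every server.
func exchange(msg string, roots *x509.CertPool, cert tls.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // ephemeral loopback port
	if err != nil {
		return "", err
	}
	defer ln.Close()
	result, failure := make(chan string, 1), make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			failure <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13})
		defer srv.Close()
		b, err := io.ReadAll(srv) // handshakes on first read, then reads until close_notify
		if err != nil {
			failure <- err
			return
		}
		result <- string(b)
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: serverName, // the identity the certificate must match, not the IP dialled
		RootCAs:    roots,      // InsecureSkipVerify would silence this check; never set it
		MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return "", err // handshake failed: untrusted or mismatched certificate
	}
	defer cli.Close()
	if _, err := io.WriteString(cli, msg); err != nil {
		return "", err
	}
	if err := cli.CloseWrite(); err != nil { // sends close_notify: a clean EOF for the server
		return "", err
	}
	select {
	case s := <-result:
		return s, nil
	case err := <-failure:
		return "", err
	case <-time.After(5 * time.Second):
		return "", fmt.Errorf("timed out waiting for the server")
	}
}

func main() {
	cert, pool, _ := selfSignedCert()
	got, err := exchange("PAN=4111111111111111", pool, cert)
	_, untrusted := exchange("PAN=4111111111111111", x509.NewCertPool(), cert)
	fmt.Printf("trusted client: %q %v; client with no roots: %v\n", got, err, untrusted)
}
```

Run it with `go run`: the first exchange yields the plaintext the server recovered, the second yields a certificate verification error instead of a connection. Two things to check in any real client: that ServerName (or the dialled hostname) is what the certificate is verified against, and that InsecureSkipVerify is not set, since that turns the encrypted connection into one an attacker on the path can terminate with their own key.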
Data in use
Data in use refers to active data in computer memory or any data currently being processed by applications. Sensitive material such as encryption keys, the private keys behind digital certificates and personally identifiable information sits in memory in the clear while it is being used. That makes memory an attractive target: whoever can read a process's memory, through a memory-disclosure bug, a debugger, a crash dump or physical access to the hardware, obtains the keys that protect the data in the other two states, so compromising data in use effectively unlocks data at rest and data in transit as well.
Encryption is increasingly recognised as the most effective way to protect data in use. Several projects use memory encryption, in which the hardware encrypts the contents of RAM so that a memory dump or a probe on the memory bus yields only ciphertext; Microsoft's Xbox systems are one example. The caveat is the boundary: memory encryption defends against attackers outside the protected environment, such as a cold-boot attack on the RAM modules or a compromised host, and does nothing against an attacker who already executes code inside the process that holds the key.
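To make concrete what "keys in memory" means, here is an added example (not from the original article) in Go of the key-schedule search used in cold-boot forensics. AES-128 expands its 16-byte key into a 176-byte schedule of round keys that implementations keep in RAM for as long as the key is in use, and the schedule's internal structure makes it findable in a raw memory image without knowing the key in advance. The image here is constructed (random filler with one schedule planted at an arbitrary offset) and the key is the FIPS-197 Appendix A.1 test key; both are assumptions of the demo, not values from the page.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// gmul multiplies in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
func gmul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// sbox is the AES S-box computed from its definition (multiplicative inverse
// followed by the affine map) rather than pasted in as a 256-byte table.
var sbox = func() (s [256]byte) {
	for x := 1; x < 256; x++ {
		var inv byte
		for y := 1; y < 256; y++ {
			if gmul(byte(x), byte(y)) == 1 {
				inv = byte(y)
				break
			}
		}
		s[x] = inv ^ (inv<<1 | inv>>7) ^ (inv<<2 | inv>>6) ^ (inv<<3 | inv>>5) ^ (inv<<4 | inv>>4) ^ 0x63
	}
	s[0] = 0x63 // 0 has no inverse; the affine map alone gives 0x63
	return s
}()

// expandKey128 returns the 176-byte AES-128 key schedule (FIPS-197, section 5.2):
// the key itself followed by ten 16-byte round keys.
func expandKey128(key []byte) []byte {
	rcon := [10]byte{0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36}
	w := make([]byte, 176)
	copy(w, key)
	for i := 16; i < 176; i += 4 {
		t := [4]byte{w[i-4], w[i-3], w[i-2], w[i-1]}
		if i%16 == 0 { // first word of each round key: RotWord, SubWord, XOR Rcon
			t = [4]byte{sbox[t[1]] ^ rcon[i/16-1], sbox[t[2]], sbox[t[3]], sbox[t[0]]}
		}
		for j := 0; j < 4; j++ {
			w[i+j] = w[i-16+j] ^ t[j]
		}
	}
	return w
}

// findAESKeys scans a memory image for any 176-byte window that is a valid
// AES-128 key schedule and returns the 16-byte key at the start of each.
// Random data has negligible chance of satisfying all 160 derived bytes.
func findAESKeys(mem []byte) [][]byte {
	var keys [][]byte
	for off := 0; off+176 <= len(mem); off++ {
		if bytes.Equal(expandKey128(mem[off:off+16]), mem[off:off+176]) {
			keys = append(keys, append([]byte(nil), mem[off:off+16]...))
		}
	}
	return keys
}

// constructedImage is a stand-in for a process memory dump: random filler with
// one key schedule planted at offset at, as left behind by an AES key setup.
func constructedImage(key []byte, size, at int) []byte {
	mem := make([]byte, size)
	if _, err := rand.Read(mem); err != nil {
		panic(err)
	}
	copy(mem[at:], expandKey128(key))
	return mem
}

// Demo plants the FIPS-197 Appendix A.1 test key in a 16 KiB image and returns
// every key the scan recovers, hex-encoded.
func Demo() []string {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	var found []string
	for _, k := range findAESKeys(constructedImage(key, 16*1024, 4242)) {
		found = append(found, hex.EncodeToString(k))
	}
	return found
}

func main() {
	fmt.Println("AES-128 keys recovered from image:", Demo())
}
```

Real implementations store the schedule in their own layout (word order, a decryption schedule alongside, larger key sizes), so a production scanner checks several layouts and tolerates bit errors in decaying RAM; the point here is that a key in use leaves a recognisable footprint, which is exactly what memory encryption, and zeroing key material as soon as it is no longer needed, are meant to remove.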
Policies and common sense
Security measures such as encryption, access control and two-factor authentication are only as effective as the policies that enforce them. Some common-sense practices keep them effective:
- understand who has access to your data
- update data encryption keys on a regular basis
- store encryption keys separately from the data
- audit sensitive data periodically
- and store only a minimum amount of sensitive data.
Whether we discard the key to a treasure chest by throwing it overboard or encrypt data and destroy the encryption key, the effect is the same: the data (the treasure) is no longer recoverable, regardless of where it is located or how many copies exist. This is a powerful concept that shows the control proper key management provides, and it only holds if the key was kept separate from the data and exists nowhere else, not in a backup, a log or a developer's notes.
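The stored-data section and the key-management points above (encrypt at rest, keep the key separate from the data, rotate keys, destroy the key to make the data unrecoverable) come together in what is usually called envelope encryption. The following Go program is an added example, not code from the original article: each record is encrypted under its own data encryption key (DEK) with AES-GCM, and the DEK is stored only in wrapped form, encrypted under a key encryption key (KEK) that would live in an HSM or key-management service and is a plain variable here. The record identifier "customer/42", the card-number payload and the 32-byte key sizes are assumptions of the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored row: data sealed under its own DEK, and that DEK sealed under a KEK.
type Record struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without randomness there is no safe way to continue
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes a fresh random nonce. GCM also
// authenticates the ciphertext and aad, so open detects any modification.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails closed on a wrong key or a tampered ciphertext.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// store seals plaintext under a fresh DEK, wraps the DEK under kek, and binds id as aad to both layers.
func store(kek []byte, id string, plaintext []byte) (Record, error) {
	dek := randBytes(32)
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// load unwraps the DEK with kek, then decrypts the data with the DEK.
func load(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

// rotateKEK re-wraps the DEK under newKEK; the bulk ciphertext is untouched.
func rotateKEK(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return Record{}, err
	}
	r.WrappedDEK, err = seal(newKEK, dek, []byte(r.ID))
	return r, err
}

// shred zeroes the wrapped DEK. If the DEK existed nowhere else, the ciphertext
// is now noise in every copy and backup; destroying the KEK shreds all records.
func shred(r Record) Record {
	clear(r.WrappedDEK)
	return r
}

func main() {
	kek := randBytes(32)
	rec, _ := store(kek, "customer/42", []byte("4111 1111 1111 1111"))
	pt, err := load(kek, rec)
	fmt.Printf("loaded %q (err %v)\n", pt, err)
}
```

The layout pays off in three ways the article lists: a stolen copy of the database (records without the KEK) decrypts to nothing; rotating the KEK re-wraps each small DEK instead of re-encrypting every byte of data; and shredding one record, or destroying the KEK, makes the corresponding ciphertext permanently unreadable in every backup. Binding the record ID into both layers as associated data is the extra check worth adopting: a ciphertext copied from one row into another is rejected rather than decrypted.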
With effective policies behind it, data encryption is an extremely valuable data protection tool. Businesses need to think about data in all three basic states to ensure that appropriate security measures are applied across the board.
Auditing data and deleting unneeded data help companies control sensitive information, and with less sensitive information stored, the likelihood and cost of a data breach fall. Like gold, data should not be left unprotected. Any company in a regulated industry that stores sensitive or competitive data about customers, employees or products should use encryption.