Best Practices: Securing Data at Rest, in Use, and in Motion
Sensitive business data is more vulnerable today than ever before. Corporate trade secrets, national security information, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices.
This proliferation of valuable data presents criminals with an increasingly wide range of opportunities to monetize stolen information and intellectual property. In addition, foreign governments and organized crime rings have embraced hacking as one of the most potent tools at their disposal.
Organizations are also at risk from internal threats. A negligent or disgruntled employee can expose confidential information even faster than a hacker if there aren’t adequate safeguards in place to prevent the accidental or intentional release of sensitive data.
Security is critical, but it can’t come at the expense of your ability to complete daily tasks. This article examines the best practices for conducting a risk assessment and striking the right balance between security and functionality.
The Three Critical Components of a Total Information Security Strategy
Data needs to be protected in three states: at rest, in use, and in motion. Each state presents unique security challenges.
Data at Rest
Data is at rest when it is stored on a hard drive. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.
Encrypting hard drives is one of the best ways to ensure the security of data at rest. Other steps can also help, such as storing individual data elements in separate locations to decrease the likelihood of attackers gaining enough information to commit fraud or other crimes.
Data in Use
Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.
Organizations also need to be able to track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.
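The lockout warning sign mentioned above, as an added detection example that is not part of the original article: the log format, the sample lines and the five-failures-in-ten-minutes policy are all constructed here, and `detect_lockout_signals` is a hypothetical name, not any product's API.

```python
# Added example (not from the article): flags the warning sign the text describes,
# a burst of failed logins on one account that would trip a lockout policy.
# Log format, sample lines and the 5-in-10-minutes policy are constructed here.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5      # assumed lockout policy: 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within a sliding 10-minute window

# Constructed sample events: "<ISO-8601 time> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-02T09:00:01Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-02T09:00:05Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-02T09:00:09Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-02T09:00:14Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-02T09:00:20Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-02T09:02:00Z LOGIN_SUCCESS user=asmith src=192.0.2.10
2024-05-02T09:30:00Z LOGIN_FAILED user=asmith src=192.0.2.10
2024-05-02T09:55:00Z LOGIN_FAILED user=asmith src=192.0.2.10
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, src)."""
    ts, event, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ts, event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect_lockout_signals(log_text, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return one alert per account whose failures inside `window` reach `threshold`."""
    recent_failures = defaultdict(deque)  # user -> deque of (time, src) failures
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event == "LOGIN_SUCCESS":
            recent_failures[user].clear()  # a genuine login resets the counter
            continue
        if event != "LOGIN_FAILED":
            continue
        q = recent_failures[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:  # evict failures outside the window
            q.popleft()
        if len(q) == threshold:  # fire once, at the point the policy would lock the account
            alerts.append({"user": user, "time": ts.isoformat(),
                           "failures": len(q), "sources": sorted({s for _, s in q})})
    return alerts
```

Running `detect_lockout_signals(SAMPLE_LOG)` yields a single alert for `jdoe`; the two widely spaced failures for `asmith` fall outside the window and never reach the threshold, which is the distinction a lockout-based signal relies on.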
Data in Motion
Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 100 million business emails are sent every day.[1]
When you send an email, it typically takes a long and winding journey through the electronic infrastructure at universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path. However, there are effective ways to make email more secure.
The best way to ensure that your messages and attachments remain confidential is to transmit them through an encryption platform that integrates with your existing systems and workflows.
Optimally, users should be able to send and receive encrypted messages directly from their standard email service. More than 90% of organizations that currently use email encryption report that they have this capability.[2]
Looking ahead, it will also become increasingly important for the encryption service your organization uses to cover mobile email applications. The Radicati Group[1] predicts that 80% of email users will access their accounts via mobile devices by 2018, but more than 35% of organizations currently using email encryption say their users lack the ability to send secure messages from their mobile email client.[2]
How to Conduct an Effective Risk Assessment
Unless your organization has recently conducted a holistic risk assessment, the threat of a data breach is probably much larger and more immediate than you realize.
Organizations often underestimate their risk because they erroneously believe all of their sensitive data is contained within a few secure systems. In reality, this is seldom true.
Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? And have you thought about what your customers or business partners do with any sensitive files you send them?
Almost inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk. Before you can take effective action to mitigate your risk, you need to have answers to the following questions:
- What types of sensitive data does your organization store, use, or transmit?
- Who has access to this data?
- Where, when, and why are they using it?
- How is data stored when it is not in use?
- How is access to databases controlled?
- What mechanisms are used to transport data?
- What are the pertinent laws, regulations, and standards?
Once you have a solid grasp of the potential risks, work with data security experts to determine the next steps to implement a total information security strategy. But don’t wait for the risks to make themselves clear; by that time it will almost certainly be too late to take effective action.
There is a long and growing list of organizations that have learned painful first-hand lessons about data security, including Target, Home Depot, Anthem, the Federal Office of Personnel Management, and the National Security Agency. Take action today to ensure your organization doesn’t end up on this list.
[1] The Radicati Group. “Email Statistics Report, 2015–2019.”
[2] DataMotion. “Secure Email and File Transfer Corporate Practices 3rd Annual Survey Results.”