The easiest way to secure sensitive data is to not have any in the first place. Of course, that's not a realistic option for the vast majority of organizations.
In the face of escalating and evolving cyber threats, IT professionals must, therefore, devise a strategy based on best practices to secure data at rest, data in use and data in motion.
Information theft is the primary reason for organizations to pay attention to how they protect data. Stolen data can be used for identity fraud, for corporate or government espionage, and as a lure for ransomware.
Midsize and small organizations are attractive targets for information theft because they often don't have sophisticated data security policies and tools in place. Smaller organizations might also bristle at the cost of security tools or policy enforcement, but the risk of a major data loss to information theft should be justification for the resources -- both budget and staff -- to protect data.
While midsize and small organizations are attractive targets, that doesn't mean larger enterprises are immune. They too must ensure the proper budget and staff are allocated toward information security.
Additionally, whereas organizations used to spend a large amount of time identifying and mitigating external threats, internal threats now also require significant resources. Verizon's "2022 Data Breach Investigations Report" (DBIR) revealed nearly one in five data breaches are due to insider theft or negligence.
Once a company has committed to the necessary resources, its next step is to develop a strategy to monitor and secure data at rest, in use and in motion.
To best secure data at rest, organizations must know what data is sensitive -- such as personal information, business information and classified information -- and where that data resides. Companies need processes in place to limit the locations where sensitive data is stored, but that can't happen if they aren't able to properly identify the critical nature of their data.
Data classification methods vary from one organization to the next. It is important, however, that various business department leaders assist in assessing and ranking which applications and data are considered most critical from a business continuation perspective. For example, if an application drives revenue or supports it in some way, it's likely vital to the livelihood of the business and should be considered critical.
Classification is a dynamic process that requires companies to constantly reevaluate sensitivity levels and readjust data protection levels accordingly. For instance, if data that was once labeled low risk or not sensitive for the organization is suddenly reassessed at a higher risk, if and how the data is encrypted should change. This not only includes the process of encryption, but also policy that helps manage encryption keys so they aren't accidentally stolen or leaked.
Some IT administrators may be concerned with encryption's potential performance degradation. This shouldn't prevent enterprises from reaping the security benefits encryption offers. Plus, there are plenty of ways to get around performance issues, such as the selective encryption of database fields, rows and columns versus encrypting all data regardless of sensitivity.
Remember, data at rest is only as secure as the infrastructure that supports it. The proper patching of servers, network hardware, OSes, and other on-premises and cloud software is also critical to keeping data secure. Continuously monitoring internal and external threats attempting to access data at rest is another great way to keep an eye on infrastructure.
Employees who have access to business-critical information need to understand the importance of securing data at rest to prevent data loss. Verizon's 2022 DBIR found 82% of breaches over the previous year involved a human element. Regular training can help mitigate the risk of human error.
Protecting data at rest is far easier than protecting data in use -- information that is being processed, accessed or read -- and data in motion -- information that is being transported between systems.
The best way to secure data in use is to restrict access by user role, limiting system access to only those who need it. Even better would be to get more granular and restrict access to the data itself.
This can be accomplished by enabling access to only specific data sets and fields or through the obfuscation of data not needed prior to analysis in other applications. The use of metadata, as opposed to raw data, can also help prevent sensitive information from leaking.
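A minimal sketch of the field-level restriction and obfuscation described above, added here as an illustration and not taken from the original article. The roles, field names, policy table and key are all hypothetical, and keyed HMAC-SHA256 pseudonymization stands in for whatever obfuscation method an organization chooses.

```python
import hashlib
import hmac

# Hypothetical per-role policy: "clear" fields are returned as stored,
# "pseudonymized" fields are replaced by a keyed token, all others are dropped.
POLICY = {
    "billing": {"clear": {"customer_id", "card_last4", "balance"},
                "pseudonymized": set()},
    "analyst": {"clear": {"balance", "region"},
                "pseudonymized": {"customer_id", "email"}},
}


def pseudonymize(value, key):
    """Keyed, deterministic token: equal inputs give equal tokens, so joins and
    counts still work downstream, but the raw value is not exposed."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def project(record, role, key):
    """Return the view of `record` that `role` may see.
    Unknown roles and unlisted fields are denied by default."""
    rules = POLICY.get(role)
    if rules is None:
        raise PermissionError(f"role {role!r} has no data access policy")
    view = {}
    for field, value in record.items():
        if field in rules["clear"]:
            view[field] = value
        elif field in rules["pseudonymized"]:
            view[field] = pseudonymize(value, key)
    return view


# Constructed sample record and key; a real key would come from a key manager.
SAMPLE = {"customer_id": 1042, "email": "pat@example.com", "card_last4": "4242",
          "balance": 310.55, "region": "EMEA", "ssn": "000-00-0000"}
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    for role in ("billing", "analyst"):
        print(role, project(SAMPLE, role, DEMO_KEY))
```

Because the policy is an allowlist, a field added to the record later stays hidden from every role until someone explicitly grants it.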
Encryption plays a major role in protecting data in use or in motion. Data should always be encrypted when it's traversing any external or internal networks. This includes encrypting all data prior to transport or using protected tunnels, such as HTTPS or SSL/TLS. Encrypted tunnels, such as VPNs and Generic Routing Encapsulation, are also potential options.
One final tip to secure data in use or in motion is to provide proper visibility for breach detection purposes. Advancements in AI security tools that ingest network telemetry data and then analyze it to spot anomalies in data access behavior can identify threats, determine the extent of damage and provide actionable insights on how to stop further data loss. Modern AI and security analytics tools, such as network detection and response and AI for IT operations platforms, are great ways to gain the proper level of visibility without requiring large amounts of time from an administrative perspective.

