By Mariann Utrosa • April 3, 2017

Data at Rest, Data in Transit, and Encryption


Computer data spends most of it’s lifecycle being stored ‘at rest’, punctuated with brief periods ‘in transit’ between storage media.  Whether being stored locally on hard drives, servers and other physical media or stored remotely in the cloud … computer data is always either at rest or in transit. 

In either instance, encrypting your data can help protect it from hackers and theft, but over time and as hackers get smarter, and existing encryption techniques become progressively less effective.  How do you protect your data against the inevitable day when that very encryption just isn’t enough anymore?

Since encryption keys can be created on the fly and then destroyed immediately after transmission is complete, they have always been popular and trusted as a front-line mechanism for protecting sensitive data in transit.  Encryption may be good for shorter-term, temporary protection, but what about more permanent, longer-term protection for resting data?

Encryption keys typically accompany the data they protect - whether in storage or in transit - but unless the keys are destroyed after use, valid keys are technically available to attackers, making data at rest more vulnerable to decryption and theft.

What’s even MORE unsettling, is that encryption alone offers ZERO protection against an unauthorized, nefarious user who has access to the encryption keys.  All the protection you enjoy will mean nothing if an individual can access the means to defeat it … just like installing the newest locks on every door in your house and leaving your windows open!

Luckily, there are a few complementary, alternative techniques:

  • Data Masking - Using this technique, sensitive data such as Personal Health Information (PHI), Personal Identifiers (PII) or Personal Account Numbers (PAN) are converted into values with replacement characters and symbols so that without appropriate security permissions, no viewer would have access to actual information.
  • Hashing - This technique uses algorithms to generate a new, typically shorter and often fixed-length value to represent an existing text string. A ‘hashed’ output string or number will change drastically with each subtle variation in the original strings and the best hashing algorithms are designed so that it’s nearly impossible to revert the hashed string into the original string.
  • Internal Firewalls - This technique uses a mechanism to segment or break-up a database or network. When sensitive and relational data can be segregated into separate locations, each portion of a database, data therein and the relationships between them are all protected individually, adding multiple layers of protection.

Whether at rest or in transit … masked, hashed or tucked behind a firewall … your data is always at risk, but using a layered approach to security and following basic best practices can provide confidence and help to protect your foundation.

 Learn how DataStealth allows you to obfuscate your data without the use of encryption.

Download Now 

Talk to our team!       

Schedule My Meeting