States of Data
Data at rest is data stored on physical media that is not in the process of being moved from one place to another.
  - Stored in persistent storage media
    - e.g., hard drive, flash drive, or database
Data in motion is data actively being transmitted over a network.
  - aka data in transit
Data in use is data that an application or individual is actively accessing or modifying.
  - aka data in processing
  - is present in volatile memory
    - e.g., RAM or CPU registers and cache
  - When a user works with data,
    - it usually needs to be decrypted as it goes from at rest to in use
    - data may stay decrypted for an entire work session
Protecting Data
Protecting Data at Rest
- data at rest could be:
  - physically stolen
  - logically stolen
- ways to protect:
  - encrypt the data
    - can encrypt at the level of
      - file
      - storage device
    - methods
      - self-encrypting drives
      - file system encryption
        - aka full disk encryption
        - encrypt an entire hard disk
      - database encryption
        - applying encryption at the table, field, or record level via a database management system rather than via the file system
      - file or folder level encryption
  - Access controls
    - apply permissions (ACLs)
      - only if access is fully mediated through a trusted OS
  - physically protect the device
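Field-level database encryption and the at-rest to in-use transition, as an added example that is not part of these notes: a Go standard-library sketch that seals one record field with AES-GCM, binds it to its record ID so a ciphertext cannot be moved to another row, and decrypts it only when the field is actually in use. The function names (SealField, OpenField), the key, the record IDs and the salary value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealField encrypts one sensitive field of a record (field-level, not file- or
// disk-level, encryption). The record ID is bound as associated data, so a
// ciphertext copied into another row fails to decrypt. Layout: nonce||ct||tag.
func SealField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}
// OpenField is the at-rest to in-use transition: plaintext exists only in the
// returned slice, which the caller should overwrite once the session ends.
func OpenField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("sealed field too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}
func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	sealed, _ := SealField(key, "emp-1042", []byte("salary=98000"))
	_, err := OpenField(key, "emp-2077", sealed) // same ciphertext, wrong row
	fmt.Println("ciphertext moved to another record decrypts:", err == nil)
}
```

The stored row keeps the ID in the clear for indexing while the field itself is opaque to anyone who copies the disk, the backup or the table.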
Protecting Data in Motion
- 2 ways:
  - Encrypt the data
    - encrypt the specific file
    - encrypt the entire connection with a transport encryption protocol
      - encrypt with a VPN connection
      - using TLS encryption
        - protections generally apply to only a single application or protocol
Protecting Data in Use
- Protected by permissions and authentication of users
- trusted execution environment (TEE) mechanisms can encrypt data as it exists in memory, so that an untrusted process cannot decode the information
  - e.g., Intel Software Guard Extensions