Data States

(OBJ 3.3)

Data at Rest

• Data stored in databases, file systems, or storage systems, not actively moving through the network or any processes.

• Data at rest is a prime target for threat actors, it is essential to employ robust security measures

  • Data encryption
  • Implementing Access Control Lists (ACLs)

• Encryption Methods

  • Full Disk Encryption (FDE)
    • Encrypts the entire hard drive
    • When the system is off, the data is encrypted, when the system is on and the user is logged in, the data is then decrypted.
    • Achieved through the OS, third party software, or the disc device itself
  • Partition Encryption
    • Encrypts specific partitions of a hard drive, leaving others unencrypted
    • Example: "Encrypt only the D drive"
  • File Encryption
    • Encrypts individual files
    • Specific files that need top be secured
  • Volume Encryption
    • Encrypts selected files or directories
    • Select and encrypt multiple files and directories
    • "Folder level encryption"
  • Database Encryption
    • Encrypts data stored in a database at column, row, or table levels
  • Record Encryption
    • Encrypts specific fields within a database record
    • Beneficial when multiple users are accessing the same database, but not all of them have the same access and view rights.

Data in Transit (Data in Motion)

• Data actively moving from one location to another, vulnerable to interception

• Across the internet or through a private network

• Protected through the use of a communication tunneling protocol

• Transport Encryption Methods

  • SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
    • Cryptographic protocols designed to provide secure communication over networks, widely used in web browsing and email
  • VPN (Virtual Private Network)
    • Creates secure connections over less secure networks like the internet
    • Ensures that data sent and received is encrypted and secured from prying eyes.
  • IPSec (Internet Protocol Security)
    • Secures IP communications by authenticating and encrypting each IP packets in a data stream.

Data in Use

• Data actively being created, retrieved, updated, or deleted

• Just as vulnerable to threats as the other states

• Protected through the use of a communication tunneling protocol and by using encryption at the application level.

• Protection Measures

  • Encryption at the Application Level
    • Encrypts data during processing
      • Homomorphic Encryption
        • Allows data to be processed without being decrypted, effectively securing data-in-use. Computations can be performed on the encrypted data directly, and the results, when decrypted, match as if the operations were done on the plaintext.
  • Access Controls
    • Restricts access to data during processing
  • Secure Enclaves
    • Isolated environments for processing sensitive data
  • Mechanisms like INTEL Software Guard
    • Encrypts data in memory to prevent unauthorized access

• Note: Understanding the three data states (data at rest, data in transit, and data in use) and implementing appropriate security measures for each is essential for comprehensive data protection.