Data can reside in a few different states. In this video, you’ll learn about data in-transit, data at-rest, and data in-use.
Data in-transit is any data that we’re sending across the network. You may also hear this referred to as data in-motion. By itself, there’s not much protection of this data. It’s going through many different points, passing through switches, routers, and other devices to get to where it needs to go. And in each one of those locations is an opportunity for someone to capture that data and see what’s inside.
In order to provide some type of protection for data in-transit, we will often install firewalls or intrusion prevention systems. But one of the best ways to protect data in-transit is to encrypt it. Some of the most common forms of encryption use SSL, or what is now called TLS, Transport Layer Security. And encrypted tunnels often use IPsec, or Internet Protocol Security.
Whenever you’re storing data on a storage device, we refer to this as data at-rest. The storage device can take many forms, such as a hard drive, an SSD, a flash drive, or anything else that can store data. To protect this data at-rest, it’s common to implement some type of encryption. It’s very common to encrypt the entire drive through whole-disk encryption.
But sometimes you don’t need to encrypt everything on the drive. If this data is in a database, you can encrypt the entire database or only a portion of that data. Or you can encrypt the data before storing it. We call this file- or folder-level encryption, where only the information you’re storing on the drive is encrypted, and the remaining part of the drive stays in the clear.
It’s also common to increase the security of data at-rest by applying permissions. This usually takes the form of a group that you would then apply to the data, which would either allow or disallow access to this data at-rest.
When data is stored on a storage device, or when it’s transported across the network, we’re not able to take any action on that data. The system can only work with that data when it is in the memory of the system or in the CPU. This is data in-use.
This data is almost always in a decrypted form. If it was encrypted, the CPU would not know what to do with that data when it received it from the memory. Because this data is in the clear, it’s a perfect opportunity for the bad guys to start sifting through our memory to try to find information that might be valuable.
A good example of this happened in November of 2013 to the Target corporation. There were 110 million credit card numbers that were stolen from Target. Target used data in-transit encryption and they used data at-rest encryption. But the bad guys found that data in-use did not have encrypted data. They put malware on the point-of-sale terminals, and they were able to capture credit card numbers when the transaction was occurring in real time.
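As an added illustration of these three states (this code is not from the video), the Python below keeps a constructed sample record encrypted at rest, decrypts it into memory only for the moment it is processed, and wipes that buffer afterwards. The SHA-256 keystream cipher is a stand-in for a real cipher such as AES-GCM, and every key and value is made up.

```python
import hashlib
import hmac
import os

# Constructed sample record (made-up values): the kind of data a point-of-sale
# terminal handles while a transaction is in progress.
SAMPLE_RECORD = b"PAN=4111111111111111;EXP=1227"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256: illustration only, use AES-GCM for real."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_at_rest(key: bytes, plaintext: bytes) -> bytes:
    """Data at-rest: what lands on disk is nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_to_buffer(key: bytes, blob: bytes) -> bytearray:
    """Verify the tag, then decrypt into a mutable buffer that can be wiped later."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored record failed integrity check")
    return bytearray(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def use_record(key: bytes, blob: bytes):
    """Data in-use: the record is in the clear only between decrypt and wipe.

    Returns (masked result, buffer) so a caller can check the buffer was zeroed.
    Python cannot wipe immutable bytes objects, so this shrinks the window
    rather than closing it; a lower-level language can zero every copy.
    """
    buf = decrypt_to_buffer(key, blob)
    try:
        fields = dict(kv.split(b"=", 1) for kv in bytes(buf).split(b";"))
        result = b"****" + fields[b"PAN"][-4:]   # only a masked value leaves this function
    finally:
        for i in range(len(buf)):                 # wipe the in-use copy
            buf[i] = 0
    return result, buf
```

The stored blob never contains the plaintext, and after `use_record` returns the in-use buffer is all zeros; a tampered blob is rejected before decryption.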