The state of a piece of data will assist in determining the best way to secure it. In this video, you’ll learn about securing data in-transit, at-rest, and in-use.
<< Previous Video: Hardware-based EncryptionNext: Permissions and ACLs >>
Of the three states of data that we’re going to discuss, the first one will be data in transit. This is sometimes called data in motion because it refers to the data that’s being transferred across the network. As the name implies, we’re sending information across the network through switches, through routers, across wide area networks to many different devices on the network. And it’s very important that we are able to secure that data as it’s passing through. Obviously, not all of the data inside of this information can be encrypted because we still have to have headers and information that will tell the routers and the switches where to send the data.
And if we encrypt it, obviously the data cannot be read, and it will never make it to its endpoint. Instead, what we’ll do is encrypt the data that’s being stored within these headers, and within those packets. And we do this using a number of different methodologies. If you’re communicating to a web server, you’ll probably use SSL to communicate to that web server, the modern name for that being TLS, or transport layer security. If this is something that’s being transferred across a wide area network or you’re transferring it using a virtual private network, you’re probably using a method called IPsec, which stands for internet protocol security.
Once we transfer the information across the network, we’re probably going to store it somewhere. And we refer to this stored data as data at rest. It’s on a hard drive, it’s on a sand, it’s on an SSD. It’s on some device that’s stored and waiting for us to retrieve it. Since the data is now being stored, it’s probably a good idea to think about encrypting that data as a way to protect it. We can do whole disk encryption, which is very common to see on mobile devices or devices that you’re very concerned about what happens to that data if it gets out of your control.
You might also want to encrypt parts of a database. If you’re storing private or sensitive information, perhaps that’s a perfect place to begin storing it in an encrypted form. And of course, you could maybe choose to only encrypt a single file or a group of files in a folder, and simply have that section of the data at rest be in an encrypted form. Regardless of whether that data is going to be encrypted or not, we still have to apply the appropriate permissions to that data. If this accounting information, then the accounting department may have access to look and change that data.
But you don’t want shipping and receiving to have any access to that information. So there’s going to be access control lists built into your network devices and into your operating systems that’s only going to allow authorized users to gain access to that information. If the data’s not in motion and the data is not at rest, then the data is in use. It’s in the memory of a device, and it’s being accessed by an application to perform calculations, to look up and gather information, and be able to perform calculations of that information. This is usually stored in the system memory.
It’s in CPU registers. It might be in a cache. But it’s somewhere inside of this computing device. To be able to use this information it has to be in a decrypted form. You cannot encrypt the data and then have the application be able to perform some type of action to the data if it can’t possibly read it. So when you bring this into the system memory and it is data in use, it is almost always in a decrypted form. This means though that the bad guys, if they know where to look, could pull that decrypted data right out of memory and be able to store it, manipulate it, or do anything they’d like with that information.
This is a very attractive option for the bad guys. And if they know that they can’t access the data across the network and they can’t access the data at rest, then perhaps getting to the data in use maybe a perfect place to go. In fact, this is exactly what happened in November of 2013 when we discovered the Target corporation’s breach where there were well over 100 million credit cards that were then made available to the bad guys. They were not able to see this information go across the network because Target properly was encrypted credit card information as it went over the network in transit.
Target also was storing their information in an encrypted form. So all of the data at rest was also something the bad guys couldn’t access. So what the bad guys did was put software on the registers themselves, the point of sale terminals. Those terminals were running a version of Windows. And they simply added some Malware into those terminals that would take the information in memory where the credit card numbers were stored, pull that information off, and store them off into a separate area that then was transferred out of the Target network back to the bad guys.
They knew exactly where to go to take advantage of all of this data in use. And that’s why we need security controls not only on our networks, in our databases, in our data centers, and our storage devices, but also on our computing devices itself. So we can protect data in motion, data at rest, and the data in use.