Data at rest refers to data held in computer storage. Examples include corporate files stored on the hard drive of an employee’s computer, copies of those files on backup tapes held on-site and off-site, files on storage area network (SAN) volumes, and even the rendered representation of a document in the computer’s display buffers.
Data in motion, by contrast, refers to that data while it is being transferred between these copies and versions of the original file, for example as it traverses a corporate network or the Internet.
Yet treating the protection of data at rest and data in motion as two separate problems is a false distinction. Data generally requires a blend of protective measures. It is vitally important to consider data in motion and data at rest, just as it is important to consider where that data is replicated (and who controls its protection), both inside and outside an organisation. Protective measures should be directed where they are needed most and in proportion to business risk.
Rather than asking whether data is at rest or in motion, the fundamental question is what to protect and to what extent, taking into account policy, personnel, behaviour and assurance.
Simply put, data is data. It requires protection against compromise of four essential security properties, to a degree commensurate with its classified importance to the organisation and in a way that meets the compliance requirements the organisation has chosen to adopt.
The essential security properties are:
• Confidentiality - how sensitive is the data to unauthorised reading, copying or printing?
• Integrity - how critical is it that the data can be relied on to be accurate and without unauthorised alteration?
• Availability - how important is it that the data is ready for use or retrieval?
• Accountability - how critical is it that usage of the data can be monitored and reported on?
Unfortunately, many information security plans and implementations either ignore classification of data or restrict it to considerations of confidentiality.
What is needed is a considered analysis of the data security issues that actually affect the organisation, rather than a poorly conceived ‘silver bullet’ plan.
Generally, the following steps serve as a good starting point for incorporation into a data security plan:
• Classify your data and determine its criticality to the business of the enterprise. Analyse the impact of information security risk as a component of operational risk.
• Consider the security implications of data shared with partners, suppliers, customers and service providers.
• Define how effective your controls have to be, assess the effectiveness of your current safeguards and adjust as necessary.
• Ensure that assurance mechanisms are in place to check the ongoing effectiveness of the controls and that compliance obligations are being met.
• Clearly state and communicate the intent and expectations of your information security vision. Ensure that senior management demonstrates ongoing commitment and support.
• Implement security awareness programs throughout the organisation.
Much of this is common sense. Often, the difficulty is knowing where to start and where to stop. Piecemeal approaches, such as concentrating only on data in motion or only on data at rest, seldom yield optimal results, while over-analysis results in confusion, frustration and lack of progress.
For an organisation to manage its information security, there are practical, useful methodologies available to assist tactical and strategic information security planning and improvement.
The most effective approaches consider security for data when it is at rest, in motion or in any other state. They consider policy, assurance, governance and technical capability as well as providing a framework for determination of which data exposures represent a “clear and present danger”.
Information security is far more than data in motion or data at rest. Protective measures should cover policy, process, technology, personnel, architecture and assurance and be directed where they are needed most and in proportion to business risk levels.
Securing data in motion vs. data at rest? It’s the wrong question!
By David Shaw, Product Manager Security Lifecycle Program (SLP), Cybertrust. Published Jun 6, 2007 10:40AM.