Definition of Data In Transit vs. Data At Rest
Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network. Data protection in transit is the protection of this data while it travels from network to network or is transferred from a local storage device to a cloud storage device.
Data is often considered less secure while in motion, so effective data protection measures for in-transit data are critical to avoid exposure and misuse.
Data at rest is data that is not actively moving from device to device or from network to network, such as data stored on a hard drive, laptop or flash drive, or archived in some other way. Data protection at rest aims to secure inactive data stored on any device or network. While data at rest is sometimes considered less vulnerable than data in transit, attackers often find data at rest a more valuable target than data in motion. The risk profile of data in transit or at rest depends on the security measures in place to protect data in each state.
Protecting sensitive data both in transit and at rest is imperative for modern enterprises as attackers find increasingly innovative ways to compromise systems and steal data.
Encryption in transit
When we want to ensure that information stays private while it moves across the network, we implement encryption.
We call it encryption in transit.
Why would we want to encrypt the data while it is moving along the network?
- An attacker could be listening to the network traffic somewhere along the way and reading the clear text as it passes through the wire. This could be someone listening on a coffee shop’s Wi-Fi or something on a larger scale like a BGP hijacking attack operated by a “state player”.
- Someone could potentially manipulate the data while it moves around. One example is injecting a malicious payload into an innocent and trusted source.
There are a few ways to achieve encryption in transit, but the most common way is using network/application-level protocols that perform the encryption.
The first example that should come to mind is HTTPS, which uses TLS (or its deprecated predecessor SSL) to encrypt your website sessions (and to provide trust in the server's identity, but that's another topic).
Another example is a VPN connection that uses secure protocols to encrypt the traffic regardless of the higher-level protocol: a clear-text HTTP request sent over an IPsec VPN is still encrypted between the two VPN endpoints, even though it is clear text on either side of the tunnel.
An encrypted protocol is always terminated somewhere. That can be end to end, with the server itself decrypting, or at a dedicated network device (such as a TLS-terminating load balancer or VPN gateway) that handles the encryption and then forwards the data to the server in clear text. Where the termination point sits determines which network segments still carry plain text.
Encryption is the secure encoding of data used to protect data confidentiality. The Encryption at Rest designs in Vaultree use symmetric cryptography to encrypt and decrypt large amounts of data quickly according to a simple conceptual model:
- A symmetric encryption key is used to encrypt data as it is written to storage.
- The same key is used to decrypt the data when it is read back for use in memory.
- Data can be partitioned, and a different key can be used for each partition.
Keys must be stored in a secure location with identity-based access control and auditing policies. Data encryption keys stored outside secure locations are encrypted with a key encryption key kept in a secure location.
Encryption at rest provides protection for stored (at rest) data. Attacks against data at rest include attempts to gain physical access to the hardware on which the data is stored and then to compromise the data it contains. For example, a server's hard drive may be mishandled during maintenance, allowing an attacker to remove it. Later, the attacker could attach the drive to a computer under their control and attempt to read the data.
Encryption at rest is designed to prevent an attacker from accessing unencrypted data by ensuring that the data is encrypted while on disk. An attacker who obtains a hard drive holding encrypted data but not the encryption keys would need to bypass the encryption to read it, which is far more complex and resource-intensive than reading unencrypted data from a drive. For this reason, encryption at rest is highly recommended and is a high-priority requirement for many organisations.
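The conceptual model above (per-partition data encryption keys wrapped by a key encryption key that stays in the vault) and the stolen-drive scenario, as an added Go example that is not Vaultree's code or SDK. AES-256-GCM as the cipher and the partition names used in the comments are assumptions for illustration; what lands on disk is only the ciphertext and the wrapped DEK, so a lifted drive without the KEK yields nothing readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead returns AES-256-GCM for a 32-byte key; every key here is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 128-bit block
	return gcm
}

// seal encrypts plaintext under key with a fresh random nonce prefixed to the output.
// aad (the partition name) is authenticated, not encrypted: a blob copied between partitions is rejected.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) } // no randomness, no safe way on
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, a wrong aad or any modified byte.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Partition is what lands on disk: data under its own DEK, plus that DEK wrapped by the KEK.
type Partition struct{ WrappedDEK, Ciphertext []byte }

// EncryptPartition draws a fresh 256-bit DEK for one partition and stores only the wrapped DEK.
func EncryptPartition(kek []byte, name string, data []byte) Partition {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { panic(err) }
	return Partition{WrappedDEK: seal(kek, dek, []byte(name)), Ciphertext: seal(dek, data, []byte(name))}
}

// DecryptPartition unwraps the DEK with the KEK, then decrypts the data for use in memory.
func DecryptPartition(kek []byte, name string, p Partition) ([]byte, error) {
	dek, err := open(kek, p.WrappedDEK, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dek, p.Ciphertext, []byte(name))
}
```

Rotating the KEK means re-wrapping each partition's small DEK, not re-encrypting the data itself; that is the operational reason for the two-tier design.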
Encryption at Rest Vs. In-Transit
While encryption at rest and in-transit both rely on cryptography to keep data safe, the two processes greatly differ. The table below outlines the main differences:
How Vaultree encrypts data end-to-end: at rest, in transit, and in use
With Vaultree you can encrypt your data all the time, at rest, in transit, and IN USE, from simple searches to complex computations, with very little increase in processing time.
Vaultree’s SDK helps information security leaders at organisations ensure they are protected against cybersecurity threats to their databases, stay insurable, and encrypt and process all their data in an always-encrypted live production database environment, never leaving it vulnerable to plain-text disclosure, whatever they do with it.
Schedule a free demo to understand how to keep your databases safe with our Solution.
About Vaultree
Vaultree’s Encryption-in-use enables businesses of all sizes to process (search and compute) fully end-to-end encrypted data without the need to decrypt. Easy to use and integrate, Vaultree delivers peak performance without compromising security, neutralising the weak spots of traditional encryption or other Privacy Enhancing Technology (PET)-based solutions. Follow Vaultree on Twitter (@Vaultree), LinkedIn, Reddit (r/Vaultree), or dev.to. Visit www.vaultree.com, and sign up for a product demo and our newsletter to stay up to date on product development and company news.