Data velocity: Data in-motion vs. data at-rest


Data-Centric Security: Protecting “In-Motion” Data vs. “At-Rest” Data

By Phil Hochmuth, Program Director, Enterprise Mobility Research, IDC

The relationship between workers and their computing devices is more intimate than ever — 1 in 4 employees now brings his/her own smartphone to work. Employees increasingly use personal mobile devices, cloud services, and even their own PCs for work. All of this is forcing IT teams to rethink a long-held assumption: that controlled, managed devices and networks equate to secure data and apps.

Unmanaged devices regularly access and interact with business data in uncontrolled environments — cloud platforms, cellular networks, and the Internet. Given this, to secure corporate data, businesses must actually start securing the data itself. That is not a glib statement. For years, businesses have relied on the containers and conduits of business data — company-owned PCs and devices, datacenters, and private networks — as the underlying security architecture. Applying controls that stick with the data, no matter where it moves or where it is stored, is the only approach that addresses the new challenges of BYOD and the shadow IT services now in wide use.

A data-centric protection strategy starts with understanding the states in which corporate data can exist, and how to protect data in each state. First, there is data at rest — information stored on a mobile device, a PC hard drive, or removable media. The biggest risks to at-rest data are physical theft and device loss. Another at-rest concern is unauthorized access. This can follow from device loss or theft, but it also extends to non-physical scenarios, such as hacking or unauthorized access to cloud platforms, network file shares, or SaaS applications.

Data in motion is data being transmitted from node to node. This includes file uploads to cloud services, app data transmitted to or from a private or public host server, as well as financial transactions and exchanges of authentication credentials. Communications with Websites, social media platforms, and cloud applications all involve complex data-in-motion aspects, where sensitive information is passed from Web browsers and apps to back-end Websites and cloud platforms. Data in motion is subject to theft through “man-in-the-middle” attacks, where attackers intercept transiting data by deception or Web protocol manipulation. Additionally, many “legitimate” mobile apps can, unknown to the user, transmit data such as phone contacts or location information to unknown or undesirable destinations such as third-party servers.

A data-centric security strategy protects both data in motion and data at rest. A wide range of security technologies and approaches can address both scenarios. Encryption — full-disk and file-level — is standard for at-rest data protection, especially on enterprise mobile devices and laptops. Other factors include identity and enterprise rights management (ERM) — the ability to enforce access policies for at-rest data based on a user’s identity, role, and other contextual and situational factors. (For example, blocking data access if an otherwise authorized user is on an untrusted device or network, or in an untrusted physical location.) Data classification, data-loss prevention, and ERM platforms also come into play here, as these tools can detect the types of data that need protection and enforce file- or device-level encryption.

From the in-motion perspective, traffic encryption via SSL is a common protection approach. But it is challenging to ensure that all sensitive data in transit is always encrypted. This is also where data classification and rights management are key, as they allow applications, upstream gateways, or cloud services (such as cloud application security brokers, or CASBs) to enforce encryption on sensitive in-motion data transfers and app traffic. To that end, content security gateways are another component of a data-centric security architecture. These include appliances and SaaS services that inspect traffic “on the wire” and enforce policy on data in motion — whether it is email, Web, or app traffic.
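The two preceding paragraphs describe the same policy applied in two states: classify the data, decide access from identity, role and situational context, and require encryption both where the data is stored and when it leaves the node. The following is an added illustration written for this page, not code from IDC or from any product mentioned above. The classification patterns, the role-to-clearance table, the trusted-country list, and the `tls`/`plaintext` transport labels are all constructed assumptions standing in for what a real DLP engine, rights-management platform, or gateway would supply.

```python
"""Toy data-centric policy check (constructed example).

Classify a payload, decide whether a user may access it given identity, role
and context (the at-rest decision), then decide whether it may leave the node
unencrypted (the in-motion decision). All rules here are illustrative.
"""
from dataclasses import dataclass
import re

# Content patterns used to classify data (constructed, intentionally simple).
PATTERNS = {
    "confidential": [
        re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN-shaped token
        re.compile(r"(?i)\bconfidential\b"),
    ],
    "internal": [re.compile(r"(?i)\binternal use only\b")],
}
LEVELS = ("confidential", "internal", "public")   # highest sensitivity first

# Which roles may read which levels (assumed policy).
ROLE_CLEARANCE = {
    "staff": {"public", "internal"},
    "finance": {"public", "internal", "confidential"},
}
TRUSTED_COUNTRIES = {"US", "DE"}   # assumed geographic policy


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    device_managed: bool    # MDM-enrolled or company-owned device
    network_trusted: bool   # corporate LAN or VPN
    country: str            # where the request originates


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    encrypt_at_rest: bool   # must be stored with file- or disk-level encryption
    tls_required: bool      # must not leave the node in plaintext


def classify(text: str) -> str:
    """Return the highest classification whose pattern matches the content."""
    for level in LEVELS[:-1]:
        if any(p.search(text) for p in PATTERNS[level]):
            return level
    return "public"


def decide_access(level: str, ctx: Context) -> Decision:
    """At-rest policy: check role clearance first, then situational context."""
    sensitive = level != "public"
    if level not in ROLE_CLEARANCE.get(ctx.role, {"public"}):
        return Decision(False, f"role {ctx.role!r} not cleared for {level}",
                        sensitive, sensitive)
    if level == "confidential":
        # An otherwise authorized user is still blocked in an untrusted situation.
        if not ctx.device_managed:
            return Decision(False, "unmanaged device", True, True)
        if not ctx.network_trusted:
            return Decision(False, "untrusted network", True, True)
        if ctx.country not in TRUSTED_COUNTRIES:
            return Decision(False, f"untrusted location {ctx.country}", True, True)
    return Decision(True, "access permitted", sensitive, sensitive)


def decide_transfer(level: str, ctx: Context, transport: str) -> Decision:
    """In-motion policy: reuse the at-rest decision, then require TLS for any
    non-public data. `transport` is 'tls' or 'plaintext' (assumed labels that
    an upstream gateway would attach to the connection)."""
    d = decide_access(level, ctx)
    if d.allow and d.tls_required and transport != "tls":
        return Decision(False, f"{level} data may not be sent over {transport}",
                        d.encrypt_at_rest, True)
    return d


def evaluate(text: str, ctx: Context, transport: str) -> tuple[str, Decision]:
    """Full pipeline: classify, then apply both the at-rest and in-motion rules."""
    level = classify(text)
    return level, decide_transfer(level, ctx, transport)


if __name__ == "__main__":
    finance_on_lan = Context("alice", "finance", True, True, "US")
    payload = "Payroll: SSN 123-45-6789"      # constructed sample content
    print(evaluate(payload, finance_on_lan, "tls"))
    print(evaluate(payload, finance_on_lan, "plaintext"))
    print(evaluate(payload, Context("bob", "staff", True, True, "US"), "tls"))
```

The point of routing both decisions through one `decide_access` is the article's closing argument: the same classification and the same identity and context rules govern the data whether it is sitting on a laptop or crossing the wire, so a gateway and an endpoint agent reach consistent answers instead of each carrying its own one-off rule set.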

The ultimate challenge for enterprises is coordinating all these moving parts into a cohesive data-centric security strategy. While all the security tools mentioned can exist on their own, one-off deployments of technology won’t ensure consistent enforcement of policy across both data in motion and at rest. The only effective way to do this is to implement these in-motion and at-rest security measures as part of an overall data-centric security architecture. This involves common policy for data access control, usage, and governance that spans both at-rest and in-use scenarios, and ties back to a common identity and management framework. This approach is key to transforming untrusted computing environments — personal mobile devices and cloud services — into productivity-driving assets for a business.
