Data is part of the foundation of virtually all enterprises in our tech-driven, cloud-first era. Some of the most necessary and sensitive data is what's commonly referred to as "data at rest." It is often tucked away in various storage systems and infrequently accessed.
Having an understanding of data at rest vs. data in transit, and how they should be treated in your broader data management and security efforts, is crucial. Data at rest can include personal information regarding customers and employees, as well as vital financial details and business plans. As such, it's critical that you protect it with a holistic cloud security strategy that includes advanced encryption and a secure data analytics platform.
What is data at rest?
Any data that is stored within a database, data warehouse, data lake, or any other common element of storage infrastructure is categorizable as data at rest. This makes it the polar opposite of data in transit, which refers to data that's moving—through a private network, over the public internet, from on-premises infrastructure to the cloud, from one cloud to another, and so on.
Data in transit becomes data at rest when it reaches its destination and is appropriately stored. It then remains at rest until a user or automated system initiates its movement.
The importance of protecting data at rest
Anyone who works in data security, or even follows the subject closely, can tell you that malicious hackers will attack data no matter where it is. The sheer number of breaches businesses experience each year bears this out: According to the most recent data from the Identity Theft Resource Center (ITRC), U.S. companies were hit by 1,291 breaches between Jan. 1 and Sept. 30 of 2021. That's a 17% year-over-year increase from the 1,108 breaches seen through all of 2020. The U.S. has seen at least 1,000 data breaches each year since 2016. It's among the most troubling data trends in business and shows little sign of slowing down, let alone stopping.
The significant data breach risk that virtually all organizations face poses a critical question for data professionals and cybersecurity experts alike: Are hackers more likely to pursue data at rest or data in transit?
Data at rest is typically considered a more attractive target to malicious hackers. To be fair, data can be vulnerable at various points along its paths of transit, but enterprises often transmit it over connections protected by Secure Sockets Layer (SSL) encryption. Moreover, when digital data is at rest in a particular storage setting, cyberattackers assume—often correctly—that the data isn't moving because it's meant to be accessed or moved as infrequently as possible. From there, it's only logical to extrapolate that such data is sensitive, making it quite lucrative if stolen. The relational structure of a MySQL database, or even something as simple as file names, can easily tell intruders whether they've found what they were looking for.
Because data at rest is often an organization's highest-value data, its exposure can be devastating. Not only can it lead to crippling losses for the business, its customers, and its partner organizations, but a breach of such information could also damage the enterprise's reputation for years and expose it to civil liability. Criminal penalties also aren't out of the question, as demonstrated by the federal charges filed against former Uber chief information security officer (CISO) Joseph Sullivan in August 2020.
Securing at-rest data in the cloud
The severity of these potential outcomes shows how critical it is for organizations to establish strong protective measures for their data at rest, particularly when that data is stored in the cloud. Data teams can accomplish this through a combination of robust security tools and industry best practices.
Key technologies to secure data at rest
Arguably, encryption is the best form of protection for data at rest—it's certainly one of the best. You can encrypt files that will be at rest either before storing them or by encrypting the entirety of a given storage drive or device. The cloud services from all of the major providers, including Google Cloud, Microsoft Azure, and AWS, offer various degrees of automated encryption. Additionally, some cutting-edge encryption tools allow machine learning models and their encrypted data to be securely deployed in the cloud.
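To make the "encrypt files before storing them" option concrete, here is an added example in Go (not Teradata's or any cloud provider's code): it seals a file's contents with AES-256-GCM before they are written to storage, prefixes the blob with an assumed 8-byte key ID so keys can be rotated, and binds the storage path as associated data so a blob cannot be silently moved to another location. The key, key ID, path and file contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keyIDLen, nonceLen = 8, 12 // blob = key ID || GCM nonce || ciphertext+tag

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128/192/256 selected by key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtRest encrypts file contents before storage; the storage path is bound as associated data, so a blob copied to another path will not open.
func SealAtRest(key []byte, keyID, path string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(keyID) != keyIDLen {
		return nil, fmt.Errorf("bad key or key ID: %v", err)
	}
	nonce := make([]byte, nonceLen)
	rand.Read(nonce) // fresh random nonce per object; crypto/rand.Read cannot fail (Go 1.24+)
	header := append([]byte(keyID), nonce...)
	return gcm.Seal(header, nonce, plaintext, []byte(path)), nil
}

// OpenAtRest selects the key by the embedded key ID (so keys can be rotated
// gradually); a wrong key, a wrong path or any modified byte fails the tag check.
func OpenAtRest(keys map[string][]byte, path string, blob []byte) ([]byte, error) {
	if len(blob) < keyIDLen+nonceLen {
		return nil, fmt.Errorf("blob too short")
	}
	gcm, err := newGCM(keys[string(blob[:keyIDLen])]) // unknown ID -> nil key -> error
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[keyIDLen:keyIDLen+nonceLen], blob[keyIDLen+nonceLen:], []byte(path))
}

func main() {
	key := make([]byte, 32) // all-zero demo key only; real keys come from a KMS or HSM
	blob, _ := SealAtRest(key, "k2021-01", "s3://bucket/payroll.csv", []byte("ssn,salary"))
	pt, err := OpenAtRest(map[string][]byte{"k2021-01": key}, "s3://bucket/payroll.csv", blob)
	fmt.Println(string(pt), err) // ssn,salary <nil>
}
```

The key-ID prefix is what lets you re-encrypt objects gradually after a rotation instead of all at once, which matters when the at-rest data set is large and rarely touched.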
Cloud-based firewalls, also known as firewall as a service (FWaaS) solutions, can bring all of the functionality of next-generation firewalls (NGFWs) to data at rest stored in your enterprise's cloud infrastructure. Key features include advanced URL filtering, intrusion prevention, domain name system (DNS) security, and deep packet inspection (DPI) tools. An FWaaS is also built to natively handle traffic protected with SSL, unlike traditional NGFWs. If any of your data at rest needs to be moved, the firewall's SSL compatibility helps ensure it stays protected. Also, FWaaS tools can protect both cloud and on-premises data at rest, making them particularly well-suited to hybrid cloud architectures.
Data loss prevention
Some security risks can't necessarily be mitigated by standard anti-malware software or firewalls—notably, phishing attacks and insider sabotage. That's where data loss prevention (DLP) solutions take over. These access control tools prevent data theft in various ways, which include blocking unauthorized USB or external hard drive connections to enterprise devices and preventing file transfers to personal email addresses.
Best practices for protecting at-rest data
Some enterprises' data at rest will be subject to federal regulations like HIPAA, as well as industry standards like PCI DSS for payment card data, and the GDPR for any employee or customer data pertaining to individuals residing in the EU. These stipulations often include precise instructions as to encryption and authentication methods, protective capabilities, and physical protections that must be observed. It's critical that the security strategy for your data at rest meets or exceeds such standards wherever they apply.
Many cybersecurity solutions allow you to establish policies that, once implemented, apply specific protections for specific data. Perhaps you want to limit access to financial records to certain members of your organization, or set up automated encryption for certain file types once they come to rest in your storage infrastructure. It's imperative to choose security tools that allow custom policy creation.
You must precisely identify, locate, and classify data at rest to properly secure it. Priority-based classification is one useful method. For example, the data workload of your enterprise resource planning (ERP) cloud app would be high-priority. Classifying data based on the risks resulting from its exposure is also helpful for encryption key setup and management—e.g., HIPAA-protected information requires exhaustive encryption.
Strengthening data protection with analytics
To truly protect your enterprise's data at rest, it's of the utmost importance that you fully understand your organization's data ecosystem. This takes several forms:
- Creating clear procedures and policies governing permissible, "whitelisted" access to data at rest.
- Establishing comprehensive visibility into all at-rest data via integration of multiple data sources, allowing you to more easily spot abnormal patterns or vulnerabilities.
- Monitoring data at rest in real time and dynamically adjusting policies, encryption keys, access permissions, and other security tools or practices as your enterprise's needs evolve.
Teradata Vantage simplifies the processes of identifying and securing your data at rest, as well as implementing comprehensive and exhaustive best practices for maintaining a security posture across cloud and on-premises storage infrastructure.
To learn more about Vantage's benefits, download the 2021 edition of Gartner's report on Critical Capabilities for Cloud Database Management Systems for Analytical Use Cases. Teradata's flagship solution ranks highest in all four use cases examined in the research.