Encryption overview: data-at-rest vs. data-in-motion

We recently received a question from a client completing their cyber liability coverage questionnaire which asked : Indicate whether the Applicant encrypts private or sensitive date while at rest in the Applicant’s database or on the Applicant’s network?

They were confused… Encrypt how?   What am I missing?

When talking about encrypting data, there are two categories to consider… data-in-motion, such as when you send info in an email, or when we replicate backup data off-site to a 2nd location (which is encrypted in our ProtectSuite Backup and Recovery Solution, by the way), and data-at-rest, when it’s sitting on a hard drive or other storage media.

So start by asking, when the data in question is at rest, is it on your server, the servers of a hosted (SaaS/Software-as-a-Service) provider, or on your local PCs or laptops?  Each requires different solutions or research to answer definitively. Since the likelihood of losing data due to accidental loss or theft is greater when the device is portable, we usually recommend starting with laptops.

Newer versions of Windows  come with BitLocker, and Macs come with FileVault, and both work great.  However, they inherently don’t have any sort of centralized management to manage encryption of multiple systems.  Therefore, Suite3 offers centralized management as a service to manage encrypted devices for our clients that have encryption.

Some clients also choose to encrypt desktops, but many feel the risk of having a PC stolen from their office is low. However, many do choose to encrypt PCs in reception areas and other locations where the likelihood of a quick smash-and-grab crime of opportunity is higher.

When talking about data on a server, the conversation gets trickier.  We  typically do not endorse the use of full-drive encryption on a server – it bogs down performance in a major way, and even our clients in highly-regulated industries don’t typically leverage full-drive encryption on their servers.  However, the most sensitive data is quite often stored in some sort of database application, and if the database engine is some flavor of SQL (Microsoft or other), database encryption is an option, so that is usually turned on to some extent.  In that case, a client’s data may be encrypted in the database, but Word and Excel files on a file server may not be encrypted.

If your business runs a SQL application provided by a vendor, then your best bet is to ask them if their application is encrypting data-at-rest.  Similarly, if you are running any hosted/SaaS applications, you need to inquire if your data is encrypted at rest in their hosting facility.

We often find that software vendors will choose for key data to be encrypted, but non-key data will not.  For example, fields that hold Social Security Numbers, passwords, or other critical info gets stored in encrypted fields, while a street address or other non-personal data will not.  That keeps the search speeds and overall performance up since the database engine doesn’t have to decrypt non-sensitive info all the time.