May 02, 2022 by Marko Dinic

A Complete Guide to Encryption — Data at Rest, Data in Motion and Data in Use

As businesses increasingly rely on technology to facilitate day-to-day operations, strict security controls are necessary to shield sensitive or confidential data from unauthorized access.

Unauthorized access to data can compromise customer privacy and expose companies to significant financial risk.

Data encryption is a key security control used to protect data at rest, in transit, and in use.

In this article, we will look at the differences between data at rest vs data in transit vs data in use and everything you need to know about data in use, data at rest and data in transit encryption.

What exactly is data encryption?

Data encryption transforms your data into unreadable code (ciphertext) using a cryptographic algorithm.

In order for unauthorized users to decode and access sensitive information, they need to first decrypt the ciphertext using a cryptographic key – a secret key randomly generated by an algorithm.

Corporations, governments, and individuals use encryption to safeguard data stored on their computing systems as well as information that moves in and out of their organizations.

This last issue is especially important for multinational enterprises, with the EU establishing new compliance standards for data traded between the US and EU member states.

The fact that data security and compliance standards are getting more strict and complex calls for an equally sophisticated security strategy.

What are the three different states of data?

The first step in selecting the correct encryption technique is to understand the distinctions between three types of data states – data at rest, data in motion and data in use – and the security concerns that each poses.

  • Data in transit refers to information that is traveling from one point to another. This includes email, collaborative tools, instant messengers, and nearly any public communication channel. Given its accessibility over the internet or private business network as it travels from one location to another, this data is often less secure than inactive data. As a result, data in transit is a potential target for hackers.
  • Data at rest refers to data that is not actively traveling between devices or networks. Because this data is often kept or preserved, it is less risky than data in transit. Data at rest can be information saved in a database or data kept on a hard drive, computer, or portable device.
  • Data in use refers to data that is actively being accessed and processed by users. Data is most vulnerable in this stage, whether it’s being read, processed, or updated, because it’s immediately available. This leaves it exposed to attack or human mistake, both of which can have serious implications. Encryption is critical for securing data in use, and many companies may supplement their encryption solutions with additional security measures such as authentication and data access restrictions.

How encryption helps protect data in motion vs data in use vs data at rest

While the risk profile for data in transit and data in use is higher than for data at rest, attackers target information in all three phases. They will hunt for assets or intellectual property that are the easiest to breach.

Encryption is essential throughout all three data states, whether protecting data at rest and in motion or encrypting files before storing them to offer an extra layer of protection against assaults on its internal servers.

Any data that is not encrypted or secured is vulnerable. Businesses’ risk criteria will vary depending on the type of their information and whether it is in transit, in use, or at rest, but encryption is a critical component of their protection on all fronts.

Before delving into particular strategies for protecting data in its three forms, there are two things you should keep in mind.

First, reactive data protection is ineffective. Once a company’s data is compromised, the focus switches from protection to risk management and damage control. Instead of playing catch-up, firms should assess which data is in danger and implement proactive protection methods to prevent attacks from occurring.

Second, smart classification is crucial for smart protection. Companies will be in the greatest position to adopt the most effective security methods if they categorize all of their data and understand its risk profile in each state.

Implementing automated protocols will also guarantee that accurate defensive mechanisms are activated as data switches between states, ensuring that it is always protected.

Best practices for data in transit

  • Create strong foundations — Firewalls and authentication are basic but powerful network security technologies for defending against malicious assaults and attempted breaches.
  • Implement automated policies and controls — Today’s data security solutions include automated rules that prevent dangerous files, warn users when they are in danger, and automatically encrypt data in transit. This assists businesses in safely managing an increasing number of email attachments, portable disks, and information transfers.
  • Implement email encryption — Encrypting email guarantees that its contents are secure and that any attachments are encoded. Encryption can be used to aid with security and categorization in email delivery, directory sync, and email archiving.
  • Prevent data loss with a DLP solution — A data loss prevention (DLP) solution assists businesses in preventing the loss of intellectual property, customer data, and other sensitive information. DLPs monitor all emails and attachments for possible leaks by employing configurable rules based on keywords, file hashes, pattern matching, and dictionaries. Suspicious emails can then be banned, quarantined for inspection, or sent through a secure messaging gateway, depending on the regulations of the organization.

Best practices for data in use

  • Implement data controls before usage — Before anybody can access the information, safeguards for data in use should be put in place. There’s no way to regulate what a hacker does with the data they’ve obtained after a sensitive document has been hacked.
  • Increase your identity management efforts — Identity theft is on the rise, especially as people share more of their personal information online than ever before. Identity management systems lower the risk of fraud by helping organizations to ensure that users are who they say they are before granting access to any paperwork and sensitive data.
  • Manage access rights — Whether using digital rights protection, information rights management (IRM), or another way, you should deploy security solutions to limit the actions a user may perform with the data they access.

Best practices for data at rest

  • Use complete disk encryption to be safe — A misplaced laptop or tablet may only cost a few hundred dollars, but the data on its hard disk may be worth a lot if it gets into the wrong hands. Malicious users cannot access the data on a lost drive without the proper logins thanks to full disk encryption.
  • Implement DLPs — In addition to safeguarding data in transit, DLP solutions enable organizations to search for and discover sensitive material on their networks, as well as prohibit access for certain individuals.
  • Extend loss prevention to the cloudCloud access security brokers (CASBs) let businesses apply DLP policies to data that is stored and shared in the cloud. This can be seen in back-end systems and collaboration platforms like Slack and Microsoft 365. The way a CASB works is similar to that of a DLP, but its policies and features are tailored to the cloud.
  • Secure mobile devices — Mobile phones and tablets are commonplace in the modern workplace, and mobile device management (MDM) is a popular method of managing the data stored on these devices. MDM technologies restrict data access to corporate applications, ban devices that fall into the wrong hands, and encrypt whatever data they contain so that it is indecipherable by anybody other than authorized users.

In conclusion

Data encryption is a critical component of data protection and securing sensitive information while it is in transit, in use, or at rest.

Companies can safeguard their information from data loss, as well as the fines, legal bills, and income loss that usually accompany a large security breach by using the correct processes, methods and solutions.

Jatheon is a data archiving specialist with an AWS-based cloud solution for the long-term retention, use and retrieval of corporate business communications, primarily used for litigation support, FOIA requests and compliance with industry and state-specific laws. Apart from encryption, Jatheon’s cloud platform boasts other security features such as geofencing, multi-factor authentication and 24/7 proactive monitoring.

To learn more about archiving your corporate email, chat, social media and phone records with us, contact us or book a demo of our system.


What data should be encrypted?

There are many types of data that should always be encrypted to ensure protection against unauthorized access. This includes personally identifiable information, financial records, customer information, confidential business data, and any other information that could lead to privacy breaches or legal implications. Encryption should be applied to all three data states to provide the most protection.

When should data be encrypted?

Your data should be encrypted at all times while it isn’t in use, meaning whenever it is stored or being sent from one place to another. Having rest data encrypted ensures nobody can access its information and encryption in-transit data ensures nobody can eavesdrop while you are sending or receiving data. The outlier is when someone wants to read and use this data. In this situation it should be decrypted while in use and encrypted as soon as its use is no longer needed.

What types of data encryption are there?

There are three types of data encryption. Symmetric encryption uses a single key to both encrypt and decrypt data making it quick at performing encryption, but easy to crack if someone obtains the key. Asymmetric encryption uses a pair of keys, one for encryption and the other one for decryption. These keys can be public or private allowing them to be easily shareable and secure. Hashing is a one-way encryption method that converts data into fixed-size values based on a mathematical formula. Hashed data is supposed to be irreversible and is used as a verification mechanism.

Which encryption is most secure?

Currently AES 256-bit encryption is the most secure encryption standard available. It uses a 256 bit key length and is widely used in symmetric encryption as a highly secure and robust option to data protection. AES 256 is the evolution of the AES 128-bit encryption standard which has never been broken in the past and would take hundreds of years to break. This means that AES 256 which is much more advanced is sure to keep any data safe without a reliable way to be cracked.

Is data encryption expensive?

The cost of data encryption varies on many different factors like the encryption method, the scale of implementation, and resources required for data and key management. This means that there are expensive and cost-effective encryption solutions available suited for different business sizes and requirements. It should be noted that the benefits of encryption far outweigh the potential risks of data breaches and legal risks involved if data isn’t encrypted.

Can encrypted data be hacked?

In theory, yes, any data encryption can be hacked, but it requires a significant amount of time and computing power to crack. Encryption greatly reduces the chances of successful hacking to nearly zero. Properly implementing encryption and using strong algorithms and keys make it extremely challenging for hackers to decrypt your data without the correct key especially if you are using asymmetric encryption. However no security measure is invulnerable and hacking techniques are getting better and better meaning it’s crucial to use up-to-date encryption methods to prevent hacking.

About the Author
Marko Dinic
As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.

See how data archiving can simplify compliance and ediscovery for your organization

Book a short demo to see all the key features in action and get more information.

Get a Demo

Share via
Copy link
Powered by Social Snap