Data at rest

What is data at rest?

Data at rest refers to all data that is stored passively in databases, file servers, endpoints, removable storage devices and offline backups. Data at rest is inactive and often considered less of a target (by admins) than other data classifications, so it is often secured with inadequate controls. However, sensitive data at rest, like PII, ePHI and credit card information stored in unsecure locations, are a major source of cybersecurity weakness and magnets for malicious entities looking to steal data.

Classification of data states

Data at rest is one of the three classifications of data states. The other classifications are data in motion and data in use. Data in use is data that is currently being accessed, modified or processed by an organization and its stakeholders. Data in motion is data that leaves the periphery of the company to be used by external stakeholders or taken out by employees working remotely. The classifications for these three data states are useful in planning and implementing data leak prevention (DLP) policies.

Data at rest vs. data in motion

Each data state warrants a different approach to security and control. The points of difference can be viewed from data use, transmission, vulnerability to attacks, and security controls.

Point of difference Data at rest Data in motion
Usage Static data that is not currently accessed, modified, or processed by users Data that is being shared
Transmission Only on demand or never Continuously or frequently shared
Vulnerability to attacks High: For cloud storage backups
Low: For offline backups
Always high: Unencrypted data passing through the internet, unsecure removable storage devices used to carry data
Effective security control Offline backups with high physical safety controls Encryption of data passing through the internet, restricting USB devices, and file copy activity to control data transferred using a data leak prevention solution

Threats to data at rest

The various threats that data at rest can be exposed to include:

  • Hackers trying to gain access to cloud backups of datat
  • Poor physical security controls for offline backups
  • Data loss due to inadvertent physical storage damage
  • Unauthorized access gained by users
  • Careless employees exposing data stored in an organization's devices during remote work situations

How to secure and protect data at rest

Data at rest should be protected based on dual perspectives: protection against insider activity and protection from external entities. Unintentional mistakes by careless employees or calculated data theft attempts by insiders can damage the company massively if a data breach occurs. Controls that authorize use for appropriate users will help limit risks. For data stored passively in endpoints, a DLP solution can help track and block exfiltration of data. Stringent user permissions management is essential to reduce insider incidents.

It is difficult to ensure that all security holes are plugged and that all risks are eliminated. However, organizations can safeguard against hackers by employing encryption as one of the security layers that shields enterprise data. As a last resort, secure offline backups are a must to lessen the impact of data theft.

Data leak prevention with DataSecurity Plus

ManageEngine DataSecurity Plus is a unified data visibility and security platform that provides granular monitoring, analyzing, and reporting of events generated from file servers, databases, or endpoints. With the data leak prevention capabilities of DataSecurity Plus, you can:

  • Monitor sensitive files accessed and shared in your endpoints to quickly detect malicious activity.
  • Track file copy events to identify suspicious user activity and set predefined responses to stop unauthorized copy actions.
  • Screen outbound emails for classified attachments and block them to prevent business-critical data from leaving the organization.
  • Restrict or block USB storage devices to avoid organizational data from being leaked or shared outside the organization.
  • Allow only organization-approved removable storage devices to be used by employees.
  • Audit printer activity to analyze users trying to reproduce information in print.

Explore these features and more with a free, fully functional, 30-day trial.

Download now
Email Download Link