Protecting Data "At Rest" – Encryption Is Not Enough

Computer data spends most of its life "at rest." Whether it sits on a desktop hard drive or somewhere in the cloud, "data at rest" is any data that is not, at a given moment, being transmitted or processed.

Encryption is often regarded as the main line of defence for sensitive data. But historically encryption has been associated with messages, that is, with "data in motion": data in transit, encrypted to protect it from eavesdroppers along the way.

Computer technology reinforces this association of encryption with "data in motion." A session key can be created on the fly and destroyed as soon as the message has been delivered. But "data at rest" is inherently persistent, so any key that protects it must persist for as long as the data does. Wherever that key lives, it has to be reachable by every process that legitimately reads the data, and is therefore itself a target for theft; storing it alongside the data it protects (a common shortcut) only makes the theft easier. Encrypting the key does not remove the problem, it only moves it: some other key is needed to unwrap it, and at the top of that chain there is always a key that must be usable in the clear, whether in memory, in a hardware module, or in a key-management service.

In particular, encryption offers no protection against misuse of data by insiders who are authorised to use the key: an administrator or service account that can decrypt (or ask a key-management service to decrypt on its behalf) sees exactly the plaintext an attacker would. Encryption still earns its keep against a stolen disk or a mislaid backup, but other means of protection, such as access control, auditing and reducing the amount of sensitive data that is stored at all, are needed to secure "data at rest."

One such alternative is Data Masking. In this technique, sensitive components of a record, such as account numbers or personal identifiers, are replaced with harmless substitutes (a row of # symbols, for instance). Done properly, the replacement is irreversible: there is no key and no lookup table that maps the masked values back to the originals, so the masked data can be manipulated, tested and analysed without risk of compromising the sensitive information. Gartner identified several vendors as leaders in Data Masking: Camouflage, Informatica, and IBM.
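As an added example (not code from the original page or from any of the vendors it names), the following Python shows static masking applied both to named record fields and to identifiers embedded in free text such as log lines. The field names (`account`, `ssn`, `email`), the sample records and the regular expressions are assumptions for the illustration; the masking keeps the last four digits of an identifier, which is a common policy but still a deliberate disclosure, and masks short values entirely so that a "last four" rule cannot expose most of a short identifier.

```python
"""Static data masking for records and free text.

Added example, not the page's code. Sensitive values are overwritten with '#'
characters; no key is used and no mapping back to the originals is kept, which
is the property that separates masking from encryption.
"""
import re
from typing import Callable, Dict, List

MASK_CHAR = "#"


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Replace digits with MASK_CHAR, keeping only the last `keep_last`.

    Separators such as spaces and dashes are preserved so the masked value
    keeps the shape of the original. If the value has no more digits than
    keep_last, every digit is masked: keeping the tail of a short identifier
    would reveal most of it.
    """
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    if len(digit_positions) > keep_last:
        keep = set(digit_positions[-keep_last:])
    else:
        keep = set()
    return "".join(
        MASK_CHAR if ch.isdigit() and i not in keep else ch
        for i, ch in enumerate(value)
    )


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain; mask the rest."""
    local, at, domain = value.partition("@")
    if not at:  # not an address at all: hide everything
        return MASK_CHAR * len(value)
    return local[:1] + MASK_CHAR * (len(local) - 1) + at + domain


# Which masker applies to which field. Field names are assumptions for the example.
FIELD_POLICY: Dict[str, Callable[[str], str]] = {
    "account": mask_digits,
    "ssn": mask_digits,
    "email": mask_email,
}


def mask_record(record: dict) -> dict:
    """Return a masked copy of `record`; the original is left untouched."""
    return {
        key: FIELD_POLICY[key](val) if key in FIELD_POLICY else val
        for key, val in record.items()
    }


# Patterns for identifiers that turn up inside free text (log lines, notes).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def mask_text(text: str) -> str:
    """Mask SSN- and card-shaped identifiers wherever they appear in free text."""
    text = SSN_RE.sub(lambda m: mask_digits(m.group(0)), text)
    return CARD_RE.sub(lambda m: mask_digits(m.group(0)), text)


def leaks(original: dict, masked: dict) -> List[str]:
    """Sensitive fields whose original value survives verbatim in the masked record.

    A cheap post-condition check: an empty list means no policy field was
    copied through unmasked.
    """
    haystack = " ".join(str(v) for v in masked.values())
    return [k for k in FIELD_POLICY if k in original and original[k] in haystack]


if __name__ == "__main__":
    # Constructed sample records; every value is made up for the example.
    sample_records = [
        {"name": "A. Customer", "account": "4111111111111111",
         "ssn": "123-45-6789", "email": "a.customer@example.com"},
        {"name": "B. Customer", "account": "5500 0000 0000 0004",
         "ssn": "987654321", "email": "b@example.org"},
    ]
    for rec in sample_records:
        masked = mask_record(rec)
        print(masked, "leaks:", leaks(rec, masked))
    # Constructed log line with identifiers embedded in free text.
    print(mask_text("refund to acct 4111 1111 1111 1111 for 123-45-6789 approved"))
```

Because `mask_record` returns a new dictionary and keeps no table of original values, the masked copy can be handed to a test or analytics environment with nothing that an insider there could use to recover the originals; the `leaks` check is worth keeping in the pipeline so that a new field added to the schema without a masking rule is caught rather than copied through.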