There are basically two ways to keep data out of the hands of hackers. One is to protect every endpoint leading to it, making it essentially inaccessible. The other is to encrypt the data, so that even if hackers get to the document they cannot read it. But where should encryption be applied?
For many organizations, encryption is a requirement wherever sensitive data resides on their network. But what happens when that data leaves the network, or moves to another location? Is caution thrown to the wind?
In this article, we’ll demonstrate why Encryption at rest isn’t always enough to secure sensitive data.
But first, let’s get some pesky definitions out of the way.
Data at Rest vs. Data in Transit
This is a relatively simple definition, as far as cybersecurity terms go—Data at rest is data that is sitting, i.e. resting, in one place. Any data that is not actively moving from one place to another, such as device to device or network to network, is considered data at rest. On the other hand, Data in transit, or data in motion, is data that is moving from one location to another, whether from device to device, or across a private network or the internet. Pretty basic, right?
Why Encrypt Data at Rest?
For many companies that already have robust security controls in place, it can seem like a moot point to encrypt data resting on your servers. After all, what’s the point of encrypting all that data and slowing things down when someone needs to retrieve it if a hacker could never get to it in the first place?
This is dangerous thinking, though. Ask any security pro, and they’ll tell you that no network is truly safe. Even if you have a firewall and stringent network access controls in place, it’s unlikely that you can be 100% successful in keeping bad guys off of your network. Even if your company is using a firewall, a DMZ, and a reverse proxy, you're still connected to the outside world. And that’s why it’s essential that any data that can possibly leave your network should be encrypted at rest.
When you encrypt data at rest, you make a hacker's job a lot harder. Any successful hacker would not only have to break into a server, but they would also have to break the encryption or find the key to decrypt the data. This will make their task exponentially longer, or even near impossible.
But data isn’t only vulnerable when it’s at rest, in fact it can be an even easier target when it’s in transit.
Why Encrypting Data in Transit Matters
Not only is it important to encrypt data as it rests on your home server, but it's equally important to encrypt data as you transfer files from one server to the next—i.e., data in transit.
Any time data is traveling over a network—whether local, across the internet, or from local storage to cloud storage, there is some risk that it could be intercepted by a third party, read, and stolen. So, it stands to reason, that if you are simply encrypting data at rest, say via the automatic encryption on an Amazon S3 bucket, but are transferring it to that bucket unencrypted, that data is exposed at the most vulnerable stage of its lifecycle.
To combat that risk, it's essential to use end-to-end encryption that covers both data at rest and in transit when moving sensitive data.
While simple FTP was once enough, modern IT teams need more secure infrastructure that can mix the ease-of-use of Enterprise File Synchronization and Sharing (EFSS) solutions like Dropbox with the reliability of FTP like WS_FTP, as well as end-to-end encryption. This is where managed file transfer (MFT) can help.
If you're really serious about securing your data, a managed file transfer system (MFT) is one of the best investments you can make to ensure secure communications and file transfers.
