Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Uncovering the Data Security Triad

Data Must be Protected as it Exists at All Points in the Processing Lifecycle

Data Must be Protected as it Exists at All Points in the Processing Lifecycle

Data is often an organization’s largest and most valuable asset, making it a prime target for all types of adversaries both criminal and nation-state. Nearly every week a new data breach is announced, serving as a consistent reminder that data security matters. In the first half of 2018 alone, 944 breaches led to 3.3 billion data records being compromised. But what does true data security look like? Numerous solutions herald the necessity of and their ability to provide ‘end-to-end protection’ but when we break through the buzzwords, do we have a clear picture of what it means to secure data? 

With attack vectors emerging from every possible angle and attackers becoming increasingly sophisticated, it has become clear that every part of data security matters — from secure data storage, transit, and processing to access control and effective key management. If one aspect is vulnerable, it undermines the effectiveness of the other security measures that have been put in place.

This multi-dimensional risk requires a holistic, data-centric approach to security, one focused on protecting the data itself at all points in its lifecycle rather than concentrating efforts only on its perimeter of surrounding networks, applications, or servers. Organizations must ensure data is secured at all times by: 

1. Securing Data at Rest on the file system, database, or storage technology

2. Securing Data in Transit as it moves through the network

3. Securing Data in Use, while the data is being used or processed

Data Security Triad

Together, these elements form the Data Security Triad, representing the trifecta of protection required to ensure data is secure throughout its entire lifecycle. 

At the core of this protection strategy is encryption. Encryption renders data useless to an attacker, making it unreadable and therefore removing its value. Thus, encryption is able to undermine the attackers’ purpose – stealing assets of value – and makes the target infinitely less appealing. 

Experience tells us that if there is data of value at stake, attackers will find a way to find and reach it – we can’t just lock the front door; every point of entry needs to be protected.  Consequently, limiting encryption to only a portion of the Data Security Triad is a dangerous oversight. It is critical to protect data at rest, in transit, and in use.

• Data at Rest: Inactive data stored in any digital form, Data at Rest may be located on the hard drive or in databases, data lakes, cloud storage, or countless other locations. Often thought of as the safest state of data, we typically see perimeter-based technologies and solutions implemented as a first line of defense, with additional layers added depending on the purpose and sensitivity of the data itself. These extra measures include keeping sensitive data encrypted whether stored on premise or in the cloud. Due to the aggregated nature of data storage, Data at Rest is an attractive target for attackers interested in exfiltrating large quantities of valuable data.  

• Data in Transit: Data is vulnerable while in transit, whether moving through a private network, local devices, or a public/untrusted space. It is widely recognized that encrypting Data in Transit is standard practice – it’s typically one of the first areas of focus for a security team as they look to lock down data assets. It’s a must have – and as long as businesses adhere to proper protocols, transport encryption is an efficient and effective line of defense. 

• Data in Use: If the two previously described states of data can be simplistically labeled as the best understood and most solutioned, Data in Use should be referred to as most overlooked. As such, it has quickly become the point of least resistance for an attacker. At the most basic level, the challenge in the Data in Use arena is tied to a lack of recognition of the problem itself. The vulnerability has been ignored in part because some in the security world incorrectly assume that protecting Data at Rest and Data in Transit means their work is done. However, the increasing sophistication of attackers coupled with the foundation-rattling disclosures regarding flaws in the processing mechanisms of ubiquitous computer chips requires that businesses of all sizes open their eyes to the importance of protecting Data in Use. Data is most valuable when we’re using it to extract insights, which can be accomplished by executing searches or analytics to deliver critical information. Beyond access controls and user authentication, which are important parts of any security plan, there are a variety of commercially available solutions and technical methods being used to combat this vulnerability including homomorphic encryption, secure multiparty compute, and secure enclave technologies. 

We know attackers are evolving and our security practices must evolve as well. Protection schemes must recognize and secure data as it exists at all points in the processing lifecycle, whether at rest, in transit, or in use.   

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...