How to Determine Data Security Controls

You need data security controls that protect your data as it is stored, used and transmitted.

  • Understanding data states. The industry identifies three data states:
    • Data at rest is data stored on a storage medium (disk, tape, etc.).
    • Data in motion is data moving from a source (such as a computer) to a destination (such as another computer).
    • Data in use is data that is actively being worked on (for example, a person editing a spreadsheet).
  • Scoping and tailoring. Scoping is the process of finalizing which controls are in scope and which are out of scope (not applicable). Tailoring is the process of customizing the implementation of the in-scope controls for an organization.
  • Standards selection. Standards selection is the process by which organizations plan, choose and document technologies and/or architectures for implementation. For example, you might evaluate three vendors for an edge firewall solution and use a standards selection process to determine which solution best fits the organization. Vendor selection is closely related to standards selection but focuses on the vendors, not the technologies or solutions. The overall goal is an objective and measurable selection process: if a totally different team repeats the process, they should arrive at the same selection as the first team. If they do, you know your selection process is working as expected.
  • Data protection methods. The options for protecting data depend on its state:
    • Data at rest. You can encrypt data at rest. Consider encryption for operating system volumes and data volumes, and encrypt backups, too. Be sure to consider every location where data rests, such as tapes, USB drives, external drives, RAID arrays, SAN, NAS and optical media.
    • Data in motion. Data is in motion when it is being transferred from one place to another. Sometimes it is moving from your local area network to the internet, but it can also be internal to your network, such as from a server to a client computer. You can encrypt data in motion to protect it. For example, a web server uses a certificate to establish a TLS session that encrypts the data a user views, and you can use IPsec to encrypt communications between hosts. There are many options. The most important point is to use encryption whenever possible, including for internal-only web sites available only to workers connected to your local area network.
    • Data in use. Data in use is often in memory because it is being used by, say, a developer working on code updates or a user running reports on company sales. The data must be available to the relevant applications and operating system functions. There are some third-party solutions for encrypting data in memory, but the selection is limited. In addition to keeping the latest patches deployed to all computing devices, maintaining a standard computer build process, and running anti-virus and anti-malware software, organizations often rely on strong authentication, monitoring and logging to protect data in use.
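As an added example (not code from the original article), the following Python maps each of the three data states above to a concrete check a practitioner could run: an inventory audit that flags unencrypted volumes and backups (data at rest), a TLS client context that requires certificate verification and a TLS 1.2 floor plus an audit for weak contexts (data in motion), and a helper that wipes a secret from memory as soon as the operation using it finishes (data in use). The `StorageLocation` class, the inventory values and the helper names are assumptions made for this illustration.

```python
"""Added example, not from the original article: checks that map the three
data states to concrete controls.

- Data at rest: audit a constructed storage inventory and flag every location
  (backups and removable media included) that holds data without encryption.
- Data in motion: build a TLS client context that requires certificate
  verification, hostname checking and a TLS 1.2 floor, and audit any context
  for those three properties.
- Data in use: run an operation on a secret held in a mutable buffer and wipe
  the buffer as soon as the operation finishes.

StorageLocation and the inventory values are constructed for illustration.
"""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageLocation:
    name: str
    medium: str          # disk, tape, usb, external, raid, san, nas, optical
    encrypted: bool
    is_backup: bool = False


def audit_data_at_rest(inventory):
    """Return one finding per location that stores data without encryption."""
    findings = []
    for loc in inventory:
        if not loc.encrypted:
            kind = "backup" if loc.is_backup else "volume"
            findings.append(f"{loc.name}: unencrypted {kind} on {loc.medium}")
    return findings


def make_strict_client_context():
    """TLS client context that verifies the server and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()   # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_client_context():
    """A context with verification disabled: the misconfiguration the audit should catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Flag settings that would let data in motion travel unverified or weakly protected."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    return findings


def use_secret(secret: bytearray, operation):
    """Run operation(secret) and zero the buffer afterwards, even on error.

    Python cannot guarantee no other copy exists (the operation must not turn
    the buffer into an immutable bytes/str), but wiping the buffer we control
    keeps the plaintext's lifetime in memory as short as possible.
    """
    try:
        return operation(secret)
    finally:
        secret[:] = bytes(len(secret))   # overwrite in place with zeros


if __name__ == "__main__":
    inventory = [                                    # constructed sample data
        StorageLocation("db-volume", "disk", encrypted=True),
        StorageLocation("nightly-backup", "tape", encrypted=False, is_backup=True),
        StorageLocation("field-usb", "usb", encrypted=False),
    ]
    for f in audit_data_at_rest(inventory):
        print("at rest:", f)
    for f in audit_tls_context(make_weak_client_context()):
        print("in motion:", f)
    print("strict context findings:", audit_tls_context(make_strict_client_context()))
    buf = bytearray(b"s3cret")
    print("in use: operation result", use_secret(buf, len), "buffer after:", bytes(buf))
```

The at-rest audit deliberately reports backups as their own finding category, since the paragraph above singles them out as a location that is easy to forget. The TLS audit checks the three properties that determine whether a connection is actually protected (verification required, hostname checked, protocol floor); a context that fails any of them encrypts traffic to whoever answers, which is not the same as protecting data in motion.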
