Data at rest is stored data that resides on a disk and/or in a file. Data in motion is data that is being transferred across a network. Each form of data requires different controls for protection, which we will discuss next.
Drive and Tape Encryption
Drive and tape encryption protect data at rest, and they are one of the few controls that still protect data after physical security has been breached.
These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone.
Whole-disk encryption of mobile device hard drives is recommended. Partially encrypted solutions, such as encrypted file folders or partitions, often risk exposing sensitive data stored in temporary files, unallocated space, swap space, etc.
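As an added illustration of the whole-disk recommendation above (example code written for this page, not from the original), the scan below measures byte entropy across a constructed disk image: a folder-level scheme leaves readable residue in swap, temporary-file and unallocated blocks, which stand out as low-entropy regions, while a whole-disk image yields no findings. The block size, threshold and sample block contents are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096          # scan granularity in bytes (assumed)
LOW_ENTROPY = 6.5     # bits/byte; ciphertext sits near 8.0, plaintext text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a block, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_image(image: bytes, block: int = BLOCK, threshold: float = LOW_ENTROPY):
    """Return (offset, entropy) for every non-blank block below the threshold.

    Such blocks are candidate plaintext residue: temp files, swap, or
    unallocated space that a folder- or partition-level scheme never covered.
    Never-written (all-zero) blocks are skipped; they hold nothing to leak."""
    findings = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if not any(chunk):
            continue
        ent = shannon_entropy(chunk)
        if ent < threshold:
            findings.append((off, round(ent, 2)))
    return findings

def _ciphertext_like(seed: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(BLOCK // 32))

def _plaintext_residue(text: bytes) -> bytes:
    """A block filled with repeated plaintext (constructed sample data)."""
    return (text * (BLOCK // len(text) + 1))[:BLOCK]

def build_partially_encrypted_image() -> bytes:
    """Only a folder is encrypted; the rest is what the page warns about."""
    return b"".join([
        _ciphertext_like(1),                                        # encrypted folder
        _ciphertext_like(2),                                        # encrypted folder
        _plaintext_residue(b"swap: Jane Doe, acct 000-00-0000\n"),  # swapped-out page
        bytes(BLOCK),                                               # never-written space
        _plaintext_residue(b"~tmp/salaries_q3.xlsx: J. Doe 84000\n"),  # deleted temp file
    ])

def build_whole_disk_image() -> bytes:
    """Whole-disk encryption: every block, used or not, is ciphertext."""
    return b"".join(_ciphertext_like(s) for s in range(10, 15))

if __name__ == "__main__":
    print("partial:", scan_image(build_partially_encrypted_image()))  # two residue blocks
    print("whole  :", scan_image(build_whole_disk_image()))           # []
```

The same scan run over a real image or block device is a cheap way to verify that an encryption deployment actually covers the whole drive rather than just the folders users were told about.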
Media Storage and Transportation
All sensitive backup data should be stored offsite, whether it is transmitted offsite over a network or physically moved as backup media.
Sites using backup media should also follow strict procedures for rotating media offsite.
Always use a bonded and insured company for offsite media storage. The company should employ secure vehicles and store media at a secure site.
Ensure that the storage site is unlikely to be affected by the same disaster that may strike the primary site, such as a flood, earthquake, or fire.
Never use informal practices, such as storing backup media at employees' houses.
Protecting Data in Motion
Data in motion is best protected via standards-based end-to-end encryption, such as an IPsec VPN.
This of course includes data sent over untrusted networks such as the Internet, but VPNs may also be used as an additional defense-in-depth measure on internal networks, such as a private corporate WAN or private circuits like T1s leased from a service provider.