The Complete Guide to Data at Rest Protection in 2023

Data at rest refers to all sensitive information stored digitally: anything from customer records in databases to emails living in your Office 365 archive to proprietary research files on shared folders.

Unlike data in motion, data at rest sits in persistent storage media, either on-premises or in the cloud. It accumulates endlessly over time and is often left unclassified and unprotected.

This data sprawl causes two major problems:

  1. You don't know where all your sensitive information resides. Lacking visibility, you can't reasonably protect it.

  2. Attackers rely on organizations not bothering to classify and safeguard data at rest. They count on finding lightly secured treasure troves of personal data, intellectual property and more.

High-profile examples show what's at stake when attackers infiltrate data stores that companies assumed were safely tucked away in internal systems:

These incidents underscore why locking down data at rest must become a top priority. For companies handling financial information, healthcare records, intellectual property and other sensitive assets, data discovery, classification and strong protections serve as a critical foundation.

What Qualifies as Data at Rest?

Broadly speaking, data at rest encompasses all persistent information across an organization outside of memory and not actively transmitting from one endpoint to another. This stretches far beyond just files stored on hard drives. Specific examples include:

Structured Databases

  • Transactional records in HR, CRM, finance and other databases
  • Archives in data warehouses and data lakes
  • Sensitive information in log files

Email and Collaboration Platforms

  • Historical message stores in Exchange and Office 365
  • Project files and sensitive documents in SharePoint and file shares

Desktops and Servers

  • Files on employee PCs and Macs
  • Application data hosted on servers

Cloud Storage

  • SaaS platforms like Google Drive, Dropbox, Box
  • Data stored in IaaS storage buckets (AWS S3, Azure Storage, Google Cloud Storage)

And many other reservoirs accumulating regulated data.

Why You Need Data at Rest Protections

With data breaches now costing firms an average of $4.35 million per incident globally, locking down these inactive stores provides enormous risk reduction at relatively low effort.


Beyond financial damages, data breaches erode customer trust that's extremely hard to rebuild. By safeguarding sensitive information proactively, you reduce the likelihood of front-page exposés about loss of personal data, IP theft or compliance failures.

Additionally, regulations with stiff penalties mandate protections and audit trails for any regulated data your business handles. These include frameworks like:

  • HIPAA protecting healthcare records
  • PCI DSS safeguarding credit card data
  • GDPR guarding EU citizen information
  • State privacy laws like the CCPA governing CA resident data

Depending on your industry, this regulated data likely sits untouched in databases, file shares, archives and other dark corners of your digital estate. Identifying it, classifying it appropriately and applying controls prevents costly legal consequences down the road.

Core Data at Rest Protection Capabilities

Safeguarding diverse sensitive information at rest relies on capabilities working in concert across people, process and technology controls. Core components include:

Discovery

Identifying where regulated data hides allows you to measure risk levels and apply appropriate controls. Discovery frequently unearths vast unknown stores of sensitive data accumulated over the years.

Classification

Once discovered, sorting data by associated level of risk ensures you classify higher sensitivity assets separately from more general public information. This prevents overprotecting less risky data needlessly.

Encryption

Rendering data unreadable without an encryption key provides fundamental protection against compromised credentials, insider risks and data leaks. Applied properly to relevant data stores using robust algorithms, encryption significantly reduces attack surface.

Access Controls

Managing permissions to open, read, modify and export sensitive datasets limits exposure to only appropriate end users. This reduces insider threat potential.

Activity Monitoring

Tracking all access attempts, unusual user behaviors and policy changes provides an audit trail to understand the sequence of a compromise or pinpoint excessive data handling.

Key Management

Storing and managing encryption keys represents its own security challenge. Keeping keys protected yet accessible requires hardened infrastructure detached from encrypted data stores.

These six foundational pillars enable a defense in depth posture for securing data at rest scalably across any size organization.

The 13 Best Data at Rest Encryption Solutions for 2023

Now that we've covered essential security concepts, below we evaluate the top 13 platforms purpose-built for enterprise data at rest protection:

| Solution | Best For | Key Features |
| --- | --- | --- |
| DigiCert Data Protection | Encryption key management at enterprise scale | Central policy engine with granular key controls; encryption analytics and compliance reporting; high availability with geo-distributed architecture |
| Micro Focus Voltage | Format-preserving encryption for databases | Specialized database and file encryption; centralized encryption platform; field-level protection options; tokenization |
| PKWARE Smartcrypt | Automated protection workflows | Auto-discovers sensitive information; transparent encryption controls; workflow engine automation; dashboard monitoring |
| Thales Vormetric | Protecting containerized applications | Application-layer data security; protects Docker, Kubernetes; encryption down to row/cell level; supports cloud object storage apps |
| Netskope | Cloud access security broker (CASB) | Advanced cloud data loss prevention; identifies risky behaviors; machine learning detection; client-side encryption options |
| comforte AG | Securing business systems (CRM, ERP) | Lightweight data protection modules; API-based integrations; specializes in SAP encryption; format-preserving controls |
| HelpSystems GoAnywhere | File and database column encryption | Folder, file share and document-level encryption; database column and cell encryption; simplified key management; detailed audit logs |
| WinMagic | Full disk encryption for endpoints | Encrypts hard drives on laptops, desktops; manages native OS encryption controls; central policy administration console; asset inventory and risk reports |
| Micro Focus Voltage | Format-preserving database encryption | Specialized for databases; balances security and performance; tokenizes structured data fields; broad compliance certifications |
| Zettaset XCrypt | Transparent encryption controls | Encrypts without application changes; software-defined protection; container orchestrator support; tight SIEM platform integration |
| Fortanix Self-Defending Key Management Service | External cloud key management | Hardened external key service; enforces strict separation of duties; FIPS 140-2 Level 3 compliance; automates encryption key policies |
| SecurEnds Data Privacy Suite | Classification-driven data protections | Automated sensitive data discovery; risk-aware data classifications; tailored protection plans based on 28+ data types; 50+ compliance reports |
| TitaniumCloud | Public cloud data security posture management | Unified visibility across AWS, Azure, Google Cloud; 30+ compliance frameworks; identifies overexposed data; easy remediation workflow |

This cross section covers specialized capabilities like structured database encryption, automated classification-driven protections, simplified key orchestration platforms, and external key management detached from encrypted data stores.

Selecting the right platform depends on your environment – whether you need to lock down encryption sprawl across a complex hybrid infrastructure or simply strengthen controls around a single critical database.

Let's explore some key considerations when evaluating options.

On-Premises vs External Key Management

A core decision is whether the cryptographic keys used to encrypt and decrypt data are managed internally on-premises or externally, through a cloud service designed specifically for hardened key management that is kept separate from the data it protects.

On-prem key management utilizes hardware security modules (HSMs) or key management appliances kept inside data centers and private clouds. It allows keeping encryption keys close to encrypted data operationally while hardening storage and access controls. On-prem key management affords physical control and reduces latency during encryption/decryption tasks.

External key management physically isolates keys outside the infrastructure secured by those keys, typically using a cloud service dedicated to cryptography like Fortanix. This increases security assurance by preventing keys from falling prey to underlying storage vulnerabilities but can increase operations latency. External key management works especially well for organizations reliant on public cloud IaaS wanting extra isolation between regions.

The right approach depends on operational risk appetite, hybrid architecture complexity, compliance demands, geographic distribution and whether you intend to encrypt data universally or just regulated subsets.

For smaller firms reliant on just one physical site, internal key management provides satisfactory assurance. Larger entities operating globally distributed multi-cloud environments will likely want to investigate external key management for higher trust levels.

Understanding Critical Data Type Risks

Not all data warrants the same level of protection. Focus first on safeguarding regulated data with contractual protections or tied to compliance mandates like HIPAA and PCI DSS rather than attempting broad encryption unconditionally.

Common high risk data types demanding strict controls include:

Financial Information: customer banking data, credit card numbers, accounting data with competitive intelligence

Healthcare Information: medical records, patient treatment plans, insurance details and payment info

Employee Records: performance reviews, banking details, social security numbers, background checks

Student Information: financial aid numbers, grades, standardized test scores

Intellectual Property: proprietary algorithms, manufacturing processes, copyrighted works

Approaching protection by selectively handling these regulated data types provides better efficiency than attempting coverage universally across all files and databases regardless of sensitivity. Prioritize safeguards and auditing around data with retention requirements, contractual privacy commitments or handling exposure (like credit card numbers).
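Discovery and classification, as described under Core Capabilities and again in the list of high-risk data types above, come down to pattern-matching stores for regulated data and assigning each store the highest sensitivity level of anything found in it. The following is an added example and not code from the article or from any product it reviews. It runs over constructed sample files, validates card-number candidates with the Luhn check to avoid false positives, and uses an assumed three-level policy (public, confidential, restricted).

```python
"""Added example: a minimal discovery-and-classification pass over constructed
sample files, targeting the regulated data types the guide lists."""
import re

# Constructed sample "files" standing in for a crawled file share or export.
SAMPLE_FILES = {
    "hr/payroll_2023.csv": "name,ssn,salary\nAna Ruiz,123-45-6789,72000\n",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",
    "marketing/newsletter.md": "Contact us at hello@example.com for more!\n",
    "eng/README.md": "Build with make; run tests with make test.\n",
}

PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Sensitivity implied by each data type (assumed policy, not from the article).
LEVEL_FOR = {"credit_card": "restricted", "ssn": "restricted", "email": "confidential"}
RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_valid(digits):
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return {data_type: count} for every regulated pattern found in text."""
    hits = {}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "credit_card":
                digits = re.sub(r"[ -]", "", m.group())
                if not (13 <= len(digits) <= 16 and luhn_valid(digits)):
                    continue  # not a plausible card number
            hits[kind] = hits.get(kind, 0) + 1
    return hits


def classify(hits):
    """The highest level of any data type present decides the file's level."""
    level = "public"
    for kind in hits:
        if RANK[LEVEL_FOR[kind]] > RANK[level]:
            level = LEVEL_FOR[kind]
    return level


def inventory(files):
    """Map each path to its level and hit counts: the discovery output a protection plan starts from."""
    result = {}
    for path, text in files.items():
        hits = scan_text(text)
        result[path] = {"level": classify(hits), "hits": hits}
    return result


def restricted_paths(inv):
    """Stores to encrypt and lock down first."""
    return sorted(p for p, r in inv.items() if r["level"] == "restricted")


if __name__ == "__main__":
    for path, r in inventory(SAMPLE_FILES).items():
        print(f"{r['level']:<12} {path:<28} {r['hits']}")
```

Real scanners add file-type parsing (office documents, database exports, archives), checksum-based deduplication and sampling for large stores, but the shape is the same: candidates from patterns, validation to cut false positives, and a per-store level that drives which controls apply.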

Embedding Security Earlier into Applications

Too often data protection gets relegated to storage teams rather than shifting left into application development. The result? Unprotected data needlessly moves from app to database to file shares lacking adequate controls until repositories eventually get compromised.

Embedding safeguards like encryption, tokenization and masking directly into apps and databases provides stronger data-centric protection from inception without reliance on adjacent controls.

Specialized data protection platforms like comforte AG focus explicitly on data-aware embedded controls across business systems like ERPs and CRMs handling regulated data types. This inside out approach does incur some development costs upfront but reduces risk surface further as apps operate directly on protected data elements from the start.
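What "operating directly on protected data elements" looks like in an application, as an added example that is not code from the article or from comforte AG: the app tokenizes a card number before it is ever written to its own database, stores a masked form for display, and only the one component that genuinely needs the real number calls back to the vault. The `TokenVault` class is an in-memory stand-in for a tokenization service whose mapping would live in its own hardened, encrypted and access-controlled zone; the lookup key and sample values are constructed.

```python
"""Added example: application-layer tokenization and display masking for card
numbers, so downstream databases and file shares never hold the real PAN."""
import hashlib
import hmac
import re
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Stand-in for a tokenization service (assumed); in production this runs
    in its own zone and the token-to-PAN map is encrypted at rest."""

    def __init__(self, lookup_key):
        self._lookup_key = lookup_key  # keyed hash so the index never holds raw PANs
        self._token_by_hash = {}       # HMAC(PAN) -> token
        self._pan_by_token = {}        # token -> PAN, the only place the PAN is kept

    def _index(self, digits):
        return hmac.new(self._lookup_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return a same-length, all-digit token keeping the last four digits.
        Deterministic per PAN, so joins and duplicate checks still work on tokens."""
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a card number length")
        key = self._index(digits)
        if key in self._token_by_hash:
            return self._token_by_hash[key]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(len(digits) - 4)) + digits[-4:]
            if token != digits and token not in self._pan_by_token:
                break
        self._token_by_hash[key] = token
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token):
        """Only components that truly need the PAN (e.g. the payment call) may do this."""
        return self._pan_by_token[token]


def mask(pan):
    """Display form with first six and last four visible, the rest hidden."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def order_record(vault, customer, pan):
    """What the app writes to its own database: a token and a masked form, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan), "card_display": mask(pan)}
```

Because the token keeps the card's length and last four digits, existing schemas, reports and customer-service screens keep working, which is what makes this cheaper to retrofit than application-wide encryption. The trade-off is that the vault becomes the one store that must be protected to the highest standard, which is why it is isolated from the applications that call it.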

Getting Started with Data at Rest Protection

Hopefully this guide provides greater visibility into core data at rest encryption concepts, leading products and key decisions like on-prem vs external key management.

Deploying effective data protections relies first on educating stakeholders horizontally across security, applications, cloud infrastructure and compliance teams rather than operating in silos.

Next, focus on mapping capabilities to your real-world environment: identifying regulated data types, monitoring existing stores, rationalizing the apps that handle sensitive data and evaluating encryption options that require less restructuring.

By inventorying your existing data landscape then applying controls strategically rather than haphazardly, you balance security with operational sustainability while still upholding privacy commitments to customers and partners.

Now is the time to get serious about limiting data at rest risks before attackers demonstrate those risks for you in your next breach headline.
