Data at Rest vs. Data in Motion

You might be looking for data protection software and wonder what the sales websites mean when they talk about “data at rest” and “data in motion.” Other terms you could see include “data in transit” and “data traffic.” Data can be stolen, damaged, or deleted, and those events can occur when that data is either being moved or static.

Some system activities involve a combination of data in motion and data at rest. For example, the standard for email transmission always consists of storing the email on a mail server. Therefore, to protect data fully, you need to secure it both at rest and in motion.

Here is our list of the four best security systems for data at rest and in motion:

CrowdStrike Falcon Insight (FREE TRIAL) The combination of endpoint-based EDR and a cloud-based SIEM. Versions are available for Windows, macOS, and Linux.
Endpoint Protector This data loss prevention system watches overall points on a system that can be used for data exfiltration. Available as a hosted service, as an app on cloud platforms, or for installation as a virtual appliance.
Acunetix A vulnerability scanner for Web applications and networks. Available as a hosted SaaS platform or for installation on Windows, macOS, or Linux.
ManageEngine DataSecurity Plus A package geared towards data protection for standards compliance with a vulnerability scanner, sensitive data discovery, and file integrity monitoring. It runs on Windows Server.

Protecting data at rest

There are several levels of protection that you can implement for data at rest. However, you will probably end up with at least two layers of security to protect the data stored on your system. The four types of protection that you need to consider for data at rest are:

Endpoint protection
Data loss prevention
File integrity monitoring
Cloud account security

You can read more about these security services in the following sections.

Endpoint protection

An endpoint protection system is usually called endpoint protection and response (EDR) because these security packages include mechanisms to shut down attacks on endpoints. There are two threats to your endpoints – malware, an automated method to steal or damage data, and intrusion, a manual attempt.

The core of an EDR is what used to be known as an anti-malware service. However, as manual threats also need to be spotted and blocked, anti-malware required systems to expand their capabilities; this is how EDR systems came about.

Data loss prevention

There is an overlap in the purpose of EDR and data loss prevention (DLP) systems by the methodologies of the two systems are different. DLP services watch all exits and block unauthorized data transfers. This could be in the form of files attached to emails or chat messages, the copying of files onto a memory stick, transfers over network applications, such as FTP, and, However, as the printing of documents.

DLP is necessary because it also blocks insider threats. Authorized users can disclose or damage data either accidentally or intentionally. The user could be a whistleblower or disgruntled. Tricksters might impersonate colleagues and fool a user into sending data.

Another type of insider threat is the disclosure of credentials because of phishing attacks. The result of a successful phishing attempt is called account takeover (ATOI). It is possible to buy security packages that address this tactic. ATO detection can also be integrated into EDR and DLP packages.

File integrity monitoring

There are two types of file integrity monitoring (FIM) services. The first of these protect critical system files from tampering. For example, log files must be stored and preserved in their original state if a business follows a data protection standard, such as PCI DSS, HIPAA, or GDPR. This is because external auditors will check these files for signs of data disclosure or misuse of personally identifiable information (PII).

Log files are also important sources of security information, and Security Information and Event Management (SIEM) systems mine logs for signs of intrusion or other malicious activity. Thus, log files should be protected from tampering because intruders know that they need to delete records from log files to keep them hidden.

FIM is also used to protect PII from inappropriate use. So, FIM involves finely tuning user groups and ensuring that only those accounts needing access to PII can get at those data stores. FIM for PII requires the security system to know where PII is held and how sensitive that data is. Thus, FIM systems are usually paired with sensitive data eDiscovery services. These categorize data by its degree of sensitivity. Therefore, the FIM system needs to be set up with security policies to direct different levels of security monitoring for specific categories of sensitivity.

Cloud account security

If your business uses cloud-based tools delivered on the Software-as-a-Service model, the package probably also includes storage space for data, such as log files. You might also have an account with a data storage service, such as OneDrive or Google Drive. Another commonly accessed cloud service is Web hosting.

In all of these services, your account is held on the same server as many other accounts. Therefore, you need to be sure that other account holders can’t break into your disk space, and you also don’t want the provider’s technicians to access your data.

Cloud providers ensure account privacy by fully encrypting the disk space allocated to each subscriber. This encryption is usually implemented with the Advanced Encryption Standard (AES) cipher with a 256-bit key. AES provides powerful, uncrackable encryption. Within that cloud account, you will need to set up user accounts.

Most cloud storage and productivity suites, such as Microsoft 365, allow account administrators to set up individual user accounts. The management of these accounts is as essential on cloud services as it is on your network. In addition, they enable the activity tracing services built into cloud systems to provide helpful information.

Data in Motion

Protecting data in motion is a much simpler task than safeguarding data at rest. This is because data security for internet connections has been a big issue for a long time. There are very competent protocols in existence to block hacker attempts on data in transit. Capturing data as it crosses the internet requires excellent technical skills that many hackers just don’t have. The newer scam of tricking credentials out of users is a lot easier to perform.

When protecting data in motion, you need to look at the following services:

Web transactions
File transfers
Team collaboration

As communication is the connective tissue between applications, the issues involved in securing data in transit are closely tied to data management at rest. The task of tracking activity with logs and tightly defining access rights spread across all resources in your system. So, when you have organized your system to secure data at rest properly, you have already performed most of the tasks needed to secure it in motion.

Protecting Web transactions

You no doubt activate and manage HTTPS for all of your Web connections. With that security service in place, you have pretty much covered your Web transaction security. In addition, periodic Web application vulnerability scanning will ensure that hackers do not have inroads into your core systems through your public-facing Web presence.

Web application firewalls can also give constant protection for your Web-based assets.

File transfers

The File Transfer Protocol (FTP) is one of the oldest systems used on the Internet, and it has worked well in all respects other than security. However, you should ensure that all of your data movement systems use SFTP or FTPS instead of FTP. Although you would choose to launch a secure file transfer system to move files, you don’t know what all of your applications are using.

System documentation and vulnerability scanning will give you insights into where file transfer activity is not adequately protected.

Team collaboration

Team collaboration systems require information to be shared. This results in the same data being both at rest and in motion. So, for example, if a group of people have access to the same document that is held on Google Drive and access it through Google Docs, that document is at rest on the Google server, its content is also frequently transferred back and forth between the Google Server and the browsers of the people who are updating it.

Fortunately, the security of those transfers is implemented by HTTPS, and the at-rest security is covered by the account encryption provided as standard by Google. Unfortunately, these security measures don’t block unauthorized disclosure by authorized users. So, your DLP solution will need to have the capability to monitor cloud resources as well as your network’s endpoints.

The best tools to protect Data at Rest and Data in Motion

You need a range of security services to protect data at rest and in motion entirely. Fortunately, some packages cover several of the functions that you should put in place for complete data security.

What should you look for in security for data at rest and in motion? 

We reviewed the market for data security systems analyzed tools based on the following criteria:

A service that can cover several data protection requirements in one package
Options for on-premises installation plus SaaS solutions
A system that is compliant with data privacy standards
A guided service that will automatically cover all data security issues that the system administrator might otherwise overlook or be unaware of
Adaptable methods that can be adjusted by templates or manually.
A free tool or a paid service that offers a free trial or demo for assessment
Value for money, represented by a complete set of functions that provide proper security without costing too much

With these selection criteria in mind, we produced various options to suit businesses of all sizes.

You can read more about each of these tools in the following sections:

1. CrowdStrike Falcon Insight (FREE TRIAL)

CrowdStrike Falcon Insight adds a cloud-based SIEM onto an EDR product of CrowdStrike, called Falcon Prevent. Each Falcon Prevent instance, installed on Windows, macOS, or Linux, acts independently while also uploading activity reports and log data to the Insight cloud module.

Pros:

Spots zero-day malware, including new viruses, spyware, and ransomware
Combines EDR and SIEM
Implements UEBA for activity baselining
Incorporates a threat intelligence feed

Cons:

No file integrity monitoring

You can get a 15-day free trial of Falcon Prevent.

CrowdStrike Falcon Insight’s cloud system gets a threat intelligence feed and applies user and entity behavior analytics (UEBA) to establish an activity standard and then spot anomalous behavior. The cloud system coordinates the activities of the Prevent instances and warns all modules if one experiences an attack. The endpoint agents are equipped to shut down threats by quarantining files, isolating the device, and killing processes.

Get FREE Trial: https://go.crowdstrike.com/try-falcon-prevent.html

2. Endpoint Protector

Endpoint Protector is a data loss prevention system that operates on endpoints. It implements activity tracking on the device, which includes application usage. It also offers a sensitive data discovery and classification service.

With a main module managing monitoring activities, endpoint agents for Windows, macOS, and Linux gather data and implement controls and responses.

Controls include USB activity management that can block all data from being copied onto memory sticks or just ban the movement of classified data. Similarly, the service monitors data movement attempts on cloud services and email systems, such as Outlook, Skype, and OneDrive. The printing of sensitive data can also be controlled. Access rights management tools work with security policies to control access to different levels of sensitive data held in files.

Endpoint Protector is a SaaS system, and it is also available on the relevant marketplaces of AWS, GCP, and Azure. It can also be installed as a virtual appliance.

Pros:

Provides a thorough strategy for the monitoring of sensitive data
Quickly detects threats on an endpoint and communications that activity to other device agents
Implements rapid responses to malware and intruder threats
Controls all possible channels for data movement
Improves access rights management

Cons:

An integrated SIEM would have been nice to have

Endpoint Protector is a great pick for a data security tool because it covers all of the services that data thieves can use to get data out of a network. So whether the con artists manipulate innocent users into sending data out or breaking into the system and stealing it themselves, Endpoint Protector will block them.

Get access to a demo: endpointprotector.com/get-demo

3. Acunetix

Acunetix is a Web application vulnerability scanner that seeks out 7,000 weaknesses, including the OWASP Top 10. There is also a network vulnerability scanner option for Acunetix, which can identify more than 50,000 potential exploits.

Acunetix implements Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) and also includes an Interactive Application Security Tester (IAST), called AcuSensor. This is an excellent tool for protecting Web applications and thus, blocking ingress by intruders that would like to get hold of your sensitive data.

Pros:

DAST, SAST, and IAST scanning
Web application and vulnerability management
Offers scans on-demand or continuously

Cons:

No sensitive data monitor

This tool is suitable for businesses that need to prove compliance with PCI DSS, HIPAA, and ISO 27001. Acunetix is offered as a hosted SaaS platform, and you can also download the software for installation on Windows, macOS, and Linux. Assess Acunetix by accessing the demo system.

4. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a data loss prevention system with auditing and risk assessment functions. Useful features of this package include a vulnerability scanner, sensitive data discovery and classification service, and file integrity monitoring.

The sensitive data management service in DataSecurity Plus covers cloud servers as well as on-premises endpoints. As well as tracking down sensitive data, it helps you configure security policies and scans your access rights management system, producing recommendations for improvements. The resulting file integrity monitoring service offers a finely tuned and graded protection service for different data classifications. Other security features of this package include USB and email attachment controls.