Data in transit encryption

Avast Business Team, 25 April 2020

Find out everything you need to know about data in transit encryption and encrypting data at rest. From emails to IaaS, encryption ensures your data stays safe.

The difference between data at rest and data in transit 

When data collects in one place, it is known as data at rest. This data is stable and inactive: it is not currently travelling across a network or between systems. Data at rest can be stored on hard drives, backup tapes, in offsite cloud backup and on mobile devices. As it is not moving through any network, it is not being actively processed by any application. Data at rest should always be encrypted and, where possible, additional layers of security should be put in place, such as multi-factor authentication, cloud antivirus and both digital and physical access controls.

Data in transit is the opposite of data at rest. Data in transit is active and can be transferred via cables and wireless transmission to other locations either within or between computer systems. This data can travel across a network and is capable of being read, updated or processed. Examples include data in motion from local to cloud storage or an email being sent – when data arrives in the recipient’s inbox, it becomes data at rest.

How does encryption keep data safe?

Encryption is a powerful and effective technique for data security. It encodes data into an indecipherable form so that only authorized parties can access it. An encryption algorithm and a key transform the readable plaintext into ciphertext, which is data in an unreadable form; the receiving party then uses the corresponding key to decrypt it. Encryption keys are used to decrypt ciphertext back into readable plaintext, so without a key the information is unusable.

Encrypting important organizational data is beneficial in the event of a data breach, because the stolen data is unreadable without the key, and it supports the security and safeguarding measures required by the GDPR. Encryption is used to prevent data being read or manipulated by a machine or cybercriminal between the source and destination.

As the move to the public cloud is driven strongly by the speed at which companies can build and deploy globally available, highly scalable applications, many businesses opt to use Infrastructure as a Service (IaaS). IaaS enables organizations to replicate on-premises architectures in cloud environments. However, as with any other cloud service, it comes with security risks businesses must understand. 

With IaaS, users can have direct access to the cloud infrastructure, hardware and networks. Privileged users, such as the organization's own employees, can therefore become security liabilities if identity and access control policies are not strictly enforced. IaaS traffic is also exposed to attackers who break or bypass its encryption, enabling man-in-the-middle attacks that steal or modify data. Cybercriminals may also try to take over IaaS resources to run botnets, mine cryptocurrency or launch denial-of-service attacks. Businesses therefore need an IaaS security strategy to protect their cloud environments and prevent breaches.

Encrypting data in transit

Encryption of data in transit should be mandatory for any network traffic that requires authentication or carries data that is not publicly accessible, such as email. End-to-end encryption ensures that data is protected when users communicate, whether via email, text message or chat platforms. As soon as one user sends a message to another, the data in transit is encoded so that nobody in between, such as cybercriminals or telecom and internet providers, can read it. The data remains encrypted until it arrives at the recipient.

Two methods are used together to encrypt and decrypt data in transit: symmetric encryption with an agreed session key, and asymmetric encryption (with keys tied to a certificate) to exchange those session keys securely. Cryptographic protocols such as Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS), which authenticate data transfers between servers or systems, are also recommended, as they encrypt traffic between the endpoints and prevent unauthorized access.

Most encryption protocols also include a hashing algorithm, typically a keyed one, to ensure data is not altered in transit. This also helps defeat man-in-the-middle attacks: an attacker who decrypts and re-encrypts the data in between can change the bytes, but cannot produce a valid integrity check without the key, so the alteration is detected.
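The integrity check described above, as an added example that is not part of the original article: a constructed encrypt-then-MAC scheme in which the keyed hash (HMAC-SHA256) is computed over the ciphertext, so a message modified in transit fails verification at the receiver. The stream cipher built from HMAC in counter mode is an illustrative stand-in, not a production cipher.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a stream cipher (HMAC-SHA256 in counter mode),
    # illustrative only; production code uses AES-GCM or simply TLS.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Wire format: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unprotect(enc_key: bytes, mac_key: bytes, message: bytes, verify: bool = True):
    """Return the plaintext, or None when the integrity tag does not match.
    verify=False shows the protocol without its hashing step: the message
    still decrypts, so an in-path modification passes unnoticed."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if verify and not hmac.compare_digest(tag, expected):
        return None  # altered in transit, or tag made with a different key
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

def flip_bit(message: bytes, index: int) -> bytes:
    # Models an in-path modification: one bit of the byte at `index` is flipped.
    out = bytearray(message)
    out[index] ^= 0x01
    return bytes(out)
```

Calling `unprotect` with `verify=False` on a modified message returns silently corrupted plaintext, which is exactly the outcome the hashing step exists to prevent.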

Cybercriminals often aim to deceive victims into trusting their certificates, which then enables a man-in-the-middle attack in which the encrypted session is established with the attacker. This gives the attacker access to the data traffic, which they can then intercept.
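Whether a client will accept an attacker's certificate is decided by its TLS configuration. As an added example (not from the original article), the Python `ssl` context below shows the weak setting that trusts any certificate beside the corrected one, plus a small audit function a defender can run over an application's contexts; the function and finding texts are this example's own.

```python
import ssl

def weak_client_context() -> ssl.SSLContext:
    # Constructed "before" configuration: certificate checks switched off, so
    # whatever certificate an interceptor presents is accepted as genuine.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_client_context(cafile: str = None) -> ssl.SSLContext:
    # Corrected configuration: require a certificate that chains to a trusted
    # CA (system store, or the cafile given), check that it names the host we
    # dialled, and refuse TLS versions below 1.2.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let a man-in-the-middle certificate be trusted."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 permitted")
    return findings
```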

Data at rest encryption 

When securing cloud-based data at rest, most encryption uses a symmetric algorithm – allowing timely encryption and decryption. This can include using PIN codes or passwords to secure the symmetric key. Hashing algorithms can be used to validate if any files have been modified.

Examples of encryption at rest include AES-encrypted portable media, some of which include a fingerprint reader for two-factor authentication, and BitLocker in Windows operating systems, which secures both system drives and external media.
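The two at-rest practices described above, a password securing the symmetric key and hashes validating that files have not been modified, as an added example that is not part of the original article. The key is stretched from the password with PBKDF2, and the manifest uses a keyed hash with that key (this example's own design choice) so that someone who can rewrite the files cannot simply recompute the manifest; the sample files are constructed.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256

def derive_key(password: str, salt: bytes) -> bytes:
    # Stretch the user's password or PIN into a 256-bit key. The salt is
    # stored beside the manifest; the password is not stored anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

def build_manifest(key: bytes, files: dict) -> dict:
    """Map each file name to an HMAC-SHA256 of its contents under `key`."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}

def verify_manifest(key: bytes, manifest: dict, files: dict) -> dict:
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = hmac.new(key, files[name], hashlib.sha256).hexdigest()
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report

# Constructed sample "volume": file name -> contents.
SAMPLE_FILES = {
    "payroll.csv": b"name,amount\nalice,100\n",
    "notes.txt": b"quarterly review\n",
}
```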

Transparent Data Encryption (TDE) is a data-encryption technology that encrypts the data files of SQL Server, Azure SQL Database and Azure Synapse Analytics (SQL DW). You can take several precautions to help secure a database, such as designing a secure system, encrypting confidential assets and building a firewall around the database servers. One solution is to encrypt sensitive information in the database and protect the keys used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.

Avast Cloud Antivirus 

Avast Cloud Antivirus safeguards your data while it’s on the move. 

Get Avast Cloud Antivirus now to enable data in transit encryption, or try it for free for 30 days.