Securing Data at Rest and in Motion
Episode 14 • 5th December 2022 • Modern Digital Business • Lee Atchison

Shownotes

Creating a secure application requires many actions, but by far the most important are those that involve securing the data in the application; these are the most difficult actions. When it comes to securing application data, there are two unique and distinct types of data that must be secured:

  • Data at rest. This is data that is stored in a datastore, database, cache, or other mechanism. This includes data anywhere from the application’s database, to log files, to application and system configuration files. 
  • Data in motion. This is data that is being actively accessed and used by the application. Typically from a security standpoint, it refers to data that is being transferred from one part of the application to another part of the application, or between two different applications.

Typically, data at rest is data that is stored in a database, ready to be used by some part of the application, while data in motion is data being sent to another application or service, or is being received from another application or service.

Keeping data safe and secure is critical in most modern digital applications. Virtually every modern business requires safe and secure communications in order to provide their business services. Bad actors abound, so keeping applications—and their data—safe and secure is critical to keeping your business operational.

Today on Modern Digital Business.

About Lee

Lee Atchison is a software architect, author, public speaker, and recognized thought leader on cloud computing and application modernization. His most recent book, Architecting for Scale (O’Reilly Media), is an essential resource for technical teams looking to maintain high availability and manage risk in their cloud environments. Lee has been widely quoted in multiple technology publications, including InfoWorld, Diginomica, IT Brief, Programmable Web, CIO Review, and DZone, and has been a featured speaker at events across the globe.

Take a look at Lee's many books, courses, and articles by going to leeatchison.com.


Transcripts

Lee:

Bad actors abound. It's a fact of life. Your application is constantly under attack. While there are many reasons why a bad actor might attack your application, a common reason is to get access to your data. Data breaches are expensive, trust-destroying, company-ending tragedies. So keeping data safe is absolutely critical to the successful operation of your business. But keeping data that's at rest safe and secure is entirely different than keeping data that's in motion safe.

Let's take a look at some of the ways applications can keep sensitive data safe while the data is stored in the database or is being transported over a network. Are you ready? Let's go.

Lee:

Creating a secure application requires many actions, but by far the most important are those that involve securing the data in the application. These are the most difficult actions. When it comes to securing application data there are two unique and distinct types of data that must be secured.

The first is data at rest. This is data that is stored in a data store, database, cache, or other mechanism. This includes data anywhere from the application's database to log files to application and system configuration files.

The second is data in motion. This is data that is being actively accessed and used by the application. Typically, from a security standpoint, it refers to data that is being transferred from one part of the application to another part of the application, or between two different applications or services.

Let's take a look at some examples of each kind.

Lee:

An example of data at rest is your user profile on an online application's website. This might include things like your username, password, profile picture, email address, physical address and other contact information. It might include application information about how you're using a given application.

In a more local setting, data at rest is all the files on your computer: your spreadsheets, Word documents, presentations. Any file or document that you are storing on your computer.

Data in the database is considered data at rest because it's being stored. It's not currently being used or transmitted anywhere. It's just sitting available in the database ready to be used.

Lee:

A simple example of data in motion in the same online application is when the application asks you to log in using your username and password. That information is being transferred from your computer, tablet, or phone to the backend servers of the web application. While it is being transmitted, the data is said to be in motion. Any data you type on your keyboard or send in an email or put into a text message or send in an API request, all of that is data in motion.

The key is this: the techniques you use to secure data at rest are very different than the techniques you use to secure data that's in motion. Let's take a look at each in turn.

Lee:

First, data at rest. There are two primary strategies for securing data at rest: securing the storage mechanism used to store the data and encrypting the data itself.

A secured storage mechanism is the least secure model. It involves ensuring that the database or data store that contains the data is physically inaccessible from bad actors. This usually involves firewalls and other physical restrictions. This works fine to keep outside bad actors from accessing the data, but if a bad actor is able to infiltrate your system, all data at rest stored this way is now vulnerable and can be compromised. This model should only be used for less sensitive data.

Lee:

A more secure method of storing sensitive data involves encrypting the data as it is stored. That way, if anyone were to attempt to access the data from the inside or the outside, they won't be able to read and leverage the information without the proper encryption and decryption keys and permissions.

A critical issue with encrypting stored data is where and how do you store the encryption keys? You do not want to store them in the same location as the data itself, as that removes the security advantages of decryption. For the same reason you don't store your front door key to your home under your door mat. Instead, the key should be stored in an independent location that is inaccessible to a bad actor if the data at rest is compromised.

There are many options, some simple and some complex. One excellent option for a cloud application is to use your cloud provider's key storage service. For example, AWS offers the AWS KMS, or Key Management Service, for exactly this purpose. In addition to storing your encryption and decryption keys, such services provide assistance in organizing the keys and changing the keys regularly.

Lee:

Sometimes securing data at rest is best done by not storing the data at all. A classic example is credit card information. There is very little reason for most modern websites to ever store credit card information, encrypted or not, anywhere within the application. This applies to e-commerce stores as well as things like content subscription sites. Even sites that charge a customer's credit card on a recurring amount do not need to store the credit card information within the application.

Instead, the best practice is to make use of a credit card processing service, a third party service, and let them store the credit cards for you. Then you only need to store a token given to you by the processor that refers to the credit card in order to give your application access to the credit card for a given transaction.

There are many credit card processing services including Stripe, Square and PayPal. Additionally, large e-commerce stores provide credit card processing services such as Amazon and Shopify. These companies provide all of the security requirements and meet all the legal restrictions to successfully store and process credit cards.

By using tokens, you can still provide an interface to your customers that looks like you are natively processing the credit cards for yourself. Yet you'll never store the credit cards and hence never need to worry about their security.

Lee:

Now let's talk about data in transit. Protecting data in transit is the process of preventing data from being hijacked as it is sent from one service to another, one application to another, or to and from a customer. Data in transit involves both communications internally between internal services as well as communications externally between unrelated services or directly with a customer's web browser or mobile application.

Here there are three primary risks for data in transit.

The first, data read. A data read threat is when sensitive data is sent between services. If data is useful or sensitive if exposed, then protecting the data from being read by a bad actor in transit is critical. Data read risk means simply having the data read by a bad actor would be sufficient to generate a compromising situation. Examples of data read vulnerabilities include reading passwords, credit card numbers, and other personally identifiable data.

Lee:

The second risk is data change. A data change threat is when sensitive data is vulnerable to being changed by a bad actor while it is being transmitted from one location to another. The bad actor changes in-flight data. This could be used to give the bad actor additional access or could damage the data and the consumer of the data in some manner. Examples of data change vulnerabilities include changing the dollar amount of a bank transaction that's in transit, or the destination where a wire transfer is being sent. Such a change made in transit could positively impact the bad actor and negatively impact the proper recipient.

The third risk for data in transit is data origin change. A data origin threat is when a bad actor can generate data and make it look like the data was created by someone else. This is similar to the data change threat and results in the same types of outcomes. But rather than simply changing data, such as changing the dollar amount of a deposit, the bad actor can actually create new messages with new meanings. Examples of data origin vulnerabilities include creating fraudulent bank transfers from scratch, or issuing illegal or damaging requests on behalf of an unsuspecting victim.

Lee:

When we think about protecting data in transit, we normally talk about encrypting the data. We do this to prevent data read attacks and data change attacks. For data origin attacks, additional strategies must be used to ensure messages come from the proper location, such as authentication tokens, signed certificates, and other strategies.

In modern applications, TLS and SSL are the primary tools to protect in-transit data. These provide end-to-end encrypted communications along with certificates to ensure proper origination of messages. Today, on-the-fly SSL encryption is so simple and commonplace that almost all web applications make use of SSL, specifically using the HTTPS protocol for all webpage communications, whether sensitive data is being transferred or not. Sites often do this to prevent data origin attacks.

Lee:

Keeping data safe and secure is critical in most modern digital applications. Virtually every modern business requires safe and secure communications in order to provide their business services. Bad actors abound, so keeping applications and their data safe and secure is critical to keeping your business operational.

Thank you for tuning into Modern Digital Business. We release new episodes every other Monday. We also occasionally release short topic episodes on Tuesdays, which we call Tech Tapas Tuesday. To make sure you get every new episode when they become available, click subscribe in your favorite podcast player or go to mdb.fm/listen. If you want to learn more from me, then check out one of my books, courses, or articles by going to leeatchison.com and sign up for emails from me at mdb.fm/follow.

Thank you for listening and welcome to the modern world of
