Data Encryption At Rest vs In Motion in Microsoft 365

Data is the most important resource that a company possesses. Any data loss event can be extremely disruptive, with serious consequences including regulatory fines, major revenue loss, and reputational damage. Data encryption is crucial for any organizations that deal with sensitive data including customer and employee information, payment details, company financials, M&A documents, government and defense data, and more. While data encryption may seem straightforward, data has several different states with each having its own security requirements and limitations.

Understanding the Difference Between Data at Rest, Data in Use, and Data in Motion

Understanding the different states of data is necessary to ensure it is properly protected at any point in its lifecycle.

1. Data in Motion

Data in motion, also referred to as ‘data in transit’ is the action of data transfer from one location to another – be it between storage devices, physical locations, etc. Any type of data movement is considered “in motion”, including transfers, downloads, uploads, and email attachments.

Data in motion is often considered the most vulnerable – since there are entire cyberattack methods used to intercept traffic mid-transfer. One example is Man in the Middle or MitM which is a self-insertion of a malicious actor between the sending and the receiving points of the transfer.

Examples of data in motion include an employee’s work-related data being transferred to a backup storage location, uploading data from a user’s smartphone to a company server, and data transfer from one server to another during a migration process.

2. Data in Use

Data in use is actively being updated, processed, or accessed by a system or end users in office applications, database applications, CPU data, and RAM. The act of “using” data includes editing, creating, deleting, or processing the data in applications (e.g., Word, Excel, PowerPoints, and PDF files). Data in use is particularly vulnerable since the act of “using” it often removes the security precautions, such as encryption, applied to it while at rest.

Examples of data in use could be an open spreadsheet with company finances, a database with business information being modified, and data that is left in RAM after one or several apps were used on that particular system.

3. Data at Rest

Data at rest refers to information in its inactive state, that is not being transferred or modified. It can be stored on hard drives, external portable storage appliances, and cloud file sharing applications like Microsoft SharePoint, One Drive, and other Cloud or on-premises file shares.

It is often considered the most “protected” data state out of the three. However, data at rest is also  very desirable due to the fact that an attacker has more data to choose from. Additionally, this data state is more vulnerable to insider threats where the perpetrator is an employee or contractor that has access to the file storage.

Examples of data at rest include documents stored on a user’s work PC and files stored on a company server or Cloud collaboration tool.

The Role of Encryption

Encryption has become an essential part of enterprise data security efforts. It aims to prevent unauthorized users from accessing data using complex algorithms to hide the contents of specific data parts for confidentiality.

The encryption process has three main parts: an encryption key, an encryption algorithm, and the encrypted bytes. From the perspective of data sovereignty, once encrypted, the bytes can be stored anywhere (the location of storage does not affect the sovereignty of ownership). The keys and algorithm define sovereignty and so are the items requiring tight controls.

The process uses a combination of an encryption algorithm and an encryption key to transform “plaintext” (readable data) into “ciphertext” – a completely unreadable mass of symbols. Ciphertext remains unreadable until it is decrypted or transformed back into its original readable form using the encryption key.

Think of encryption as a door that is secured using a lock and a key – with the lock being the encryption algorithm, and the key being the encryption/decryption key. If a person does not have the key to the door, then they cannot access what is stored behind it. Encryption renders the data inaccessible to anyone who does not have the decryption key to open or in this case decipher it, making it an important tool for data protection.

Regulations that Require Encryption

As digital transformation evolves and more data is digitized, cyber threats have taken center stage and so has encryption. In the quest to safeguard consumer data, global legislators have introduced regional and laws governing data privacy. Many of these require encryption or reference the protection of encrypted data, including, but not limited to:

• General Data Protection Regulation (GDPR) — European Union
• European Banking Authority — European Banks — European Union
• Data Protection Regulation — Denmark
• Bundesdatenschutzgesetz (BDSG) — Germany
• The California Consumer Privacy Act of 2018 (CCPA) — United States
• Federal Information Processing Standards (FIPS) — United States
• Gramm-Leach-Bliley Act — United States
• Healthcare Insurance Portability and Accountability Act (HIPAA)  — United States
• Payment Card Industry Data Security Standard (PCIDSS) — United States
• Personal Information Protection and Electronic Documents Act (PIPIDEA) — Canada

Failure to comply with applicable laws and the associated data protection guidelines, including at rest and in motion encryption mandates, can result in fines that can range from thousands to millions of dollars. If these laws are applicable to your business you need to understand what data protection methods are required such as encryption at rest, in transit, or end-to-end encryption.

Data Encryption Best Practices

It is clear that data encryption is universally considered an important security measure. It’s also vital to be able to apply it to data in all of its stages: at rest, in use and in motion when required.

Protecting Data in Use and In Motion

• Step up your identity management tactics. Credential theft is a serious problem. Employing systems that can make sure the person accessing the data is actually who they say they are (e.g., IAM and MFA), have become necessary to thwart credential theft.
• Control access to data. The best way to secure data in use is to apply granular controls and restrict access to the data itself based on its sensitivity. This can be accomplished by enabling attribute-based access control (ABAC) and obfuscation/hiding files that a user is not authorized to access. After all, you can breach what you can’t see.
• Restrict what users can do with sensitive data in use. Data protection needs to go beyond just approving or denying access. Put controls in place to limit what users can do with sensitive data. Consider secure read-only access to block printing, emailing or copying of highly sensitive files.
• Automatically encrypt sensitive data in use or in transit. Ensure data is encrypted whenever it is moving across any external or internal networks.
• Automatically encrypt sensitive files shared via email to ensure only the intended recipient can access the information.

Protecting Data at Rest

• Locate and secure sensitive data that needs at rest encryption in your document management systems. Automated scanning and discovery solutions can assist with this task.
• Classify sensitive data and monitor any changes to reevaluate sensitivity levels and readjust classification and/or data protection accordingly using automated scanning tools.
• Automatically encrypt select data if required. Not all data needs to be encrypted. By using classifications and other identification methods you can selectively encrypt only the files that require it as long as you have strong access controls in place for other sensitive data.
• Improve security on mobile devices. Restricting access to sensitive data on mobile devices, encrypting data inside of devices when necessary, and being able to outright ban access from devices that are lost or stolen are important preventative capabilities.
• Limit overprivileged access. Your administrators should only be able to open the files required to perform their job. Restricting what an admin or any user can view ensures that even if a hacker steals their credentials, the information they can access is limited.

Which Encryption Type Should Be Used?

Each encryption style adds layers of protection for organizations. So, the question becomes which encryption style should be used? For full protection, all three mechanisms should be deployed together. Encryption at rest should be used to grant NO user access to the file or database data as stored. The other encryption styles should then be layered to re-encrypt the information specifically for each user as they access it (including DLP). This eliminates the risk of rogue admin/privileged users from leaking information, ensures data sovereignty (the encryption keys are stored in-country or exclusively held by the data owner), and prevents breaches in network security from resulting in data loss.

Dynamically Encrypting Data at Rest and In Motion in Microsoft 365, SharePoint Servers & File Shares

Data encryption and key management are a core part of any organization’s security and compliance toolbox for protecting Microsoft 365 (M365) and SharePoint Server data. Microsoft applications include powerful encryption capabilities, but they do have limitations that can be augmented with third-party partner solutions like NC Protect.

NC Protect adds conditional encryption capabilities to the standard Microsoft Purview Information Protection and RMS controls that are enabled as part of your Microsoft Entra ID (formerly Azure Active Directory) domain. Combining these Microsoft controls with NC Protect’s attribute-based access control (ABAC) policies allows you to add dynamic encryption for real-time protection of sensitive and business-critical data.

NC Protect’s dynamic policies can be configured to automatically encrypt data whether the file is at rest or in motion – if the conditions warrant it. It also provides the ability to, for example:

• Easily encrypt SharePoint list data which is not possible using Microsoft technologies.
• If an at rest encrypted file stored on OneDrive is copied to a user’s hard drive, NC Protect can protect the file while in transit and encrypt it on the user’s device. This would not be possible using out-of-the-box encryption options.
• If a document has been digitally signed to authorize the content (legal agreement, government/defense policy, etc.), applying Microsoft encryption will corrupt the digital signature, resulting in an unauthorized document. NC Protect can protect digitally signed documents without invalidating the signature.
• Microsoft encryption is based on the application of a single label. For more granular protection, NC Protect can combine multiple labels (including third party labels) to apply encryption and DLP.
• Encryption in use is limited to a small set of document types when using Microsoft (Office and PDF). NC Protect extends supported document types through its “via DOCX” encryption capability – presenting the contents of documents such as TXT, CSV, etc. in DOCX format so that the user still enjoys the full client DLP experience.
• Even with the tightest Microsoft protection applied to a document (encryption and DLP), a bad actor or malicious user can still photograph the screen and leak data. With NC Protect, the same encryption/DLP can be applied while also redacting information and watermarking the document pages with the current user identification (not just the document author).
• Microsoft is required to comply with the regulations of the US Government. This includes providing access to encrypted information from the Purview platform if legally compelled to do so. NC Protect offers independent key management where only the customer has access to their encryption keys, so the contents of encrypted data remain exclusively controlled by the data owner.

Adding the optional NC Encrypt module provides independent key management capabilities for organizations using NC Protect that prefer to manage their own encryption keys. It allows Microsoft customers to maintain digital sovereignty by keeping encryption keys separated from data in the cloud. NC Encrypt also includes a connector for Thales CipherTrust Manager to leverage existing keys and HSM solutions with M365.

Conclusion

While data encryption is not the only method to prevent data loss, it is still an important, and sometimes mandated, part of any organization’s security toolbox. Being able to encrypt data at rest and in motion, and limit actions that can be taken with data in use, is an important capability to protect against insider threats and evolving cyberattacks. Automating encryption using conditional policies helps to remove the guesswork for users and build comprehensive enterprise-level security best practices.

NC Protect provides the ability to dynamically encrypt files based on their sensitivity in SharePoint Online, OneDrive and Exchange, as well as SharePoint Server and File Shares to keep your data protected no matter where it is stored or travels: in use, in motion and at rest.