Richard Blech

Cyber Resilience and Protecting Data-at-Rest

When we speak of data-at-rest, we refer to data that is kept in some type of storage medium. This can include file storage, servers, private object storage, databases, cloud storage, containers, block storage and endpoints, like IoT or IIoT devices. The data, such as file data and multimedia, may not be retrieved or modified regularly. However, protecting data in this state is just as critical to the security of an organization’s overall cyberinfrastructure as protecting data that is being utilized and data that is in transit.

Threats to data-at-rest exist both inside and outside an organization. For malicious actors, it is a tempting target that tends to hold a much larger volume of information than the small amounts of data traveling back and forth on a network in packets. Data-at-rest is also particularly vulnerable to employee negligence, especially now, when due to the prevalence of IoT and remote work, the endpoints of a typical organization’s network extend well beyond the physical boundaries of a building, and the security measures that would otherwise prevent unauthorized access to data on those devices are not always followed.


Organizations of all industries have to contend with some set of security standards, general requirements or regulations regarding data. For example, under HIPAA, health organizations in the United States are required to use encryption technologies to protect medical data-at-rest; this is based on HHS’s deferral to NIST’s Guide to Storage Encryption Technologies for End User Devices. Also, vendors that supply cloud computing services to the IRS are required to encrypt federal taxpayer data that is at rest on their systems. There are consequences for failing to comply with the standards and regulations, not to mention the likely financial fallout of a cyberattack that was facilitated by insufficient data protection measures. Additionally, harvesting of encrypted data by foreign-state adversaries, such as China and Russia, is and has been a regular occurrence.


Safeguarding data-at-rest is a necessary part of creating a viable data protection environment. Here are some actions and principles organizations can implement to help protect their data-at-rest:

  • Know the Location and Classification of all Data-At-Rest. Implementing security measures for data-at-rest will be for naught if the data that is supposed to be protected is not properly identified and treated as sensitive data. Organizations should conduct an inventory of all data, maintain thorough records of the location of all sensitive data and have that data correctly classified according to risk. This will entail routinely reassessing data to fully determine risk and protection levels.

  • Encryption Is Fundamental To Data At-Rest Protection. At the heart of protecting data-at-rest is encryption. As a defense-in-depth technique, it is one of the most important elements of a layered cybersecurity approach and is most effective when working in conjunction with other security measures, like access control. The encryption of sensitive data, as well as any associated metadata, can be implemented by encrypting the data before it is stored or by encrypting the storage medium itself. Whichever method is used, it is not a security measure that should be overlooked or skipped. It is the fail-safe solution that will keep the data unreadable should a device or the cloud be infiltrated and the data stolen.

  • Use the Right Cryptographic and Encryption Technology. The type of cryptographic technology organizations use to encrypt their data can make all the difference. In this modern age, it is necessary to use cryptographic solutions that are robust enough, and optimized for today’s systems, to withstand current attacks and the attacks that will be implemented in the future using quantum computers against legacy systems and classical cryptography. The encryption should be applicable to any type of data that has to be stored, easy to integrate into a cybersecurity framework and easily scaled to adjust to the changing cybersecurity needs of an organization. Many current cryptographic technologies use the AES algorithm, which can yield a maximum encryption strength of 256 bits and may be vulnerable to a post-quantum attack from Grover’s Algorithm or to side-channel attacks. However, future-ready solutions like the FIPS 140-2 validated XSOC CORP Cryptosystem provide quantum-safe protection for data-at-rest and do so with encryption strength that can range variably from 512 bits to 51200 bits, initialized with a quantum-safe entropy source, without performance impact. The XSOC CORP solution is the ideal encryption tool because it was designed to be easily integrated with only two lines of code.

  • Develop and Enforce Access Control Policies. Access to any data should be strictly regulated so that access to sensitive data is available only to authorized parties. Access should be granted only after the parties have been authenticated, preferably by multifactor authentication. MFA is a necessary aspect of authentication because it serves as yet another layer of protection against unauthorized users.

  • Use Isolation Principles When Storing Data. While this can be implemented as a way to regulate access and help enforce a Zero Trust approach to securing data, storing individual data elements in different locations can make it significantly less likely that malicious actors will be able to obtain enough data to ransom or to disrupt an organization’s operations. Of course, any data that has been encrypted with the right encryption solution will be unusable to the malicious actors.
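The "encrypt the data before it is stored" approach described in the list above, as an added example that is not part of this article or of any XSOC CORP product: it uses the Go standard library's AES-256-GCM to seal a record before it is written to storage, binding a constructed classification label to the ciphertext as additional authenticated data, so the label stays readable for inventory purposes but cannot be altered at rest without decryption failing. The StoredRecord type and the label format are assumptions for illustration, and the key is assumed to come from a KMS/HSM rather than being stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// StoredRecord is what lands in storage; the label stays readable but is bound to the ciphertext as AEAD additional data.
type StoredRecord struct {
	Metadata   string // constructed classification label, e.g. "classification=restricted"
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // insist on AES-256; aes.NewCipher would also accept 16/24
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before it is written to storage; the key belongs in a KMS/HSM, never beside the data.
func Seal(key []byte, metadata string, plaintext []byte) (*StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(metadata))
	return &StoredRecord{Metadata: metadata, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record read back from storage; it fails if the key is wrong or if the ciphertext or label was altered at rest.
func Open(key []byte, rec *StoredRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Metadata))
}
```

A record whose label is changed from "restricted" to "public" while sitting in storage, or whose ciphertext is modified, is rejected by Open, which is the detection step a storage-medium-only scheme does not give you.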


Data is always at risk, whether it is at rest, in motion or in use. XSOC CORP is an award-winning technology company that provides a range of quantum-safe cryptographic solutions that can help organizations keep their data safe and remain in compliance with the data protection regulations for their industry. Contact us to learn how our award-winning products can be easily integrated into your existing cybersecurity infrastructure to mitigate data breaches and strengthen your cyber resilience.