Database Backups 101: In-Transit Encryption Basics

Sarojini Devi Nagappan
13 February 2020

Data that is moving between systems, for example between a browser and a web server while browsing a page, or a database dump travelling from the database host to an off-site backup target, is known as data-in-motion (or data-in-transit). Because it is on the move, it has to be protected with proper encryption so that it cannot be read or altered before it reaches its destination. In this blog, you will be given an outline of the encryption methods commonly used to protect data while it is in transit.

What is Data-in-Transit Encryption?

Before looking at the different types of encryption, it is good to know how data in transit can be vulnerable to attack. When data is exchanged in a client-server environment, both ends might have implemented data-at-rest encryption, but whether the data is protected while it moves between them depends entirely on the protocol used to transmit it: a plain-text protocol sends it in the clear, however well it is encrypted on disk at either end.

This is often a weak spot that lets an attacker on the network path intercept, read, or modify the data. The idea of in-transit encryption is to close that gap by encrypting the data at the source and only decrypting it at the destination, so that anyone observing the traffic in between sees only ciphertext.

Which encryption method applies depends, of course, on the application carrying the data. For example, chat applications commonly use end-to-end encryption, email relies on encrypted connections between mail servers and, optionally, on message-level encryption such as S/MIME, while web browsers rely on TLS (HTTPS) as the protection method. Plain SMS carries no end-to-end encryption at all and should not be used for sensitive data.

The Goal is Always End-to-End Encryption

The ideal situation to protect data-in-transit is to have the data encrypted before it moves and is only decrypted when it reaches the final destination. 

Encryption performed by a transport protocol, an encryption tool, or a compression tool protects the data only between the points where it is encrypted and decrypted; a load balancer, proxy, or mail relay that terminates the connection sees the data in the clear and has to be trusted. End-to-end encryption, on the other hand, ensures that only the receiving party is able to decrypt and read the message, so an interception anywhere in the middle yields only ciphertext. What it does not do is protect the endpoints themselves: a compromised sender or receiver still reads the message in the clear, because that is where the keys live.

Chat services often use this type of encryption method to ensure communication security and privacy.

Encrypted Web Connections

This method protects web communication by running HTTP over Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL); the result is HTTPS. SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are deprecated and should be disabled, leaving TLS 1.2 and 1.3. During the handshake the server presents an X.509 certificate, issued by a certificate authority the browser trusts, that binds the server's public key to its hostname; the browser verifies the signature chain and checks that the hostname matches, which is what stops an interceptor from presenting its own key. The two sides then run a key exchange (ephemeral Diffie-Hellman in modern TLS) to agree on fresh symmetric session keys that encrypt and authenticate the traffic between the browser and the server. No private key ever travels over the wire: the certificate's private key only signs the handshake, and the session keys are derived independently on both sides.
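As an added example (not part of the original post), here is the handshake just described, carried out with Go's standard library between an in-memory client and server so that it runs offline. The hostnames db-backup.example and attacker.example, the function names, and the self-signed certificate standing in for a CA-issued one are assumptions made for the illustration. The client accepts the connection only when the certificate chains to its trust store and matches the name it expects; the last scenario shows what the common misconfiguration InsecureSkipVerify throws away.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newServerCert mints an ephemeral, self-signed ECDSA certificate for host.
// In production the certificate is issued by a CA the client already trusts;
// here the self-signed leaf stands in for that CA so the example runs offline.
func newServerCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name the client will check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// secureExchange runs a full TLS handshake between an in-memory client and server
// (net.Pipe, so no sockets are needed), sends payload from client to server,
// and returns the negotiated TLS version together with the server's echo.
func secureExchange(clientCfg, serverCfg *tls.Config, payload []byte) (uint16, []byte, error) {
	clientRaw, serverRaw := net.Pipe()
	// net.Pipe is unbuffered; a deadline turns any stall into an error instead of a hang.
	deadline := time.Now().Add(3 * time.Second)
	_ = clientRaw.SetDeadline(deadline)
	_ = serverRaw.SetDeadline(deadline)
	defer clientRaw.Close()

	srvErr := make(chan error, 1)
	go func() {
		defer serverRaw.Close()
		srv := tls.Server(serverRaw, serverCfg)
		if err := srv.Handshake(); err != nil {
			srvErr <- err
			return
		}
		buf := make([]byte, 4096)
		n, err := srv.Read(buf)
		if err != nil {
			srvErr <- err
			return
		}
		_, err = srv.Write(buf[:n]) // echo the application data back
		srvErr <- err
	}()

	cli := tls.Client(clientRaw, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, nil, err // certificate, hostname and version problems surface here
	}
	if _, err := cli.Write(payload); err != nil {
		return 0, nil, err
	}
	echo := make([]byte, len(payload))
	if _, err := io.ReadFull(cli, echo); err != nil {
		return 0, nil, err
	}
	if err := <-srvErr; err != nil {
		return 0, nil, err
	}
	return cli.ConnectionState().Version, echo, nil
}

// connect is the scenario driver: it mints a certificate for host, then connects a
// client that expects serverName and either trusts that certificate or does not.
// skipVerify reproduces the misconfiguration InsecureSkipVerify=true.
func connect(host, serverName string, trustCert, skipVerify bool) (uint16, string, error) {
	cert, leaf, err := newServerCert(host)
	if err != nil {
		return 0, "", err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // refuses SSL 3.0, TLS 1.0 and TLS 1.1
		SessionTicketsDisabled: true,             // keeps the unbuffered pipe free of post-handshake writes
	}
	pool := x509.NewCertPool()
	if trustCert {
		pool.AddCert(leaf)
	}
	clientCfg := &tls.Config{
		RootCAs:            pool,       // only certificates chaining to this pool are accepted
		ServerName:         serverName, // must match a DNSNames entry in the certificate
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipVerify,
	}
	ver, echo, err := secureExchange(clientCfg, serverCfg, []byte("backup chunk 0001"))
	return ver, string(echo), err
}

func main() {
	scenarios := []struct {
		name, host, serverName string
		trustCert, skipVerify  bool
	}{
		{"trusted CA, matching hostname", "db-backup.example", "db-backup.example", true, false},
		{"untrusted certificate", "db-backup.example", "db-backup.example", false, false},
		{"hostname mismatch", "db-backup.example", "attacker.example", true, false},
		{"InsecureSkipVerify (weak)", "db-backup.example", "attacker.example", false, true},
	}
	for _, s := range scenarios {
		ver, echo, err := connect(s.host, s.serverName, s.trustCert, s.skipVerify)
		if err != nil {
			fmt.Printf("%-32s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-32s TLS 0x%04x, echo %q\n", s.name, ver, echo)
	}
}
```

Only the first scenario completes: an untrusted certificate and a hostname mismatch are both rejected before any application data is sent, which is the protection the certificate check provides. The fourth scenario succeeds against an untrusted certificate for the wrong name, which is why InsecureSkipVerify must never be set in a client that talks to a real server.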

Encrypted Email Servers

Email is another place where attackers commonly look for valuable data, especially if it belongs to an organisation dealing with sensitive information. Two separate layers apply. The hops between mail clients and servers, and between mail servers, are protected by running SMTP (Simple Mail Transfer Protocol) over TLS (STARTTLS), which encrypts each hop but still lets every relay in the path read the message. For message-level protection, S/MIME (Secure/Multipurpose Internet Mail Extensions) encrypts the body and attachments with the recipient's public key, taken from the recipient's certificate, so only the holder of the matching private key can decrypt them, whatever transport the message took. Note that S/MIME leaves the headers, including the subject line and the addresses, in the clear.

Pre-Encryption for Cloud

At present, data-at-rest is commonly kept in cloud storage. It is good to have the data encrypted before it is moved to the cloud, because this prevents theft or alteration of the data while it travels from the local premises to the cloud environment, and it also keeps the data unreadable to the storage provider once it arrives.

This pre-encryption is usually called client-side encryption, in contrast with server-side encryption, where the cloud provider encrypts the object after it arrives and holds the key. Server-side encryption protects the object at rest but does nothing for the upload itself and leaves the provider able to read the data, so e-commerce, financial, and healthcare organisations that must meet regulatory requirements frequently encrypt on their own side first. The cost of doing so is not bandwidth (ciphertext is essentially the same size as plaintext, so compress before encrypting, since ciphertext does not compress) but CPU time at the source and, above all, key management: the keys must be kept safe yet remain available for every future restore, or the backups are worthless.
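Both the end-to-end section above and this one describe the same operation: encrypt at the source, decrypt only at the final destination. The example below is added here and is not code from the original post; it uses AES-256-GCM from Go's standard library to seal a backup before upload so that neither the network path nor the storage provider sees plaintext. The key, the sample dump, the object name backups/2020-02-13/prod.sql.gz and the function names are constructed for the illustration; in practice the key would come from a KMS or vault.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealBackup encrypts a backup under key with AES-256-GCM before it leaves the
// premises, so whoever handles the bytes in transit or in the bucket sees only
// ciphertext. objectName is bound as additional authenticated data (AAD): the
// blob decrypts only under the name it was sealed for, so a ciphertext copied
// or renamed onto another object by an attacker is rejected.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func sealBackup(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object; reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openBackup reverses sealBackup at the destination (or at restore time) and
// fails closed on any modification of the blob, the key or the object name.
func openBackup(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted backup is truncated")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	// Constructed sample: in practice the key comes from a KMS or vault and the
	// plaintext is the (already compressed) dump produced by the backup tool.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	dump := []byte("-- MySQL dump 10.13\nCREATE TABLE customers (id INT, email VARCHAR(255));\n")
	name := "backups/2020-02-13/prod.sql.gz"

	blob, err := sealBackup(key, dump, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce + ciphertext + tag)\n", len(dump), len(blob))

	got, err := openBackup(key, blob, name)
	fmt.Printf("restore with correct key and name: ok=%v err=%v\n", bytes.Equal(got, dump), err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // flip one ciphertext bit "in transit"
	_, err = openBackup(key, tampered, name)
	fmt.Printf("restore after in-transit modification: err=%v\n", err)

	_, err = openBackup(key, blob, "backups/2020-02-13/staging.sql.gz")
	fmt.Printf("restore under a different object name: err=%v\n", err)
}
```

Because GCM is an authenticated mode, openBackup fails on a single flipped bit as well as on a wrong key or a mismatched object name, which is exactly the alteration risk this section warns about; a plain unauthenticated cipher would hand back silently corrupted data instead.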

Conclusion

To summarise, protecting data-in-transit is as important as protecting data-at-rest. The security concerns for moving data are theft of user data and alteration of the data while it travels over the web or any other communication network.

The encryption methods given above are categorised by context, because the risk profile of data-in-motion differs according to where the data is and what state it is in during communication.

Breaches happen at the weakest spot, so the IT security policy should identify which data communication channels are in use in the organisation, including the path your database backups take, and apply the matching protection to each of them.