Customers frequently ask when to encrypt data, and in particular what the difference is between encrypting data in transit and data in motion. It is a tough topic for security and IT because there is no clear definition of data in motion. In fact, if you look up the definitions on Google, you will find that "in transit" and "in motion" are treated as about the same thing.
This blog post is an informative discussion of action-based encryption: when to apply it, and when not to, as it pertains to regulations. I hope it also spurs some debate and helps define that elusive category, data in motion. What we do not do here is discuss which categories of data or which fields to encrypt, nor the differences between file/folder and column-level encryption and full-disk encryption. That is reserved for a whole other post, or frankly a series of posts.
I have already drawn a line in the sand, but to be clear, we are proposing that, from a security perspective, data in transit does not necessarily mean data in motion. I understand that looking up the two terms on Google will give you definitions that are quite similar. However, it is our belief that in the security space these definitions are changing and becoming more distinct and refined, as described here.
Data In Transit is data moving outside of a server: between client and server, server to server, web application server to database server, and vice versa.
Data In Motion is data that is being prepared for transmission, or is moving around from place to place on or within the server itself, but is not transiting off the server. It also covers some movement between servers, when the connection is a direct private link rather than a traditional LAN, such as data moving from a server to a SAN or NAS.
If you think this distinction is not supported by regulation, standard or even best practice, think again. It is most clearly seen in NIST 800-53R4 control SC-8, in the difference between enhancement SC-8(2) and enhancements SC-8(1), (3) and (4). Enhancements (1), (3) and (4) clearly speak of data "in transit" and therefore call for "cryptographic mechanisms" to be applied during transmission, whereas (2) speaks of "preparation for transmission" (i.e., inside the server) and neither uses the term nor imposes the requirement for cryptographic mechanisms. The enhancement text from NIST reads:
(1) – The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
(3) – The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
(4) – The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
As noted, (2) covers the preparation leading up to transmission and the handling after reception, that is, data in motion on the sending or receiving device:
(2) – The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
Notice that it does not use the term "cryptographic mechanisms" and therefore does not require them the way the other three enhancements do. It instead speaks of maintaining confidentiality and/or integrity, which can admittedly be done through hashing (a keyed MAC or signature, if an attacker who can alter the data could also alter the hash), cryptographic mechanisms, or a whole host of other means, including access controls and physical controls.
From a security perspective this has implications. In transit, data should clearly be encrypted ("cryptographic mechanisms"), because it can be sniffed on the wire or over the air; it is moving between systems through a space that generally cannot be entirely controlled. Data in motion, on the other hand, can be protected by other means, such as access control or point-to-point cabling. Note that even the in-transit enhancements quoted above allow "organization-defined alternative physical safeguards" in place of cryptography, so in every case the organization must document which safeguard it is relying on; the difference is that for data in transit the default expectation is cryptography, while for data in motion it is not.
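As an added example (not code from the original post), here is one way the SC-8(2) integrity selection can be met on the sending and receiving hosts without encrypting the payload, which is one of the options listed above: the sender wraps the record in an envelope carrying an HMAC-SHA256 tag during preparation for transmission, and the receiver verifies the tag during reception before accepting the record. The shared key, the sample record and the tampering step are all constructed for illustration. The tag is keyed on purpose: a plain hash shipped alongside the data would not catch an attacker who can rewrite both the data and the hash.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed shared integrity key for this example. In practice it would come
# from a key store and be provisioned to the peer out of band.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
NONCE_LEN = 16  # fixed length, so nonce || payload is unambiguous


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so both ends MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def prepare_for_transmission(record: dict, key: bytes,
                             nonce: Optional[bytes] = None) -> dict:
    """Sending side (SC-8(2), 'preparation for transmission').

    Wraps the record with a per-message nonce and an HMAC-SHA256 tag over
    nonce || payload, so any change to either is detectable on reception.
    """
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    payload = _canonical(record)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    return {
        "nonce": base64.b64encode(nonce).decode("ascii"),
        "payload": base64.b64encode(payload).decode("ascii"),
        "tag": base64.b64encode(tag).decode("ascii"),
    }


def verify_on_reception(envelope: dict, key: bytes) -> dict:
    """Receiving side (SC-8(2), 'during reception').

    Recomputes the tag and compares it in constant time. Raises ValueError
    if the envelope is malformed or was modified; returns the record otherwise.
    """
    try:
        nonce = base64.b64decode(envelope["nonce"], validate=True)
        payload = base64.b64decode(envelope["payload"], validate=True)
        tag = base64.b64decode(envelope["tag"], validate=True)
    except (KeyError, ValueError, TypeError) as exc:
        raise ValueError("malformed envelope") from exc
    if len(nonce) != NONCE_LEN:
        raise ValueError("malformed envelope: bad nonce length")
    expected = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: envelope was modified")
    return json.loads(payload.decode("utf-8"))


def tamper(envelope: dict, new_record: dict) -> dict:
    """Constructed attacker step: swap the payload, keep nonce and tag."""
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(_canonical(new_record)).decode("ascii")
    return forged


def demo() -> Tuple[bool, bool]:
    """Returns (clean envelope accepted, tampered envelope rejected)."""
    record = {"account": "1234", "amount": 100.0, "currency": "USD"}  # constructed
    env = prepare_for_transmission(record, SHARED_KEY)
    accepted = verify_on_reception(env, SHARED_KEY) == record
    try:
        verify_on_reception(tamper(env, {**record, "amount": 100000.0}), SHARED_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The nonce is there so identical records produce distinct tags; detecting replays of a whole envelope would additionally need the receiver to track nonces it has already seen, which is outside what SC-8(2) asks for. Whether this envelope then needs encryption on the wire is the SC-8(1) question, not the SC-8(2) one.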
As compliance regulations such as NIST 800-53R4, PCI-DSS and HIPAA are currently written, they require or at least address encryption in transit (and at rest), but encryption of data in motion (or, as NIST puts it, during preparation for transmission) is either not spelled out or only lightly mentioned. That leaves the data owner to choose how to handle it outside of the regulation, which is partly why the term "in motion" has come into existence: to be legalistic about which security controls apply.