Why is data that is located in the RAM of a device considered data in transit?

Data in use is an information technology term referring to active data which is stored in a non-persistent digital state typically in computer random-access memory (RAM), CPU caches, or CPU registers.

In 1996, Scranton, PA data scientist Daniel Allen proposed "data in use" as a complement to the terms "data in transit" and "data at rest"; together they define the three states of digital data.

Alternative definitions

Data in use refers to data in computer memory. Some cloud software as a service (SaaS) providers refer to data in use as any data currently being processed by applications, as the CPU and memory are utilized.

Concerns

Because of its nature, data in use is of increasing concern to businesses, government agencies and other institutions. Data in use, or memory, can contain sensitive data including digital certificates, encryption keys, intellectual property (software algorithms, design data), and personally identifiable information. Compromising data in use enables access to encrypted data at rest and data in motion. For example, someone with access to random access memory can parse that memory to locate the encryption key for data at rest. Once they have obtained that encryption key, they can decrypt encrypted data at rest. Threats to data in use can come in the form of cold boot attacks, malicious hardware devices, rootkits and bootkits.

Full memory encryption

Encryption, which prevents data from being read in the event of unauthorized access or theft, is commonly used to protect data in motion and data at rest, and is increasingly recognized as an optimal method for protecting data in use.

There have been multiple projects to encrypt memory. Microsoft Xbox systems are designed to provide memory encryption and the company PrivateCore presently has a commercial software product vCage to provide attestation along with full memory encryption for x86 servers. Several papers have been published highlighting the availability of security-enhanced x86 and ARM commodity processors. In that work, an ARM Cortex-A8 processor is used as the substrate on which a full memory encryption solution is built. Process segments (for example, stack, code or heap) can be encrypted individually or in composition. This work marks the first full memory encryption implementation on a mobile general-purpose commodity processor. The system provides both confidentiality and integrity protections of code and data which are encrypted everywhere outside the CPU boundary.

For x86 systems, AMD has a Secure Memory Encryption (SME) feature introduced in 2017 with Epyc. Intel has promised to deliver its Total Memory Encryption (TME) feature in an upcoming CPU.

CPU-based key storage

Operating system kernel patches such as TRESOR and Loop-Amnesia modify the operating system so that CPU registers can be used to store encryption keys and avoid holding encryption keys in RAM. While this approach is not general purpose and does not protect all data in use, it does protect against cold boot attacks. Encryption keys are held inside the CPU rather than in RAM so that data at rest encryption keys are protected against attacks that might compromise encryption keys in memory.

Enclaves

An enclave is a region of memory that is secured with encryption in RAM, so that enclave data is encrypted while in RAM but available as clear text inside the CPU and CPU cache. Intel Corporation introduced the concept of “enclaves” as part of its Software Guard Extensions, and revealed an architecture combining software and CPU hardware in technical papers published in 2013.

Cryptographic protocols

Several cryptographic tools, including secure multi-party computation and homomorphic encryption, allow for the private computation of data on untrusted systems. Data in use could be operated upon while encrypted and never exposed to the system doing the processing.
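The paragraph above names homomorphic encryption without showing what "operated upon while encrypted" looks like in practice. The following is an added example, not code from the page or from any project it mentions: a toy Paillier scheme, which is additively homomorphic, so an untrusted processor can add two ciphertexts (and scale one by a public constant) while only the key holder can read the result. The primes P and Q and all function names are constructed for illustration; real keys use primes of 1024 bits or more.

```python
"""Toy Paillier scheme: an additively homomorphic cipher, so an untrusted
party can add encrypted values without ever seeing them.
Added example, not from the page; P and Q are constructed toy primes (real
keys use 1024-bit primes or larger)."""
import secrets
from math import gcd

P, Q = 999983, 1000003   # constructed toy primes; far too small for real use


def keygen(p=P, q=Q):
    """Return (n, (lam, mu)). Uses the standard simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With g = n + 1, L(g^lam mod n^2) = lam, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return n, (lam, mu)


def encrypt(n, m):
    """c = g^m * r^n mod n^2 with fresh random r: the same m encrypts differently each time."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2   # (n+1)^m = 1 + m*n (mod n^2)


def decrypt(n, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n) * mu % n


def add_encrypted(n, c1, c2):
    """Done by the untrusted processor: multiplying ciphertexts adds the plaintexts."""
    return c1 * c2 % (n * n)


def scale_encrypted(n, c, k):
    """Raising a ciphertext to a public constant k multiplies the plaintext by k."""
    return pow(c, k, n * n)


def demo():
    """Key holder encrypts two values; the server sums them blind; key holder decrypts."""
    n, priv = keygen()
    c1, c2 = encrypt(n, 4100), encrypt(n, 1900)
    return decrypt(n, priv, add_encrypted(n, c1, c2))


if __name__ == "__main__":
    print(demo())
```

The party running add_encrypted only ever holds n and ciphertexts, which is the property the paragraph describes: the data is processed but never exposed to the system doing the processing. Paillier gives addition only; multiplying two encrypted values requires a fully homomorphic scheme.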

Encryption: Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data (Source: National Institute of Standards and Technology)

Data resides in numerous places, whether on desktops, laptops, or removable storage media (USB drives, external hard drives, and CDs/DVDs). Particular attention is necessary if this data is considered sensitive; encryption is a key way to safeguard it.

Sensitive data stored on any environment, system or media that is subject to loss or theft — including laptops, USB drives, diskettes, CDs/DVDs, personal computers, departmental servers, and cloud environments — must be encrypted whenever not in active use. Encryption is highly recommended for all other systems as well, whenever feasible. Systems susceptible to theft should also be physically secured, e.g. with use of secure laptop cables, whenever possible.

Data-at-Rest vs. Data-in-Transit

  • Data-at-Rest: Data-at-Rest (DAR) refers to data on storage devices not actively being used or transmitted. Storage devices include the hard drives in desktops, laptops, and external drives. Examples of external drives include USB drives, external hard drives, and memory cards. External drives are transportable in nature, which means there is an increased chance of being lost or stolen. A key safeguard to protect the DAR on external drives is through the use of encryption.
  • Data-in-Transit: Data-in-Transit (DIT) refers to data moving from one location to another, including data moving from one network to another and across the internet. Protecting DIT, also known as data in motion, means putting safeguards in place while the data is moving from one location to another.

Full Drive Encryption vs. Container Encryption

When deciding which encryption method to use for the protection of DAR on storage devices, the two most common options are doing full drive encryption or creating an encrypted file container.

Full Drive Encryption (FDE)

Description

  • The entire drive is encrypted, which means files and applications are encrypted

Pros and Cons

  • No need to worry if files are encrypted in the event of device theft
  • When the computer is in use, malware is able to steal the data

Container Encryption

Description

  • This is where you create a “container” which can be mounted.
  • Files can then be copied, moved, and deleted inside of the “container” like any other drive
  • With this option, your encrypted file container appears as a file. This file can be stored on the local hard drive or on an external drive, like a USB drive.

Pros and Cons

  • File containers are normal files so you can work with them as with any normal files (file containers can be, for example, moved, renamed, and deleted the same way as normal files). Partitions/drives may be better in regard to performance. Note that reading and writing to/from a file container may take significantly longer when the container is heavily fragmented.
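To make the container model above concrete, and to tie it back to the point made under Concerns and in the Pros and Cons (data and keys are exposed while in use on a running machine), here is an added example that is not code from the page or from any encryption product it names: a minimal encrypted file container using only the Python standard library. The bytes seal_container writes to disk are data at rest; the dict mount_container returns lives in RAM and is data in use. The HMAC-SHA256 counter-mode keystream is a stand-in for the AES used by LUKS, VeraCrypt or BitLocker, and MAGIC, the sample file content and the function names are constructed.

```python
"""Minimal encrypted file container. The bytes it produces are data at rest;
the dict mount_container() returns lives in RAM and is data in use.
Added example, not code from the page or from any product it names. The
HMAC-SHA256 counter-mode keystream stands in for the AES used by LUKS,
VeraCrypt or BitLocker; MAGIC and the function names are constructed."""
from __future__ import annotations
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"CTNR1"                  # constructed container format tag
HDR_LEN = len(MAGIC) + 16 + 16    # magic + salt + nonce
TAG_LEN = 32


def _derive_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes]:
    # One PBKDF2 call; first half encrypts, second half authenticates.
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block i = HMAC(key, nonce || i). XOR is its own inverse.
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_container(files: dict[str, bytes], passphrase: bytes) -> bytes:
    """Return opaque container bytes to write to disk: data at rest."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)   # keys exist only inside this call
    plaintext = json.dumps({name: data.hex() for name, data in files.items()}).encode()
    header = MAGIC + salt + nonce
    body = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
    return header + body + tag


def mount_container(blob: bytes, passphrase: bytes) -> dict[str, bytes]:
    """Decrypt into RAM. Until the caller drops the result it is data in use,
    and malware on the running machine can read it just as it could read any file."""
    if not blob.startswith(MAGIC) or len(blob) < HDR_LEN + TAG_LEN:
        raise ValueError("not a container")
    salt = blob[len(MAGIC):len(MAGIC) + 16]
    nonce = blob[len(MAGIC) + 16:HDR_LEN]
    body, tag = blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:HDR_LEN] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # verify before decrypting anything
        raise ValueError("wrong passphrase or container modified")
    plaintext = _keystream_xor(enc_key, nonce, body)
    return {name: bytes.fromhex(h) for name, h in json.loads(plaintext).items()}


def demo(path: str = "demo.ctnr") -> bool:
    """Round-trip through a file and confirm the on-disk copy holds no plaintext."""
    files = {"notes.txt": b"top secret plan"}   # constructed sample content
    with open(path, "wb") as fh:
        fh.write(seal_container(files, b"correct horse battery"))
    with open(path, "rb") as fh:
        at_rest = fh.read()
    in_use = mount_container(at_rest, b"correct horse battery")
    os.remove(path)
    return b"top secret" not in at_rest and in_use == files


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

Two design points carry over to real tools: the tag is checked before any decryption, so a modified or wrong-passphrase container is rejected rather than producing garbage, and the derived keys are never stored anywhere but the local variables of the sealing and mounting call, which is the closest a high-level language gets to keeping key lifetime in RAM short.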

CIS Control 14: Controlled Access Based on the Need to Know

As outlined in the ITS Information Security Minimum Security Standards, encryption is part of the Center for Internet Security’s (CIS) Control 14:

CIS Control 14: Controlled Access Based on the Need to Know: The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

  • CIS Control 14.4: Encrypt All Sensitive Information in Transit
  • CIS Control 14.8: Encrypt Sensitive Information at Rest

Encryption Setup Guides

This article deals with Data-at-Rest. Below is information on setting up Data-at-Rest encryption for the following devices:

What is meant by data in transit?

Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network.

Where are data in transit found?

Data in transit describes data that is sent over a network (cellular, Wi-Fi, or other networks) or is located in RAM. At some point, data that was recovered from the device (or data at rest) was also sent over the network.

What is the difference between data at rest and data in transit?

As a result, data in transit is a potential target for hackers. Data at rest refers to data that is not actively traveling between devices or networks. Because this data is often kept or preserved, it is less risky than data in transit.

What is an example of encryption in transit?

For example, Transport Layer Security (TLS) is often used to encrypt data in transit for transport security, and Secure/Multipurpose Internet Mail Extensions (S/MIME) is used often for email message encryption.
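As an added example of the TLS point above (not code from the page): a hardened client context next to the weakened variant that only looks encrypted, with an audit helper that reports the settings that undo transit protection. Function names are constructed, and nothing here opens a network connection.

```python
"""Client TLS settings that actually protect data in transit, next to the
weakened variant that only looks encrypted. Added example, not from the page;
function names are constructed and nothing here opens a connection."""
from __future__ import annotations
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Encryption to a verified peer: what 'TLS in transit' should mean."""
    ctx = ssl.create_default_context()      # system CAs, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """Certificate checks switched off to silence errors: traffic is encrypted,
    but to whoever answers, so the transit protection is gone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings that mean the channel is encrypted but not to a verified party."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: an interposed server is not detected")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: deprecated protocol versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weakened:", audit_context(weakened_client_context()))
```

The audit is the check to run in code review: a TLS connection with verification disabled still encrypts, but without authenticating the peer it no longer protects data in transit from anyone positioned on the path.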