
Data at rest, in use, and in motion: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Securing data across rest, in use, and in motion requires different controls for storage, processing, and transmission, and the article frames encryption, access control, and monitoring as the core layers for reducing exposure. The practical lesson is that data protection fails when teams treat encryption as a single control instead of a state-specific governance model.

NHIMG editorial — based on content published by Netwrix: How to secure data at rest, in use, and in motion

Questions worth separating out

Q: How should teams secure data at rest without relying on encryption alone?

A: Teams should pair encryption at rest with strict key custody, access reviews, and rotation controls.

Q: Why do data in motion controls still fail in well-defended environments?

A: Data in motion controls fail when organisations assume the network path is trustworthy.

Q: How do organisations reduce exposure for data in use?

A: They reduce exposure by limiting which workloads, services, and users can decrypt data during processing, then logging those interactions.

Practitioner guidance

  • Map controls to each data state: Define separate control requirements for data at rest, data in use, and data in motion.
  • Treat key management as identity governance: Inventory who and what can access encryption keys, vaults, and certificate authorities.
  • Harden session and transport trust: Use strong authentication for workloads and users that exchange sensitive data, then monitor transfers for unusual volume, destination drift, or unexpected privilege use.

What's in the full article

Netwrix's full blog post covers the operational detail this post intentionally leaves for the source:

  • Encryption choices and implementation detail for each data state
  • Practical handling of encryption keys, certificates, and secrets in day-to-day operations
  • How to think about protection tradeoffs across storage, processing, and transfer
  • The article's own FAQ-style explanations for common encryption questions

👉 Read Netwrix's guide on securing data at rest, in use, and in motion →




   
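The post's points on key custody, rotation, and limiting which identities can decrypt, worked through as an added Go example (not code from the post or from the Netwrix article): envelope encryption with a per-record data key (DEK) wrapped by a key-encryption key (KEK) that never leaves a stand-in KMS, an allow-list of principals that gates every unwrap, an audit entry for every unwrap attempt, and KEK rotation that rewraps the DEK without re-encrypting the stored data. The KMS type, the principal names, and the sample record are assumptions made for the example; a real deployment would put the KMS behind a service boundary and the allow-list behind an access-review process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n bytes from the OS CSPRNG; if that fails the host is unusable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM under a fresh nonce and returns nonce||ciphertext. Keys here are always 32 bytes from random, so a bad key size is a bug and panics.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := random(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. A nil key (unknown KEK version) or truncated blob is an error; a wrong key or any modified byte fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a, _ := cipher.NewGCM(block)
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

// Record is what reaches storage: data sealed under a per-record DEK, and that DEK sealed under a numbered KEK.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KMS stands in for a key-management service (assumed, not a real API): KEKs never leave it, unwrap is gated by an allow-list of principals, and every unwrap attempt is logged whether or not it succeeds.
type KMS struct {
	keks    map[int][]byte
	current int
	allowed map[string]bool
	Audit   []string
}

func NewKMS(allowed map[string]bool) *KMS {
	k := &KMS{keks: map[int][]byte{}, allowed: allowed}
	k.Rotate()
	return k
}

// Rotate adds a KEK version; old versions stay until every record is rewrapped, so rotation never strands data.
func (k *KMS) Rotate() { k.current++; k.keks[k.current] = random(32) }

// unwrap is the single choke point: identity check first, audit entry always.
func (k *KMS) unwrap(principal string, r Record) ([]byte, error) {
	ok := k.allowed[principal]
	k.Audit = append(k.Audit, fmt.Sprintf("%s kek=v%d allowed=%t", principal, r.KEKVersion, ok))
	if !ok {
		return nil, fmt.Errorf("principal %q may not unwrap keys", principal)
	}
	return open(k.keks[r.KEKVersion], r.WrappedDEK)
}

// Encrypt uses a one-time DEK and stores only its wrapped form; writing needs no authorisation here, reading does.
func (k *KMS) Encrypt(plaintext []byte) Record {
	dek := random(32)
	return Record{k.current, seal(k.keks[k.current], dek), seal(dek, plaintext)}
}

// Decrypt is the only path to plaintext; policy and logging live in unwrap.
func (k *KMS) Decrypt(principal string, r Record) ([]byte, error) {
	dek, err := k.unwrap(principal, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Rewrap moves a record to the current KEK without touching the data ciphertext; this is what makes scheduled rotation affordable.
func (k *KMS) Rewrap(principal string, r Record) (Record, error) {
	dek, err := k.unwrap(principal, r)
	if err != nil {
		return Record{}, err
	}
	return Record{k.current, seal(k.keks[k.current], dek), r.Ciphertext}, nil
}
```

Two design points carry the post's argument. Encrypt needs no authorisation but Decrypt and Rewrap both pass through unwrap, so the allow-list and the audit log sit on the only path that yields a key; that is the "who can decrypt" inventory the post asks for, expressed in code. Rotation only touches the wrapped DEK, so a KEK rotation over a large data set is a metadata rewrite rather than a bulk re-encryption, and the retained old versions mean a half-finished rotation never locks anyone out.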
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

State-specific protection is the only defensible model for modern data security. Data at rest, in use, and in motion fail for different reasons, so treating encryption as a universal answer creates blind spots. The article is directionally correct in separating the three states, but the deeper governance point is that identity controls and cryptographic controls must be designed together. Practitioners should map each data state to its own access, monitoring, and key-handling model.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs, Key Research and Survey Results.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: What is the difference between protecting data and governing the identities that access it?

A: Protecting data focuses on encryption, masking, and transport safeguards. Governing identities focuses on who or what can use those controls, including service accounts, API keys, and certificates. In practice, the second determines whether the first holds up under real operational pressure.

👉 Read our full editorial: How to secure data at rest, in use, and in motion



   
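The monitoring side of data in motion, which the first post names as unusual volume, destination drift, and unexpected privilege use, and which the second post folds into giving each data state its own monitoring model, as an added Go example that is not from either post or from Netwrix. It learns a per-principal baseline (destinations, privilege levels, largest single transfer) from a clean history window and flags recent transfers that depart from it. The key=value log format, the principal names and addresses, and the 10x volume factor are constructed assumptions for the example; real transfer logs need their own parser, and the volume rule is deliberately simple so the logic stays readable.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Transfer is one parsed transfer-log line: who moved data, where, with which privilege, and how much.
type Transfer struct {
	Principal, Dest, Priv string
	Bytes                 int64
}

// ParseLine reads the constructed "key=value" format used below; bare tokens such as the timestamp are skipped.
func ParseLine(line string) (Transfer, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	n, err := strconv.ParseInt(kv["bytes"], 10, 64)
	if err != nil || kv["principal"] == "" || kv["dst"] == "" || kv["priv"] == "" {
		return Transfer{}, fmt.Errorf("malformed line: %q", line)
	}
	return Transfer{kv["principal"], kv["dst"], kv["priv"], n}, nil
}

// ParseAll parses a window of lines and fails closed on the first malformed one rather than dropping it.
func ParseAll(lines []string) ([]Transfer, error) {
	out := make([]Transfer, 0, len(lines))
	for _, l := range lines {
		t, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		out = append(out, t)
	}
	return out, nil
}

// Baseline is what one principal normally does: its destinations, privileges, and largest single transfer.
type Baseline struct {
	Dests, Privs map[string]bool
	MaxBytes     int64
}

// Learn builds a per-principal Baseline from a history window that is assumed to be clean.
func Learn(history []Transfer) map[string]*Baseline {
	base := map[string]*Baseline{}
	for _, t := range history {
		b := base[t.Principal]
		if b == nil {
			b = &Baseline{Dests: map[string]bool{}, Privs: map[string]bool{}}
			base[t.Principal] = b
		}
		b.Dests[t.Dest], b.Privs[t.Priv] = true, true
		if t.Bytes > b.MaxBytes {
			b.MaxBytes = t.Bytes
		}
	}
	return base
}

// Detect flags, per transfer: a principal with no baseline, a destination or privilege never used before, and volume above factor times the principal's historical maximum.
func Detect(base map[string]*Baseline, recent []Transfer, factor int64) []string {
	var alerts []string
	for _, t := range recent {
		b, known := base[t.Principal]
		if !known {
			alerts = append(alerts, t.Principal+": no baseline for principal")
			continue
		}
		if !b.Dests[t.Dest] {
			alerts = append(alerts, t.Principal+": destination drift to "+t.Dest)
		}
		if !b.Privs[t.Priv] {
			alerts = append(alerts, t.Principal+": unexpected privilege "+t.Priv)
		}
		if t.Bytes > factor*b.MaxBytes {
			alerts = append(alerts, fmt.Sprintf("%s: unusual volume %d bytes (baseline max %d)", t.Principal, t.Bytes, b.MaxBytes))
		}
	}
	return alerts
}

// Constructed sample windows, not captured traffic: HistoryLines is the clean baseline, RecentLines the window under review.
var (
	HistoryLines = []string{
		"2024-05-01T10:00:00Z principal=svc:etl dst=10.0.5.20:5432 bytes=2097152 priv=reader",
		"2024-05-01T12:00:00Z principal=svc:etl dst=10.0.5.21:5432 bytes=2200000 priv=reader",
		"2024-05-01T10:30:00Z principal=user:alice dst=s3.internal:443 bytes=50000 priv=reader",
	}
	RecentLines = []string{
		"2024-05-02T10:00:00Z principal=svc:etl dst=10.0.5.20:5432 bytes=2100000 priv=reader",
		"2024-05-02T10:05:00Z principal=svc:etl dst=203.0.113.9:443 bytes=2000000 priv=reader",
		"2024-05-02T10:10:00Z principal=svc:etl dst=10.0.5.21:5432 bytes=52000000 priv=reader",
		"2024-05-02T10:15:00Z principal=user:alice dst=s3.internal:443 bytes=40000 priv=admin",
		"2024-05-02T10:20:00Z principal=svc:backup dst=10.0.9.1:22 bytes=1000 priv=reader",
	}
)
```

Running ParseAll over both windows and then Detect(Learn(history), recent, 10) on the constructed data yields four findings: svc:etl drifting to 203.0.113.9:443, svc:etl moving roughly 25 times its largest historical transfer, user:alice using a privilege level it has never used, and svc:backup with no baseline at all. The first normal svc:etl transfer produces nothing, which is the point of keying the baseline by principal rather than by destination alone: the same destination is fine for one identity and anomalous for another, and a volume threshold that ignores identity would either miss the 52 MB transfer or drown in noise.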