Protecting Data in Transit and at Rest
Your data needs protecting in two very different situations, and a system can guard one of them well while leaving the other wide open. The first situation is when data is moving — travelling across a network from your device to a website. The second is when data is sitting still — saved on a disk, a phone, or a backup somewhere.
Security people have names for these two states. Data crossing a network is in transit. Data parked in storage is at rest. From here on we will use those terms.
When Olivia sends a message, that message needs guarding both while it travels and while it is stored at the other end — and it can be attacked in different ways at each stage. Think of moving money: an armored truck protects the cash while it is being driven across town, and a vault protects it once it arrives. Guarding the truck does nothing if the vault is left open, and a sealed vault does not help cash that is still out on the road. In transit is the truck; at rest is the vault.
In Transit: Protecting Data While It Moves
When Olivia types a message and hits send, that message does not teleport. It is broken into pieces and passed from machine to machine across the network until it reaches its destination. Every machine along that path could, in principle, look at what passes through it.
If the message travels as plain readable text, anyone positioned along the route can read it as it goes by. Reading data as it passes is called eavesdropping — quietly listening in on the line.
The defense is to scramble the data before it leaves, so that it travels as unreadable nonsense and is unscrambled only at the far end. This is encryption in transit, and it is exactly what the "S" in HTTPS provides. With it, an eavesdropper sees scrambled bytes instead of Olivia's words.
At Rest: Protecting Data While It Is Stored
Once Olivia's message arrives, it usually gets saved — written to a disk so it is still there tomorrow. The same is true of her photos, her account details, and a copy kept in a backup. All of that is data at rest.
Stored data faces a different threat. Nobody is listening on a wire here; instead, the worry is that the storage itself gets taken — a stolen laptop, a lost phone, or a database copied by an attacker who got inside. If that storage holds plain readable data, whoever took it can read everything on it.
The defense is to store the data scrambled, so that the raw disk is meaningless without the key to unscramble it. This is encryption at rest. A thief who walks off with the drive ends up holding noise.
Two Separate Protections
The catch most people miss: protecting one state does nothing for the other. A website can use HTTPS so your data is encrypted in transit, and then save that same data to disk completely unencrypted at rest. The reverse can happen too — carefully encrypted storage reached over an unprotected connection.
So they are two independent questions. "Is the data protected while it moves?" and "Is the data protected while it is stored?" are answered separately, and a yes to one tells you nothing about the other.
Why Both Matter
Olivia's data is exposed at different moments, and attackers come at it from different directions. Eavesdropping steals data in transit, while it is on the wire. A data breach — where attackers reach a company's storage — usually steals data at rest, in bulk, by the millions of records.
Because the moment of exposure is different, the defense has to cover both. A system that locks the road but leaves the vault open is still robbed; a sealed vault on an open road still leaks. Defenders protect transit and rest as two separate jobs.
Three common misconceptions come from mixing the two states up:
- "HTTPS means my data is encrypted everywhere." HTTPS protects data in transit, on its way to the site. How the site stores that data afterward — at rest — is a separate question that HTTPS says nothing about.
- "Encryption at rest stops a live breach." If attackers get in through a path that is already logged in and running, the storage may already be unlocked for normal use. Encryption at rest mainly defends a disk that is physically stolen, not an attacker working through a live system.
- "Data only needs protecting while it's moving." Stored data is a prime target. Most large breaches steal data at rest, in bulk — so the vault matters at least as much as the road.
Keeping the two states apart pays off in three ways:
- It explains why "they used HTTPS" does not mean a breach couldn't expose stored data — those are two different protections.
- It gives you two distinct questions to ask about any system: is the data protected while it moves, and is it protected while it is stored?
- It connects the news you hear to the mechanism: eavesdropping targets transit, a breach usually targets data at rest.
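The independence of the two protections ("Two Separate Protections" above) and the point that encryption at rest does not stop a live breach can be shown in a few lines of Python. This is an added example, not code from the original lesson: MessageStore, deliver, seal and unseal are hypothetical names, the "disk" is a dict standing in for a database file, and the HMAC-based keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (counter mode): a standard-library
    stand-in for a real cipher such as AES-GCM, unauthenticated and for illustration
    only. XOR is symmetric, so the same call scrambles and unscrambles."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)  # fresh per message, kept alongside the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])

class MessageStore:
    """The receiving service. `disk` is the raw database file a thief would copy."""
    def __init__(self, at_rest_key=None):
        self.at_rest_key = at_rest_key  # None means plaintext at rest
        self.disk = {}
    def save(self, msg_id: str, plaintext: bytes) -> None:
        self.disk[msg_id] = plaintext if self.at_rest_key is None else seal(self.at_rest_key, plaintext)
    def read(self, msg_id: str) -> bytes:
        # The live, logged-in path: the running service holds the key, so it decrypts
        blob = self.disk[msg_id]
        return blob if self.at_rest_key is None else unseal(self.at_rest_key, blob)

def deliver(plaintext: bytes, session_key: bytes, store: MessageStore, msg_id: str) -> bytes:
    """Transit protection (HTTPS stand-in): seal with a per-connection key, unseal on
    arrival, hand the plaintext to storage. Returns what an eavesdropper captured."""
    on_the_wire = seal(session_key, plaintext)
    store.save(msg_id, unseal(session_key, on_the_wire))
    return on_the_wire

def demo() -> dict:
    msg = b"Meet at six, bring the documents"  # constructed sample message
    session_key, disk_key = os.urandom(32), os.urandom(32)
    https_only = MessageStore()              # encrypted in transit, plaintext at rest
    https_and_rest = MessageStore(disk_key)  # encrypted in transit and at rest
    wire = deliver(msg, session_key, https_only, "m1")
    deliver(msg, session_key, https_and_rest, "m1")
    return {
        "eavesdropper_reads_wire": msg in wire,                          # False
        "thief_reads_https_only_disk": https_only.disk["m1"] == msg,     # True
        "thief_reads_encrypted_disk": https_and_rest.disk["m1"] == msg,  # False
        "live_breach_reads_encrypted_disk": https_and_rest.read("m1") == msg,  # True
    }
```

Running demo() gives the four outcomes the lesson describes: the wire is scrambled in both setups, the HTTPS-only disk is readable to a thief, the encrypted disk is not, and a live path through the running service reads the encrypted disk anyway because the key is loaded.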
Knowledge Check
What does it mean for data to be "in transit" rather than "at rest"?
- It is moving across a network, not sitting in storage
- It is encrypted, rather than left as plain readable text
- It is brand new data, rather than old data kept for a long time
- It belongs to someone else, rather than belonging to you
A laptop holding a company's customer list is stolen from an office. Which protection would have kept that data unreadable to the thief?
- Encryption at rest
- HTTPS on the company website
- Encryption in transit
- A long password on the login screen
A website uses HTTPS for every page. Why does that not, by itself, mean stored customer data is safe?
- HTTPS only covers data while it moves, not how it is stored
- HTTPS doesn't really encrypt anything and is mostly for show
- Protecting data in transit automatically protects it at rest too
- HTTPS leaves data unprotected while it travels across the network