College of Arts, Humanities and Social Sciences

The three states of information

Knowing and understanding the three states of information helps you decide which security measures to apply.

Information at rest

Information is at rest when it is not being accessed: it is located in a database, or stored on a local drive, a network shared drive or in cloud storage.

A USB key or external hard drive also contains data at rest if it is not being accessed.

To protect its confidentiality and integrity, this data has to be secured with strong encryption.

To provide assurance of availability this data should be backed up, and should also be allocated a resilient storage mechanism.


Information in use

Information in use is all the data that is not at rest.

In the IT field we refer to data in use when a process or an application obtains access to, or uses, this data.

When data is in use we have to make sure that only the authorised user or process is accessing it.

If a password is stolen or an account is compromised, an intruder could use this data without any constraints.

To protect data in use we have to strengthen authentication and authorisation.

An OS also has mechanisms to protect data in use. If the OS is properly patched and has up-to-date antivirus or anti-malware software, this will help to prevent any Trojan or malicious process from accessing the data.

Information in transit

When we think in terms of physical information we can think of a postman carrying a letter.

With regard to digital data, transit is when information is transferred from one network node to another, when it is transmitted by e-mail from a sender to the recipient(s), or when bits flow from one host to another.

S/MIME for e-mail systems, SSL/TLS for browsers, and IPsec in VPNs are methods to secure the channel of communication.

There is a self-explanatory attack called “man-in-the-middle” in which an attacker could intercept a communication. A secured and encrypted channel would prevent that attacker from reading or tampering with any of that information.