
Data Encryption at Rest and In Transit

Encryption is your last line of defence when everything else fails. Done right, a stolen disk or sniffed connection leaks nothing useful.

Written by BSH Technologies
Published on 2025-07-20

Encryption is the safety net under every other control

You can harden servers, train staff, and lock down access, and a determined attacker may still get through — or a laptop may simply be left in a taxi. Data encryption is what makes those failures survivable. When data is properly encrypted at rest and in transit, a stolen disk is a useless brick and an intercepted connection is gibberish. It does not prevent every attack, but it converts many would-be breaches into non-events. Understanding the two states data lives in — sitting still and moving — is the foundation.

Encryption at rest: protecting stored data

Data at rest is anything written to a disk, database, backup, or USB drive. Encrypting it means that physical access to the storage does not grant access to the contents.

  • Full-disk encryption on every laptop and workstation is non-negotiable. A lost encrypted laptop is a lost asset; a lost unencrypted one is a data breach with legal and reputational consequences.
  • Database and volume encryption protects server-side data, so a copied disk image or a misplaced backup tape reveals nothing.
  • Encrypted backups matter especially — backups are full copies of your most important data, often shipped offsite, and an unencrypted backup is the softest target in the building.

The catch with at-rest encryption is that it only protects data when the system is off or the volume is locked. On a running, unlocked machine the data is decrypted for use, which is exactly why encryption complements access control rather than replacing it.

Encryption in transit: protecting data on the move

Data in transit is anything crossing a network — a web request, an API call, a file sync, an email between servers. Without encryption, anyone positioned along the path can read or tamper with it.

  • TLS everywhere is the baseline. Every web service, internal or external, should be served over HTTPS with a current certificate and modern protocol versions; plain HTTP has no place handling real data.
  • Encrypted connections for everything else — database links, administrative sessions, file transfers — not just the public website.
  • VPN or private networking for traffic between sites or into cloud environments, so internal communication is not exposed on shared infrastructure.

Retire outdated protocols and weak cipher suites. Encryption that uses a broken algorithm offers false comfort, which is more dangerous than no encryption at all because it stops you looking for the real gap.
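As an added illustration of the protocol and cipher-suite point above (example code written for this post, not BSH's own tooling), the Go check below audits a standard-library crypto/tls configuration: it flags a minimum version below TLS 1.2, suites that Go itself lists as insecure, static-RSA suites that give no forward secrecy, and disabled certificate verification. LegacyConfig and HardenedConfig are constructed samples; AuditTLS and the insecure index are names chosen for this example.

```go
package main

import (
	"crypto/tls"
	"strings"
)
// insecure indexes the suite IDs that Go itself marks as broken (RC4, CBC-SHA256, ...).
var insecure = func() map[uint16]bool {
	m := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.ID] = true
	}
	return m
}()
// AuditTLS returns one finding per setting that keeps an outdated protocol or weak suite alive, or defeats TLS itself.
func AuditTLS(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion unset: relies on the library default; pin TLS 1.2 or higher")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion below TLS 1.2: TLS 1.0 and 1.1 are deprecated (RFC 8996)")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "broken cipher suite enabled: "+name)
		case strings.HasPrefix(name, "TLS_RSA_WITH_"):
			findings = append(findings, "no forward secrecy (static RSA key exchange): "+name)
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: peer certificate not checked, so an interposed host goes undetected")
	}
	return findings
}

// Constructed samples: a legacy configuration and its corrected form.
var (
	LegacyConfig = &tls.Config{
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
		InsecureSkipVerify: true,
	}
	HardenedConfig = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
)
```

Go ignores CipherSuites for TLS 1.3 connections, so the suite findings only matter for TLS 1.2 peers; the MinVersion finding is what retires TLS 1.0 and 1.1.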

The hard part is the keys

Encryption is only as strong as the protection around its keys, and key management is where most real-world implementations fall down. A key stored in plain text next to the data it protects offers no protection whatsoever. Keys belong in a dedicated key management system or hardware security module, with access tightly controlled and logged. Plan for rotation so a single key does not guard everything forever, and plan for recovery — because a lost key can mean permanently lost data, turning your safety net into a self-inflicted outage. Treat keys as the crown jewels they are.
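To make the at-rest and key-management points concrete (an added example written for this post, not BSH's code), the Go program below implements envelope encryption with AES-256-GCM from the standard library: each record is encrypted under its own data encryption key (DEK), the DEK is wrapped by a key encryption key (KEK) that would live in a KMS or HSM, and rotating the KEK re-wraps only the DEK while the bulk ciphertext stays untouched. NewKey is an assumption standing in for the KMS; all function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey stands in for a 256-bit key minted inside a KMS/HSM (assumption: no real KMS here).
func NewKey() []byte { k := make([]byte, 32); if _, err := rand.Read(k); err != nil { panic(err) }; return k }

// mustAEAD returns AES-256-GCM for a 32-byte key; any other length is a programming error.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return g
}

// Seal encrypts plaintext under key; the fresh random nonce is prefixed to the output.
func Seal(key, plaintext []byte) []byte {
	g := mustAEAD(key)
	nonce := NewKey()[:g.NonceSize()] // 12 random bytes, never reused under one key
	return g.Seal(nonce, nonce, plaintext, nil)
}
// Open reverses Seal; a wrong key or altered bytes fail the authentication tag.
func Open(key, sealed []byte) ([]byte, error) {
	g := mustAEAD(key)
	if n := g.NonceSize(); len(sealed) >= n { return g.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("ciphertext too short")
}

// Encrypt: a fresh DEK encrypts the data; the KEK wraps only the DEK. The plaintext DEK is never stored.
func Encrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := NewKey()
	return Seal(kek, dek), Seal(dek, plaintext)
}
// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := Open(kek, wrappedDEK)
	if err != nil { return nil, err }
	return Open(dek, ciphertext)
}
// RotateKEK re-wraps the DEK under newKEK; the bulk ciphertext is not touched at all.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := Open(oldKEK, wrappedDEK)
	if err != nil { return nil, err }
	return Seal(newKEK, dek), nil
}
```

The wrapped DEK and the ciphertext can sit together on disk because neither is usable without the KEK, which is exactly why the KEK must not be stored next to them.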

Match the effort to the data

Not all data needs identical treatment, and pretending it does wastes effort and budget. Classify what you hold — public, internal, confidential, regulated — and let that drive the controls. Customer records, financial data, and anything covered by law warrant the strongest protection and the closest attention to key handling. Knowing what you have and where it lives is the unglamorous prerequisite: you cannot protect data you have not catalogued, and most over-spending and under-protection come from skipping this step.

Remember the gaps encryption leaves

Encryption is powerful but not total, and treating it as a complete answer creates dangerous blind spots. Two limits matter most in practice. First, data in use — decrypted in memory while an application processes it — is not protected by at-rest or in-transit encryption, which is why access control and endpoint security remain essential rather than optional. Second, encryption protects confidentiality, not availability: ransomware works precisely by encrypting your data against you, so tested backups, not encryption, are what save you there. Hold both ideas at once — encrypt thoroughly, and keep the other controls that cover what encryption cannot.

  • Pair encryption with strong access control, since decrypted data is only as safe as the account that can reach it.
  • Keep offline, tested backups so an attacker who encrypts your live data cannot also hold your recovery hostage.
  • Do not let "it's encrypted" become a reason to relax monitoring or patching — the layers work together.

How BSH can help

BSH Technologies implements encryption at rest and in transit across endpoints, servers, databases, and backups — and, crucially, sets up the key management to back it. As part of our cybersecurity and managed IT services, we will classify your data, close the gaps where it sits exposed, and make sure a lost device or intercepted connection stays a non-event. If you are unsure what is encrypted and what is not, that audit is where we start.
