Applied Information Management

Data-at-Rest (DAR): Protecting Sensitive Information in Mobile Information Systems (ISs)

As the number of mobile ISs increases, so does the amount of DAR and the likelihood of exposure.

Once data is stored on any storage device, it is called data-at-rest (DAR). Failing to protect DAR places both individuals and organizations at risk. Individuals face the risk of identity theft, which can result in thieves draining personal bank accounts, purchasing cars, taking out a home loan, and even assuming the victim's identity all together. Organizations face the risk of serious financial repercussions, which may include loss of reputation and payment of large fines. Many organizations and individuals are not doing enough to protect themselves from having sensitive information either stolen or lost. The table below describes three key factors that drive the need for DAR protection.

Factors Driving the Need for DAR Protections
Lost or stolen devices The need for a data-at-rest (DAR) security solution is ever present with the number of companies dependent on a mobile workforce that requires traveling with laptops, smart phones, personal digital assistants (PDA), and other electronic devices holding sensitive information.
Regulations and policies Regulations mandate the use of protection measures to secure DAR; government policies and legislation help pass additional regulations or lay the groundwork for other regulations that are intended to protect sensitive information.
The need to protect data at the source Identity Finder, LLC (2009) reveals that 44 percent of all data breaches occur from lost or stolen digital media and 22 percent of data breaches occur from hackers gaining access to the data source. This suggests that 66 percent of all data breaches could have been prevented by securing data at the source. The cost associated with implementing a DAR security solution is less than the cost associated with data breaches that cause damage to reputation or require support services for affected individuals.

Figure 1—Factors Driving the Need for DAR Protections

The United States government has started to put policies and regulations into place intended to give the general public guidance on protecting sensitive information. A list of thirteen DAR standards, regulations and policies follows:

  • Sarbanes-Oxley Act
  • California (CA) 1798
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Personal Information Protection Act
  • Gramm-Leach-Bliley Act
  • European Union (EU) Data Protection Directive
  • National Data Privacy laws
  • OMB Memorandum M-06-16
  • OMB Memorandum M-06-17
  • Federal Information Security Management Act (FISMA) of 2002
  • Federal Agency Data Breach Protection Act
  • Personal Data Privacy and Security Act of 2007
  • Telework Enhancement Act of 2007

Not every organization or individual can mitigate every security risk associated with protecting data-at-rest (DAR). However, to ensure compliance with policies, regulations, and/or laws governing them, some sort of protection needs to be put into place to ensure that everything that can be done is being done. According to Strohmeyer (2010), applications may be the quickest way to implement some sort of security measures and are normally lower in cost than other solutions. Encryption is the best route to take when trying to protect information and it is the preferred method in policies and regulations (NRS 597.970, 2008). Utilizing an application and/or encryption that is greater than 128 bits is in keeping with best security practices, gives a means of trying to locate the lost/stolen device, and provides a deterrent for criminals (Greenwood, 2009).


  • Greenwood, B. (2009). Stolen laptop leads police to identity theft ring. Information Today, 26(8), 44.
  • Identity Finder, LLC. (2009). Data loss prevention: Data-at-rest vs. data-in-motion. (White Paper).
  • NRS 597.970. (2008, October 1). Restrictions on transfer of personal information through electronic transmission. (Nevada State Law).
  • RSA Security, Inc. (2002). Securing data at rest: Developing a database encryption strategy. (White Paper).
  • Strohmeyer, R. (2010). Lost! PC World, 28(5), 85-91.
  • United States Congress. Senate Committee on Homeland Security and Governmental Affairs. (2010).
  • Vamosi, R. (2010). Big headaches from little data breaches. PC World, 28(9), 41-42.
AIM alumnus Jeff McLean

Research Paper Author: Jeffery S. McLean, information security systems engineer (ISSE), Harris Corporation—2011 AIM Graduate

Abstract: As the number of mobile information systems (ISs) increases, so does the amount of data-at-rest (DAR) susceptible to attacks. Literature published from 2001 to 2010 is examined to describe (a) thirteen selected standards, regulations, and policies requiring DAR security solutions; and (b) currently available DAR security solutions of two types: hardware (encryption) and applications. Focus is on affordability and interoperability. Solutions are presented as a guide to help curb loss of DAR and identity theft.

Download the entire Capstone research project