How Encryption At-rest and In-transit Works
Corey McCraw is a staff writer covering VoIP and Unified Communications. Corey has over a decade of experience in marketing, tech writing, and corporate communications and has even penned content for the former First Lady Michelle Obama’s Let’s Move initiative.
Silvana is a staff writer at Fit Small Business who covers business technology, audio and video conferencing tools, and phone services.
This article is part of a larger series on VoIP.
There are two types of data encryption: at-rest and in-transit, also known as data in motion. Data at-rest refers to inactive data not moving between devices or networks and tends to be stored in data archives. On the other hand, data in-transit is moving between devices or two network points. Data in-transit tends to be more vulnerable and requires additional security protocols to ensure data security.
To maintain the privacy and safety of data at-rest and in-transit, companies rely on data encryption, which translates a piece of data into seemingly meaningless text that unauthorized entities cannot decipher. Each type requires specific encryption techniques for optimized protection, which we break down in detail below.
Data Encryption: At-rest vs In-transit
Data at-rest refers to data residing in computer storage in any digital form. At-rest data encryption protects data during storage, whether on a mobile device, computer, tablet, data warehouse, or in the cloud. Data at-rest is a target for hackers because of its static data storage and logical structure. Data at-rest typically houses valuable, private information, such as financial documents, contracts, intellectual property, and supply chain details.
Encryption for at-rest data entails encrypting stored data to prevent unauthorized access. The encryption scrambles the data into ciphertext and requires a decryption key to unscramble it into its initial state. Hackers who steal and attempt to access the encrypted data without the decryption key must override the encryption (a difficult task) to decipher the data. Without at-rest encryption, hackers load the data onto their computers and access everything.
On the other hand, encryption in-transit protects data in motion or while it’s being transferred. Data is more vulnerable during this time and needs additional security protocols to protect it. For instance, many in-transit encryption services also include steps to authenticate the sender and receiver before decrypting the information upon arrival using Transport Layer Security (TLS).
This added security layer then helps to protect data when uploading or downloading a document or media file. It is also used to protect your business when you send an email or data packets using voice-over-internet-protocol (VoIP) business calling solutions.
In both cases, encryption doesn’t necessarily make data theft impossible—it makes it more complex and resource-consuming. That’s why data encryption in-transit and at-rest is just one of many security layers businesses can use to protect their information. However, if best practices aren’t observed, both types of encryption have drawbacks and risks.
At-rest: Benefits, Drawbacks & Best Practices
| PROS | CONS |
|---|---|
| Provides additional security for sensitive information | Makes it difficult to recover your data |
| Maintains data integrity during hardware replacement, repair, and upgrade | Hackers sometimes discover decryption keys |
| Stretches across multiple devices and secures from in-person data theft attempts | May turn out to be costly, requiring upgrades and maintenance for optimal performance |
It’s important to know how to protect and secure data at-rest, which is typically stored in one location, such as hard drives, flash drives, or cloud storage. When data at-rest is encrypted through hardware-based software and devices, personally identifiable information and sensitive content are protected from unauthorized people trying to access or steal the data.
Data at-rest is generally less vulnerable to hacking; hackers tend to find the data more valuable than data in-transit because at-rest data often has higher levels of sensitive information. Some best practices when using at-rest encryption include the following:
File-level encryption only protects individual files, whereas full disk encryption secures everything on a hard drive. If a hard disk is lost or stolen, all the data is secure and accessible only through the encryption key.
Separating the keys from the data and storing them offline makes them less vulnerable to hackers. Limit users with access to the keys or rotate your keys on a schedule.
Make it more challenging for hackers to access at-rest data stored in the cloud by ensuring robust access protocols, including best practices for username and password security and keeping login pages private.
Data encryption isn’t your first or only defense. Store and dispose of hardware appropriately to prevent bad actors from encountering your encrypted data.
Utilize mechanisms that prevent users from having direct access to sensitive data and systems during normal operations. For example, use a dashboard instead of direct data access to run queries.
In-transit: Benefits, Drawbacks & Best Practices
| PROS | CONS |
|---|---|
| Prevents data access from common hacking strategies like eavesdropping and data breach | It’s not always possible to hide metadata (sender, recipient, and date) |
| Reduces the potential attack surface for hackers | Encryption gives third parties too much security, protecting them from law enforcement and investigations |
| Prevents hackers from using data if they intercept communications | Requires cooperation to follow protocols by all parties involved |
To give a clearer picture of what data in-transit is, some examples of a file in-transit include sending an email over the internet, colleagues exchanging files over a corporate network, and transferring data from a USB to a co-worker’s laptop. Data in-transit is more vulnerable than static or at-rest data kept in an offline database. Moving data has unique risks, such as snooping intermediaries intercepting moving data or sending errors leading to data leaks.
The best practices when using an in-transit encryption service include the following:
Before a breach happens, develop data protection policies for your business based on best practices, hire a data network security consultant to provide recommendations, and invest in cybersecurity insurance to protect your company from liability.
Use firewalls and network access control to ensure it’s safe to transmit data to and from your network.
Set up spam filters, phishing blocks, and malicious file-sharing detection to protect your data further. Use tools like GuardDuty to automatically detect unauthorized attempts to move or access data, such as Trojans trying to copy data to unknown or untrusted networks.
In addition to encryption, require strong passwords with a minimum of eight characters containing a combination of letters, numbers, and special symbols.
Remember that any unencrypted or unprotected data is at risk. Instead of playing catch-up, businesses must prioritize their data and associated risks, then build defense mechanisms before attacks materialize. Business data is stored, used, and transmitted daily. The company website, video conferencing, and email communications must be secured, but data encryption needs to be applied to all channels, including voicemails and data storage.
How VoIP Encryption Works
The availability and functionality of VoIP business phones have streamlined how businesses of all sizes communicate. Teams coordinate and share personal or privileged information with clients and colleagues through internet-based solutions. Therefore, all conversations over VoIP channels must be encrypted and modified into cluttered voice data packets to prevent them from being intercepted while in transit.
Call and phone system encryption prevents terrible actors from intercepting messages and using the information for malicious purposes. Our VoIP statistics article details that more companies are switching from traditional phone systems to VoIP because VoIP solutions increase productivity and provide cost-effective benefits.
There are three basic steps to VoIP encryption: first, creating a secure connection during a call, and then your audio is broken down into data packets sent through an SRTP (Secure Real-time Transport Protocol). The third step entails unpacking the packets once your message arrives at the destination. This entire process happens milliseconds between when you speak and when the caller hears you.
Here’s the summary of what happens during each step:
First, a phone call is initiated. A secure connection is made between the two parties to begin transferring information.
When you speak, VoIP breaks your voice call into data packets and sends them to the other caller using a transport protocol called SRTP (Secure Real-time Transport Protocol). This protocol encrypts the messages with Advanced Encryption Standard (AES) to prevent interception and theft.
Once your message arrives safely at the end destination, it’s reassembled using the decryption key. Your data packets are unpacked, and the receiver hears your voice played as audio. All this happens during the milliseconds between when you speak and your caller hears you.
Unified communications as a service (UCaaS) uses a similar process to encrypt text messages, chat, and video conferencing calls. Encryption protocols scramble messages and make them unreadable during transit. The end-user receives and decrypts the data to use the information inside the message. When this data is warehoused, it is where at-rest encryption comes into play to ensure it remains safe.
VoIP security is necessary because of the rise in cybercrimes. According to the 2022 Data Breach Investigations Report, small businesses are the primary target because they typically do not have adequate security systems. Verizon reports that small businesses account for 28% of data breach victims. Even if your data is backed up and restored, there may be damage to your reputation and credibility that will affect your business operations and returns.
VoIP Providers With Both Types of Encryption
VoIP services, like other business phone systems, have certain security threats and risks. However, companies mitigate risks by choosing a provider offering secure and encrypted services. When choosing a provider, select one that provides VoIP and UCaaS security features and encryption. Additionally, there are government regulations for handling personal information, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The three providers listed offer data at-rest and data in-transit encryption, are HIPAA-compliant, and have protocols like physical data protection, secure communications, and breach notifications in place. This is particularly important for businesses in the healthcare industry as you need a HIPAA-compliant VoIP business phone system. Read this to learn more about different types of compliance.
Nextiva is an all-in-one VoIP business phone software with collaboration and customer management capabilities. It offers a 99.999% uptime guarantee and a secure calling environment. Each transmission uses Transport Layer Security (TLS) and SRTP encryption between all endpoints to prevent interception.
Nextiva conducts regular third-party audits, including white-hat hacker communities and 24/7 monitoring. Call encryption is an optional service, available by request to all Nextiva Voice customers on specific phone models.
This provider offers three tiered pricing plans, volume-based discounts, and lower pricing for annual prepayment. Subscriptions for one to four users start at $30.95 per user, paid monthly. All Nextiva plans include toll-free minutes and unlimited internet faxing.
RingCentral’s Secure Voice safeguards voice communications on RingCentral devices with call encryption that prevents eavesdropping and call tampering. This is available to all customers with RingCentral Office editions. This feature provides privacy and data integrity between two communicating endpoints within RingCentral services.
RingCentral features robust security measures, including TLS and SRTP encryption between all endpoints, to prevent interception of communications. This is why RingCentral is on our list as one of the top business phone systems.
This cloud-based business communications solution includes message, video, phone, and contact center services. It has four subscription plans and offers discounts for user volume and annual prepayment. Monthly user rates start at $29.99 for one to 20 users.
Dialpad is a cloud-based platform that offers enterprise-level encryption with calls made over the VoIP network and in-transit web requests encrypted using TLS. With Dialpad, data at rest is secured in the Google Cloud Platform, encrypted with AES 256-bit or greater ciphers. During live phone calls and conferences, data transferred is encrypted and authenticated using SRTP.
This provider offers internet-based business communications, a contact center, video conferencing, and sales dialer tools. It has three subscription plans with discounts for annual prepayment. Its Standard plan starts at $23 per user when billed monthly and $15 when billed annually.
Interested to learn more about VoIP? Now that you’ve learned about VoIP data encryption in flight and at-rest and how it helps keep your data secure, read our guide on how to set up a VoIP system to learn more.
Frequently Asked Questions (FAQs)
How do small businesses avoid getting hacked?
Develop a cybersecurity plan and work with phone system providers that offer quality encryption services. Measures that must be included in your data privacy protocols include using strong passwords, enabling two-factor authentication, security protocol training, and banning the use of public connections to access sensitive information.
Does GDPR require encryption of data at-rest?
The General Data Protection Regulation (GDPR) is a European Union law that protects an internet user’s privacy and security while browsing websites online. However, it doesn’t necessarily require at-rest data encryption. Encryption is more than a regulatory compliance issue. It reduces the probability of a successful breach—protecting your business, employees, and clients. Protecting your data also helps you avoid costly fines and damaged trust.
How do I secure my VoIP network?
Choose a VoIP provider with extensive security protocols and encryption in-transit and at-rest in addition to other essential VoIP business phone features. Furthermore, your organization is responsible for safeguarding passwords, monitoring access, reviewing call logs, deactivating inactive accounts, and using a virtual private network (VPN) for remote staff.
If you’re looking for a VoIP provider with a 99.999% uptime guarantee and a secure calling environment, consider Nextiva. Its security features include 24/7 monitoring, biometric checkpoints, and an audited data center based on ISO certification. Read our comprehensive Nextiva review to learn about the pricing plans and features.
What are the most secure encryption techniques?
Whether you’re securing data at-rest or data in-transit encryption, AES and Rivest-Shamir-Adleman (RSA) are the most common and trusted encryption techniques. AES encryption is used for in-transit and at-rest encryption, while RSA is typically used for transmitting data between two endpoints.
Bottom Line
Now that you know about data at-rest vs data in-transit, you know security is essential to every business. Data is a great asset, and once you are entrusted with private information, you have a responsibility to clients and employees to safeguard their data. Any disruption to your system, including your business phone—misuse, breaching, or theft—could be one of your greatest liabilities, which is why data protection and privacy are non-negotiable.
Data encryption at-rest and in-transit is a must-have security protocol for all online business communications, including VoIP services. Having both data at-rest and data in-transit encryption strengthens data protection. Before choosing a provider, ensure it has the encryption standards your business demands, including specific industry regulations, such as HIPAA compliance.
