SECURING DATA BY RESTRICTING access to objects using operating system access controls works well for data at rest, or data that are stored at a single location. Access controls limit which subjects can read or write data. This provides a level of security while the data remain on the object’s storage device, accessible only through Windows. The problem with this configuration is that functional data tend to be used. Sensitive data are stored in objects that need to be secured. They are also accessed at some point for the purpose of being presented, manipulated, or transmitted to another subject. Once data leaves its protected storage device, you need to provide additional protection to ensure its security is maintained. Along with provided protection, users of sensitive data need to be held accountable for the manner in which they use that data. Security is a team effort.

In this chapter, you’ll learn about different strategies Microsoft Windows supports to secure data at rest and data in transit. Data that are in transit are being sent from one location to another. Encryption is the most common technique used to secure data in transit. Properly used encryption can make unauthorized accessing, viewing, or changing protected data very difficult. You’ll also learn how encryption can be used to secure data at rest to provide an additional layer of protection over and above solid access controls. Encryption is another valuable strategy for securing your information.