Data at Rest Security Controls

Data at rest security controls govern the protection of stored data — files, databases, archives, and backups — when that data is not actively moving across a network or being processed by an application. This reference covers the definition and regulatory scope of these controls, the mechanisms by which they function, the environments in which they are commonly applied, and the decision logic used to select appropriate control types. The subject spans enterprise storage infrastructure, cloud repositories, mobile endpoints, and regulated industries subject to federal and state data protection mandates.

Definition and scope

Data at rest refers to persistent data residing on physical or logical storage media, including hard drives, solid-state drives, tape archives, cloud object storage buckets, and database servers. Unlike data in transit security, which addresses information moving between systems, or data in use protection, which addresses data loaded into active memory, data at rest controls are applied at the storage layer and remain active whether or not the system is connected to a network.

The regulatory scope of these controls is broad. The National Institute of Standards and Technology (NIST) addresses data at rest protection under NIST SP 800-53 Rev. 5, specifically under control families SC (System and Communications Protection) and MP (Media Protection). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, administered by the Department of Health and Human Services Office for Civil Rights, requires covered entities to implement technical safeguards for stored protected health information. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, mandates encryption of stored cardholder data under Requirement 3. The Federal Information Processing Standard (FIPS) 140-2 and its successor FIPS 140-3, published by NIST, define validated cryptographic module requirements applicable to federal systems handling sensitive data.

How it works

Data at rest security operates through four primary control categories:

1. Encryption — Cryptographic algorithms convert plaintext stored data into ciphertext readable only with the appropriate decryption key. Full-disk encryption (FDE) operates at the volume or device level, while file-level encryption targets individual files or directories, and database encryption (transparent data encryption, or TDE) operates within the database engine itself.
2. Access controls — Role-based and attribute-based access control policies restrict which users, services, or processes can read, write, or delete stored data. Data access controls are enforced through operating system permissions, database authorization layers, and cloud identity and access management (IAM) policies.
3. Key management — Encryption is only as strong as the lifecycle governance of its keys. Secure key generation, storage, rotation, and revocation policies are governed by frameworks such as NIST SP 800-57. Hardware Security Modules (HSMs) provide tamper-resistant key storage. See key management practices for sector-specific implementation patterns.
4. Media controls — Physical and logical media sanitization, secure disposal, and hardware-level protection prevent data recovery from decommissioned devices. NIST SP 800-88, Guidelines for Media Sanitization, defines three sanitization categories: Clear, Purge, and Destroy.

Encryption algorithms in active use for data at rest include AES-256 (Advanced Encryption Standard with 256-bit keys), which NIST designates as appropriate for TOP SECRET-classified federal information, and RSA-4096 for asymmetric key exchange operations.

Common scenarios

Data at rest controls are applied across five major infrastructure environments:

• Enterprise on-premises storage — Database servers holding personally identifiable information or financial data are encrypted at the tablespace or volume level, with access tiered by job function.
• Cloud object storage — Providers such as Amazon S3, Azure Blob Storage, and Google Cloud Storage offer server-side encryption options; compliance frameworks including FedRAMP (managed by GSA) require encryption at rest for all government cloud deployments.
• Backup and archive repositories — Backup data is a frequent ransomware target; backup and recovery security controls include encrypted backup streams, offsite key storage, and immutable backup policies.
• Endpoint devices — Laptops and mobile devices subject to loss or theft require full-disk encryption enforced through mobile device management (MDM) platforms. Microsoft BitLocker and Apple FileVault are common FDE implementations at the endpoint layer, covered further under endpoint data security.
• Structured and unstructured data repositories — Column-level encryption in relational databases protects structured records, while object-level encryption addresses unstructured content in document stores and data lakes. The distinctions between these data types affect control selection; see structured vs. unstructured data security.

Decision boundaries

Selecting appropriate data at rest controls depends on intersecting regulatory, risk, and operational variables. Organizations subject to HIPAA choose between addressable and required implementation specifications — encryption is classified as addressable under the Security Rule, meaning it must be implemented unless an equivalent alternative is documented and justified. PCI DSS Requirement 3.5 mandates that primary account numbers (PANs) stored anywhere must be rendered unreadable using one of four defined methods: one-way hashes, truncation, index tokens with secured pads, or strong cryptography.

The distinction between FDE and file-level encryption reflects a key operational trade-off: FDE protects data on powered-off devices but provides no granular access differentiation once the volume is mounted; file-level encryption allows per-file access policies but adds operational complexity and potential performance overhead.

Data classification frameworks determine which control tier applies to a given dataset — public, internal, confidential, or restricted — and map those tiers to required encryption strength and access control rigor. Data at rest controls also intersect with data loss prevention policies when stored data is subject to exfiltration monitoring, and with data retention and disposal policies when encrypted data reaches the end of its retention lifecycle and requires cryptographic erasure or physical destruction.

References

• NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
• NIST SP 800-57 Part 1 Rev. 5 — Recommendation for Key Management
• NIST SP 800-88 Rev. 1 — Guidelines for Media Sanitization
• FIPS 140-3 — Security Requirements for Cryptographic Modules (NIST)
• HIPAA Security Rule — HHS Office for Civil Rights
• PCI DSS v4.0 — PCI Security Standards Council
• FedRAMP Program — U.S. General Services Administration