Well-Architected Framework
Protect sensitive data
Sensitive data is data that could cause harm if unauthorized people access it. Examples of sensitive data include personally identifiable information, financial records, passwords, and confidential business information. Protecting sensitive data helps prevent identity theft, fraud, and other security risks.
Sensitive data most commonly falls into the confidential or restricted data classification categories.
Why protect sensitive data
Defend against data exposure across the lifecycle: Sensitive data moves through multiple stages: creation, storage, use, archival, and deletion. A vulnerability at any stage can expose personally identifiable information, financial records, or confidential business data. Without protections at each stage, a single gap can compromise the entire dataset.
Detect and remediate leaked secrets before attackers exploit them: Secrets such as API keys, database credentials, and encryption keys can end up in version control, documentation, or project management tools. Once exposed, attackers can use leaked credentials to access systems and exfiltrate data. Proactive scanning identifies exposed secrets so teams can rotate or revoke them before damage occurs.
Encrypt data consistently across transit and storage: Protecting data only in transit or only at rest leaves gaps that attackers can exploit. A defense-in-depth approach requires encrypting data at every stage.
Common phases of a data lifecycle management framework include:
Create (including data acquisition): Establish secure data generation processes, implement proper validation and sanitization procedures, and classify data appropriately from the moment of creation or ingestion.
Store: Implement secure storage with appropriate access controls, encryption at rest, and regular security assessments of storage infrastructure and configurations.
Use and share: Enforce strict access controls, monitor data usage patterns, implement secure sharing protocols, and maintain audit trails of all data interactions.
Archive (including backup): Ensure long-term storage security through encrypted backups and regular restoration testing, and maintain access controls even for archived data.
Delete: Implement secure deletion procedures that ensure data is completely removed from all systems, including backups and temporary files.
Once you have developed a data classification scheme for your organization and classified your data, you should encrypt all confidential and restricted data throughout its lifecycle.
How to protect sensitive data
Protecting sensitive data requires a defense-in-depth approach because data moves across the network through multiple stages of the data lifecycle. Data in transit requires all applications to use encrypted interfaces. Enable HTTPS on your web servers and redirect all traffic attempting to connect over HTTP to HTTPS. Protecting data in transit prevents attackers from intercepting and altering data during transmission from service to service.
Data at rest requires encryption of both the data and the underlying storage service. If you only encrypt the data, or only encrypt the storage service, the data is still vulnerable to unauthorized access.
HashiCorp Vault lets you encrypt data using the transit secrets engine. Vault does not store the data. Instead, Vault provides an encryption service that you can use to encrypt data received from your applications before writing to your application's storage service. When using Vault Enterprise, you can also configure your application to use the Transform secrets engine, which supports NIST-vetted cryptographic standards such as format-preserving encryption (FPE). Vault is available as a self-hosted application, or you can get started quickly using the HashiCorp Cloud Platform.
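The pattern described above, seen from the application side, as an added example that is not HashiCorp's code: the application sends plaintext to the transit engine's encrypt endpoint, stores only the returned ciphertext, and later calls rewrap to move stored ciphertext onto a rotated key without ever seeing the plaintext. VAULT_ADDR, VAULT_TOKEN and the key name app-data are placeholders; InMemoryTransit is a local stand-in so the example runs without a Vault server and is not real encryption.

```python
import base64
import hashlib
import json
import urllib.request
from typing import Callable, Dict, Set

# Added example, not HashiCorp's code: an application-side wrapper around the
# Vault transit secrets engine. Vault holds the key; the application only ever
# handles ciphertext strings and passes those to its own storage layer.
VAULT_ADDR = "http://127.0.0.1:8200"          # placeholder Vault address
VAULT_TOKEN = "<vault-token-placeholder>"     # placeholder token
KEY_NAME = "app-data"                         # assumed transit key name

Transport = Callable[[str, Dict[str, str]], Dict]


def vault_http(path: str, payload: Dict[str, str]) -> Dict:
    """POST JSON to Vault's HTTP API and return the response's 'data' object."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


def key_version(ciphertext: str) -> int:
    """Transit ciphertext looks like 'vault:v<N>:<base64>'; N is the key version used."""
    prefix, version, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a transit ciphertext")
    return int(version[1:])


class TransitEncryptor:
    def __init__(self, key_name: str = KEY_NAME, transport: Transport = vault_http):
        self.key_name = key_name
        self.transport = transport

    def encrypt(self, plaintext: bytes) -> str:
        payload = {"plaintext": base64.b64encode(plaintext).decode()}
        return self.transport(f"transit/encrypt/{self.key_name}", payload)["ciphertext"]

    def decrypt(self, ciphertext: str) -> bytes:
        data = self.transport(f"transit/decrypt/{self.key_name}", {"ciphertext": ciphertext})
        return base64.b64decode(data["plaintext"])

    def rewrap(self, ciphertext: str) -> str:
        """Re-encrypt under the latest key version; the plaintext never leaves Vault."""
        data = self.transport(f"transit/rewrap/{self.key_name}", {"ciphertext": ciphertext})
        return data["ciphertext"]


def store_record(enc: TransitEncryptor, record: Dict[str, str], sensitive: Set[str]) -> Dict[str, str]:
    """Encrypt the classified (confidential/restricted) fields before the record reaches storage."""
    return {k: enc.encrypt(v.encode()) if k in sensitive else v for k, v in record.items()}


class InMemoryTransit:
    """Local stand-in for the Vault transport so the example runs offline.
    NOT real encryption: XOR with a per-version keystream, used only to mimic
    the encrypt/decrypt/rewrap behaviour and the 'vault:vN:' ciphertext format."""

    def __init__(self) -> None:
        self.latest = 1

    def rotate(self) -> None:
        self.latest += 1   # mimics a key rotation (transit/keys/<name>/rotate)

    def _xor(self, data: bytes, version: int) -> bytes:
        seed = hashlib.sha256(f"fake-key-v{version}".encode()).digest()
        stream = (seed * (len(data) // len(seed) + 1))[:len(data)]
        return bytes(a ^ b for a, b in zip(data, stream))

    def __call__(self, path: str, payload: Dict[str, str]) -> Dict:
        op = path.split("/")[1]
        if op == "encrypt":
            ct = self._xor(base64.b64decode(payload["plaintext"]), self.latest)
            return {"ciphertext": f"vault:v{self.latest}:{base64.b64encode(ct).decode()}"}
        ciphertext = payload["ciphertext"]
        pt = self._xor(base64.b64decode(ciphertext.split(":", 2)[2]), key_version(ciphertext))
        if op == "decrypt":
            return {"plaintext": base64.b64encode(pt).decode()}
        if op == "rewrap":
            ct = self._xor(pt, self.latest)
            return {"ciphertext": f"vault:v{self.latest}:{base64.b64encode(ct).decode()}"}
        raise ValueError(f"unsupported transit operation: {path}")


def demo() -> tuple:
    """Encrypt a classified field, rotate the key, rewrap the stored value, then decrypt."""
    fake = InMemoryTransit()
    enc = TransitEncryptor(transport=fake)
    stored = store_record(enc, {"id": "42", "ssn": "123-45-6789"}, {"ssn"})
    version_before = key_version(stored["ssn"])
    fake.rotate()
    stored["ssn"] = enc.rewrap(stored["ssn"])   # stored ciphertext moves to the new key version
    return stored["id"], version_before, key_version(stored["ssn"]), enc.decrypt(stored["ssn"]).decode()
```

Only the classified fields are encrypted, so the storage layer still indexes and queries the rest of the record, while the key version embedded in each ciphertext lets a periodic job find values still on an old key and rewrap them after rotation.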
HCP Vault Radar scans connected data sources such as Azure DevOps, GitHub, Confluence, and Jira to ensure no secrets or sensitive data is in version control, documentation, and project management tools.
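The kind of check such scanning performs, as an added example that is not HCP Vault Radar's code: a small pattern-based scanner run over constructed sample text of the sort that ends up in a commit, a wiki page or a ticket. The rules, the placeholder allowlist and the sample lines are simplifications assumed here, not Radar's rule set; the only realistic formats relied on are the AKIA prefix of AWS access key IDs, the hvs. prefix of Vault service tokens and the PEM private-key header.

```python
import math
import re
from collections import Counter, namedtuple

# Added example, not HCP Vault Radar's code: a minimal scanner for text headed
# into version control, documentation or ticketing tools. Patterns are
# simplified approximations; most specific rule is listed first.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("vault-token", re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-credential",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
]
# Values that reference an environment variable or template are not secrets.
PLACEHOLDER_PREFIXES = ("${", "<", "{{")

Finding = namedtuple("Finding", "line rule redacted entropy")


def shannon_entropy(value: str) -> float:
    """Bits per character; helps triage generic matches (high entropy looks machine-generated)."""
    if not value:
        return 0.0
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the full secret in scanner output; it would be a second leak."""
    return f"{value[:4]}...({len(value)} chars)"


def scan(text: str):
    """Return one Finding per line that matches a rule (most specific rule wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue
            findings.append(Finding(lineno, rule, redact(value), round(shannon_entropy(value), 2)))
            break
    return findings


def gate(text: str) -> bool:
    """True when the text is clean; the shape a pre-commit hook or CI step would call."""
    return not scan(text)


# Constructed sample content; every value below is made up.
SAMPLE = """\
db_host = db.internal.example
db_password = "${DB_PASSWORD}"
aws_access_key_id = AKIAEXAMPLEKEY000001
vault_token = hvs.ExampleTokenValue0123456789abcdef
-----BEGIN RSA PRIVATE KEY-----
api_key = "Z8k2Lq9vT4mW1pR7xN3bH6jD"
"""
```

Findings carry a redacted value rather than the secret itself so the scanner's own log does not become another place the credential is exposed. A hit should trigger rotation or revocation of the credential, not only its removal from the text, because history, caches and forks may already hold the exposed value.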
HashiCorp Consul encrypts traffic using mutual transport layer security (mTLS) between services connected to the Consul service mesh. mTLS adds an additional layer of encryption when transmitting data between services. Consul is available as a self-hosted application.
HashiCorp resources
- Learn to encrypt data in transit with Vault
- Learn to transform sensitive data with Vault using format-preserving encryption
- Scan a repository for secrets with HCP Vault Radar
- Connect your services securely with Consul service mesh
External resources
- Read about rethinking defense playbooks as cyber criminals move faster
- Learn about data management concepts and strategies
- Learn about data lifecycle management frameworks
- Read the NIST methods for format-preserving encryption specification
Next steps
In this section of Secure data, you learned about common ways to secure sensitive data using HashiCorp Vault, HCP Vault Radar, and Consul. Protect sensitive data is part of the Secure systems pillar.
Visit the following documents to continue building your data protection strategy:
- Protect data at rest to implement storage encryption strategies for classified data
- Protect data in transit to secure data as it moves between systems
- Tokenize data to replace sensitive values such as credit card numbers or patient records with non-sensitive tokens
- Use policy as code to enforce data protection requirements across your infrastructure