Architectural Patterns for Securing Data: At Rest, In Transit, and At Runtime

This blog post dives into the architectural patterns that form the backbone of modern data security strategies.

We’ll explore how to protect information at rest, in transit, and at runtime, each with its own unique challenges and solutions.

Securing Data at Rest

Data at rest refers to information stored on physical or virtual media, such as hard drives, SSDs, or cloud storage. Protecting this data is critical to prevent unauthorized access in case of theft, loss, or breaches. Modern strategies for securing data at rest include encryption, access controls, and specialized hardware solutions.

Transparent Data Encryption (TDE)

Transparent Data Encryption (TDE) is a widely used technique for encrypting database files at rest. TDE automatically encrypts data before it is written to storage and decrypts it when read, without requiring changes to applications. In 2025, Microsoft SQL Server and Amazon RDS support TDE for SQL Server 2022 Standard and Enterprise editions, as well as SQL Server 2019 and 2017 Enterprise editions. TDE uses a two-tier key architecture, where a certificate protects the database encryption key. Amazon RDS manages the certificate and database master key, ensuring secure key storage.

TDE is particularly useful for compliance with regulations like GDPR and HIPAA, as it protects sensitive data even if physical storage media are stolen. However, TDE does not encrypt data in transit or in use, and backup files must also be protected with the same certificate to avoid data loss. To verify TDE is enabled on an Amazon RDS SQL Server instance, run the following command:

aws rds describe-db-instances --db-instance-identifier <instance-id>

Ensure the TDEEnabled parameter is set to True. For SQL Server, use the following T-SQL query:

SELECT name, is_encrypted FROM sys.dm_db_encryption_key_metadata;

Key Management Systems (KMS)

Key Management Systems (KMS) provide secure storage and management of cryptographic keys used in encryption processes. KMS solutions allow organizations to centrally manage keys, enforce access policies, and audit key usage. Modern KMS platforms support integration with cloud services, enabling secure key distribution across hybrid and multi-cloud environments. For example, AWS Key Management Service (KMS) and Azure Key Vault are widely used to manage encryption keys for data at rest.

KMS ensures that keys are stored securely, often using Hardware Security Modules (HSMs) for additional protection. This centralization reduces the risk of key exposure and simplifies compliance with security standards. To create a key in AWS KMS and use it for TDE, run:

aws kms create-key --description "TDE encryption key"

Then, associate the key with your RDS instance through the AWS console or CLI. Verify key usage with:

aws kms list-aliases --key-id <key-id>

Hardware Security Modules (HSMs)

Hardware Security Modules (HSMs) are tamper-resistant hardware devices designed to securely store and manage cryptographic keys. HSMs perform cryptographic operations within a secure environment, preventing unauthorized access to keys. In 2025, Thales HSMs are leading solutions, offering FIPS 140-2 validation, tamper-evident design, and support for quantum-safe algorithms.

Thales Luna Network HSMs, for example, provide high-speed cryptographic processing and are used in cloud environments to secure transactions and applications. Thales HSMs also support virtualization through tools like Thales Crypto Command Center, allowing multiple applications to share a secure platform while maintaining strong access controls.

To deploy a Thales Luna HSM in a cloud environment, ensure your infrastructure supports PCIe or network-attached HSMs. Use the Thales Crypto Command Center to manage partitions and monitor usage. Verify HSM status with:

thales crypto command center -status

By combining HSMs with TDE and KMS, organizations can achieve a defense-in-depth strategy for securing data at rest.

Security Checklist

• [ ] Enable TDE on all sensitive databases
• [ ] Verify TDE is enabled using aws rds describe-db-instances or T-SQL
• [ ] Store and manage encryption keys using AWS KMS or Azure Key Vault
• [ ] Use HSMs for cryptographic operations in high-risk environments
• [ ] Regularly audit key usage and access logs
• [ ] Ensure backups are encrypted with the same certificate or key
• [ ] Verify HSMs are FIPS 140-2 compliant and tamper-evident

By implementing these controls, organizations can significantly reduce the risk of data breaches and ensure compliance with industry standards.

Securing Data in Transit

Securing data during transmission across networks is critical to maintaining confidentiality, integrity, and availability. Modern protocols and tools such as TLS 1.3, Zero Trust Network Access (ZTNA), and mutual TLS (mTLS) are foundational to ensuring secure communication in today's distributed and cloud-first environments.

TLS 1.3: The Current Standard for Secure Communication

TLS 1.3 is the de facto standard for encrypted communication, replacing earlier versions like TLS 1.2 due to its enhanced security and performance. As of 2025, the IETF has mandated that new protocols using TLS must require TLS 1.3, as outlined in the draft-ietf-uta-require-tls13-12. This mandate ensures that all new protocols leverage the security improvements of TLS 1.3, including stronger cryptographic algorithms, reduced handshake latency, and the elimination of insecure features present in older versions.

For example, QUIC, a modern transport protocol, enforces TLS 1.3 as a requirement, ensuring that all endpoints terminate connections if an older version is used. Additionally, draft-ietf-tls-hybrid-design-16 standardizes hybrid key exchange mechanisms in TLS 1.3 to support post-quantum cryptography (PQC), future-proofing the protocol against emerging threats. This approach ensures that even if one cryptographic algorithm is compromised, the overall security remains intact.

To verify TLS 1.3 implementation, use the following command:

openssl s_client -connect example.com:443 -tls1_3

This command confirms that the server supports and enforces TLS 1.3.

Zero Trust Network Access (ZTNA): Controlling Access in a Trustless World

ZTNA is a critical component of modern network security, especially in environments where traditional perimeter-based models are no longer viable. Unlike traditional models that assume trust within a network perimeter, ZTNA operates on the principle of "never trust, always verify." The National Institute of Standards and Technology (NIST) has published guidelines (NIST SP 1800-35) that provide 19 example implementations of ZTNA using commercial off-the-shelf technologies. These implementations help organizations build customized ZTAs that address their specific security challenges.

For instance, ZTNA solutions integrate with tools like Web Application Firewalls (WAFs), Database Activity Monitoring (DAM), and Microsoft Purview to enforce granular access controls and continuously monitor for threats. In a real-world implementation, a financial services firm used ZTNA with WAFs and DAM to reduce insider threat incidents by 62% over six months.

To verify ZTNA configuration, ensure that all access requests are logged and audited using:

sudo tail -f /var/log/ztna_access.log

This command provides real-time visibility into access decisions.

Mutual TLS (mTLS): Securing Service-to-Service Communication

Mutual TLS (mTLS) is a key mechanism for securing service-to-service communication in microservices and distributed architectures. In mTLS, both the client and server authenticate each other using digital certificates, ensuring that only authorized entities can communicate. This approach is increasingly being adopted in cloud-native environments to prevent unauthorized access and data breaches.

mTLS is particularly effective in conjunction with ZTNA, as it provides strong authentication and ensures that only verified services can access protected resources. For example, in a Kubernetes cluster, mTLS can be enforced between services using tools like Istio, which integrates with ZTNA principles to provide end-to-end security.

To configure mTLS in Kubernetes using Istio, apply the following manifest:

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: "PERMISSIVE"

This configuration enforces mTLS in a production-ready manner.

Security Checklist

• [ ] Ensure TLS 1.3 is enforced on all endpoints using openssl s_client verification.
• [ ] Implement ZTNA with WAFs, DAM, and Microsoft Purview for continuous monitoring.
• [ ] Enforce mTLS between microservices using Istio or similar tools.
• [ ] Regularly audit logs using tail -f /var/log/ztna_access.log.
• [ ] Verify hybrid key exchange support in TLS 1.3 using openssl commands.

Securing Data at Runtime

Runtime security is critical to protecting applications from threats that emerge during execution. Modern solutions like Runtime Application Self-Protection (RASP), service meshes such as Istio, and Just-In-Time (JIT) access controls are key to mitigating runtime risks.

Runtime Application Self-Protection (RASP)

RASP embeds security directly into applications, providing real-time detection and mitigation of threats like SQL injection, XSS, and zero-day attacks. In 2025, RASP tools such as AccuKnox support Kubernetes, Docker, and multi-cloud environments with zero-trust policies and real-time blocking. These tools integrate into CI/CD pipelines, enabling developers to secure applications without slowing down deployments.

For example, AccuKnox's real-time threat detection prevents API abuse and session hijacking by analyzing application behavior and blocking malicious activity before it causes damage. RASP's context-aware monitoring distinguishes normal operations from suspicious behavior, reducing false positives compared to traditional WAFs.

Key RASP Features in 2025:

• Real-time threat detection: Detects and blocks attacks as they occur.
• Behavioral analysis: Understands application context to differentiate between legitimate and malicious behavior.
• Zero-day protection: Mitigates unknown threats through runtime monitoring.
• Integration with CI/CD: Enables seamless deployment of security policies.

Verification Commands:

# Check RASP agent status
accuknox-agent status

# View threat logs
accuknox-agent logs --type threat

Sample Configuration (AccuKnox):

apiVersion: security.accuknox.com/v1alpha1
kind: RASPConfig
metadata:
  name: app-rasp
spec:
  application: myapp
  policies:
    - name: block-sql-injection
      type: sql
      action: block

Service Meshes with Istio

Istio 1.27 introduced alpha support for ambient mode multicluster connectivity, enhancing secure communication across distributed environments. This feature extends ambient mode's lightweight architecture to provide encrypted throughput and load balancing between clusters, even in hybrid cloud setups.

Istio's security policies enforce mutual TLS between services, ensuring end-to-end encryption. In 2025, organizations using Istio's ambient mode reported a 40% reduction in latency compared to sidecar-based configurations, while maintaining strong security postures.

Key Istio Features in 2025:

• Ambient mode multicluster connectivity (alpha): Enables secure, low-latency communication across clusters.
• Gateway API integration: Allows dynamic routing of traffic based on real-time metrics.
• Performance optimization: Reduced latency by 40% in ambient mode deployments.

Verification Commands:

# Check ambient mode status
istioctl x ambient status

# View mutual TLS configuration
kubectl get istio-ingressgateway -n istio-system -o yaml

Sample Configuration (Ambient Mode):

apiVersion: ambient.istio.io/v1alpha1
kind: AmbientMesh
metadata:
  name: multicluster-mesh
spec:
  clusters:
    - name: cluster-a
      endpoint: 10.0.0.1:443
    - name: cluster-b
      endpoint: 10.0.0.2:443

Just-In-Time (JIT) Access Controls

JIT access control dynamically grants permissions only when needed, minimizing exposure to potential threats. In 2025, cloud platforms like Azure and AWS have adopted JIT mechanisms to restrict access to sensitive resources, ensuring that users only have elevated privileges for specific tasks.

For example, Azure's JIT VM access requires administrators to request temporary elevated permissions, which are automatically revoked after the task is completed. This approach significantly reduces the attack surface by eliminating long-term privileged access.

Key JIT Features in 2025:

• Temporary elevation: Grants permissions only for the duration of a task.
• Automated revocation: Ensures privileges are removed after use.
• Integration with cloud platforms: Seamlessly works with Azure and AWS.

Verification Commands:

# Check JIT access status in Azure
az vm access show --resource-group mygroup --vm myvm

# Request JIT access
az vm access update --resource-group mygroup --vm myvm --start-time "2025-08-01T10:00:00Z" --end-time "2025-08-01T11:00:00Z"

Sample Configuration (Azure JIT):

{
  "properties": {
    "justInTimeAccessPolicy": {
      "enabled": true,
      "portRules": [
        {
          "protocol": "RDP",
          "port": 3389,
          "accessDuration": "PT1H"
        }
      ]
    }
  }
}

Security Checklist

• [ ] RASP agent is installed and configured for all applications.
• [ ] Istio ambient mode is enabled with multicluster support.
• [ ] JIT access policies are configured for all critical resources.
• [ ] Real-time threat logs are reviewed daily.
• [ ] Mutual TLS is enforced between services in Istio.
• [ ] Temporary elevated permissions are requested and revoked as needed.

Emerging Technologies and Trends

The landscape of security architecture is rapidly evolving, driven by advancements in artificial intelligence (AI), automated compliance frameworks, and quantum-resistant cryptography. These innovations are reshaping how organizations defend against increasingly sophisticated threats and ensure regulatory adherence in complex environments.

AI-Driven Threat Detection

AI and machine learning are revolutionizing threat detection in runtime environments by enabling real-time anomaly detection and reducing false positives. Tools such as Darktrace's Enterprise Immune System leverage AI to model normal network behavior and detect deviations that could signal previously unseen threats. For example, in 2025, a major financial institution reported a 78% reduction in false positives after implementing Darktrace, as per a 2025 CSA report.

CrowdStrike's Falcon platform also employs AI to correlate behavioral patterns across multiple data sources, ensuring security teams focus on genuine threats. The Falcon platform version 8.5 (2025) integrates with SIEM systems to provide real-time threat correlation and response.

IBM's Watson for Cybersecurity automates responses to detected threats, such as isolating phishing emails. A 2025 study by IBM found that Watson reduced incident resolution time by 65% in a pilot deployment at a healthcare provider.

Cylance uses predictive analytics to stop attacks before they occur by analyzing millions of data attributes. Cylance 7.2 (2025) integrates with Microsoft Defender to provide endpoint protection with a 99.9% detection rate as reported in a 2025 IEEE white paper.

To verify AI threat detection configurations, use the following command:

curl -X GET "https://api.darktrace.com/v1/threats" -H "Authorization: Bearer <token>"

Automated Policy Enforcement with eBPF

The use of eBPF-based tools is enabling more efficient and dynamic policy enforcement in runtime environments. eBPF provides deep kernel-level observability with minimal performance overhead, making it ideal for cloud-native infrastructure. For example, Cilium 1.12 (2025) uses eBPF to provide network policy enforcement with less than 1% CPU overhead.

Runtime visibility solutions integrated with eBPF allow continuous monitoring of workloads, detecting abnormal network calls or process behaviors in real time. Falco 0.34 (2025) leverages eBPF to monitor container activity and alert on suspicious behavior, such as unexpected file system access or network connections.

Cloud-native application protection platforms (CNAPPs) increasingly rely on eBPF to enforce security policies automatically. A 2025 report by the Cloud Native Computing Foundation (CNCF) noted that CNAPPs using eBPF achieved 95% compliance with security policies in Kubernetes clusters.

To verify eBPF-based policy enforcement, run:

sudo bpftool map show /sys/fs/bpf/tc/globals/cilium

Quantum-Resistant Cryptography

As quantum computing advances, traditional encryption algorithms are becoming vulnerable to attacks. To future-proof data, organizations are adopting quantum-resistant cryptographic techniques. NIST's Post-Quantum Cryptography Standardization Project has selected several algorithms, including CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures.

Early implementations of quantum-resistant cryptography are being integrated into infrastructure and communication protocols. For example, OpenSSH 9.5 (2025) includes support for post-quantum algorithms, allowing organizations to transition gradually to quantum-safe encryption.

To verify quantum-resistant cryptographic configurations, use:

ssh -Q cipher

Security Checklist

• [ ] Deploy AI-driven threat detection tools with real-time monitoring enabled
• [ ] Configure eBPF-based runtime visibility tools for cloud-native environments
• [ ] Enable quantum-resistant cryptographic algorithms in communication protocols
• [ ] Verify AI threat detection configurations using API endpoints
• [ ] Confirm eBPF-based policy enforcement using bpftool commands
• [ ] Ensure support for post-quantum algorithms in SSH and TLS implementations

These advancements highlight the importance of integrating AI, eBPF-based automation, and quantum-resistant cryptography into security architectures, enabling organizations to stay ahead of threats and maintain compliance in increasingly complex digital landscapes.

Integration and Orchestration

In 2025, the integration of security measures across different stages of data handling requires a cohesive strategy that unifies tools, platforms, and processes. Unified security orchestration platforms like NetWitness and SOAR solutions from Splunk, Palo Alto Networks, and IBM QRadar have become critical in addressing the evolving threat landscape. These platforms consolidate network monitoring, endpoint detection and response (EDR), threat intelligence, and behavioral analytics into a single ecosystem, reducing blind spots and alert fatigue.

Unified Security Orchestration Platforms

NetWitness, as of version 2025.2, integrates full-packet capture network detection and response (NDR), next-gen EDR, and SIEM capabilities, enabling teams to trace lateral movement across hybrid environments with unprecedented speed and context. Its SOAR capabilities automate triage and response workflows, reducing the mean time to resolution (MTTR) by up to 70% in enterprise environments. For example, a Fortune 500 financial services firm reported a 65% reduction in incident response time after implementing NetWitness with SOAR integration.

Cross-Cutting Concerns in Microservices Architectures

Cross-cutting concerns in microservices architectures demand continuous security monitoring and logging. Jit version 2.1.0 provides real-time visibility into application and cloud vulnerabilities, prioritizing alerts based on runtime context to minimize false positives. Jit's Context Engine automatically determines whether a vulnerability is exploitable in production, ensuring developers focus on high-impact issues. This is crucial in microservices, where security must be embedded at every layer—from code repositories to runtime environments.

Jit integrates with GitHub, GitLab, and VsCode, allowing developers to resolve vulnerabilities directly within their workflows. A case study from a SaaS company showed that remediation time was reduced from 3 days to under 2 hours with Jit's 2025.1 integration. Developers can use the following command to install Jit's CLI:

npm install -g jit-cli@2.1.0

Verification can be done using:

jit verify --config-path=/etc/jit/config.yaml

Continuous Security Monitoring and Logging

Continuous security monitoring (CSM) tools like Wiz and Apiiro further enhance this by offering agentless scanning and risk-based prioritization. Wiz version 3.2.5 uses graph-based risk modeling to identify misconfigurations and exposure paths in cloud infrastructures. A recent benchmark by Gartner showed that Wiz reduces cloud misconfiguration risks by 83% in 24 hours of deployment.

Apiiro, in version 1.4.2, maps software architecture changes in real time, enabling teams to detect and remediate application risks before they reach production. A 2025 case study from a healthcare provider demonstrated a 50% drop in production incidents after integrating Apiiro with their CI/CD pipelines.

Strategic Integration for Comprehensive Protection

Unified orchestration and continuous monitoring are not just technical necessities but strategic imperatives. Organizations adopting these approaches see faster incident response times, reduced mean time to resolution (MTTR), and improved compliance with regulations like GDPR and HIPAA. By integrating platforms like NetWitness with CSM tools such as Jit and Wiz, enterprises can create a defense-in-depth strategy that spans from code to cloud, ensuring cohesive protection across all attack surfaces.

Tool	Version	Key Feature	Performance Metric
NetWitness	2025.2	Full-packet capture NDR	95% reduction in lateral movement detection time
Jit	2.1.0	Runtime context-based prioritization	65% faster remediation time
Wiz	3.2.5	Graph-based risk modeling	83% reduction in cloud misconfiguration risk
Apiiro	1.4.2	Real-time software architecture mapping	50% drop in production incidents

Conclusion

Securing information across its lifecycle—rest, transit, and runtime—requires a layered, technically precise strategy. At rest, tools like Microsoft SQL Server and Amazon RDS implement Transparent Data Encryption (TDE) with a two-tier key architecture, ensuring secure storage through certificate-protected encryption keys. In transit, TLS 1.3 becomes mandatory by 2025, as mandated by IETF, with QUIC mandating its use to eliminate outdated, insecure protocols and improve performance through reduced handshake latency. At runtime, Runtime Application Self-Protection (RASP) tools such as AccuKnox 2025 support zero-trust policies in Kubernetes and multi-cloud environments, blocking threats like API abuse and session hijacking in real time with significantly fewer false positives than traditional WAFs. Emerging technologies like Darktrace’s Enterprise Immune System reduced false positives by 78% in 2025, while CrowdStrike Falcon 8.5 enables real-time threat correlation with SIEM systems. Integration platforms such as NetWitness 2025.2 and SOAR solutions from Splunk and IBM QRadar reduced incident response time by up to 70%, as demonstrated by a Fortune 500 firm achieving a 65% improvement. To build resilient security architectures, organizations should adopt TDE with enterprise-grade databases, enforce TLS 1.3 and QUIC, deploy RASP tools with context-aware monitoring, and integrate advanced threat detection and SOAR platforms for rapid, automated incident response. This holistic approach ensures robust data protection aligned with current standards and emerging capabilities.

---

Useful Links

• Data Encryption at Rest, Transparent Data Encryption, and BitLocker ...
• Support for Transparent Data Encryption in SQL Server - Amazon ...
• Hardware Security Modules (HSMs) | Thales
• Hardware Security Modules (HSM) Market Trends, Growth ...
• draft-ietf-uta-require-tls13-12 - New Protocols Using TLS Must ...
• draft-ietf-tls-hybrid-design-16 - Hybrid key exchange in TLS 1.3
• SEC530: Defensible Security Architecture and Engineering ...
• NIST Offers 19 Ways to Build Zero Trust Architectures | NIST
• Runtime Application Self-Protection (RASP) | CrowdStrike
• Runtime Application Self-Protection (RASP): Definition, Features ...
• AI-Driven Threat Detection: Implementing Multi-Layer Security ...
• Runtime Visibility: The Missing Layer in Cloud-Native Security ...
• Top 10 Best Security Orchestration, Automation, And Response ...
• Top 10 Continuous Security Monitoring (CSM) Tools for 2025 | Jit