SELECTING THE RIGHT ENCRYPTION APPROACH

Vormetric Data Security Products

The Optimal Solution will Vary According to Use Case, Threats Addressed, and Acceptable Deployment Complexity

At the board-room level, data encryption may easily be viewed as a binary matter: data encryption is employed and the company’s assets are secure, or they’re not encrypted and it’s time to panic. However, for the security teams chartered with securing sensitive assets, the realities are not so simple.

When determining which data encryption solution type will best meet your requirements, there are several considerations. At a high level, data encryption types can be broken out by where they’re employed in the technology stack. There are four levels in the technology stack in which data encryption is typically employed: full-disk or media, file system, database, and application.

In general, the lower in the stack that encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats these data encryption approaches can address are also reduced. On the other hand, by employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats.

Figure: Both security and deployment complexity increase when encryption is implemented higher in the stack.

Following are more details on the advantages and disadvantages of encryption at each level in the computing stack. These descriptions can help guide you as you look to select the best encryption approach and product for your specific environments and use cases.

Full-Disk Encryption

When employing full-disk encryption (FDE) or self-encrypting drives (SED), all information is encrypted as it is written to the disk and decrypted as it is read off the disk.

Advantages:

  • Simplest method of deploying encryption.
  • Transparent to applications, databases, and users.
  • High-performance, hardware-based encryption.

Limitations:

  • Addresses a very limited set of threats—protects only from physical loss of storage media.
  • Doesn’t offer any safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers.
  • Meets minimal compliance requirements and doesn’t offer granular access audit logs.

The takeaway:

  • FDE makes sense for laptops, which are highly susceptible to loss or theft. However, these encryption approaches aren’t suitable for the most common risks faced in data center and cloud environments.

File-Level Encryption

File-Level approaches offer security controls by employing software agents that are installed within the operating system. The agents intercept all read and write calls to disks and then apply policies to determine if the data should be encrypted or decrypted. The more mature file-system encryption products offer strong policy-based access controls, including for privileged users and processes, and granular logging capabilities.

Advantages:

  • Transparent to users and applications, meaning organizations don’t have to customize applications, be locked into a storage vendor, or change associated business processes.
  • Supports both structured and unstructured data.
  • Establishes strong controls that guard against abuse by privileged users and that meet common compliance requirements.
  • Offers granular file access logs and SIEM integration that can be used for security intelligence and compliance reporting.

Limitations:

  • Requires deployment with database activity monitoring (DAM) products to protect against a malicious database administrator or SQL injection attack.
  • Agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms.

The takeaway:

  • For many organizations and purposes, file encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.
  • Look for solutions that offer a complementary gateway that can protect data moving to cloud storage.

Database Encryption (TDE)

This approach enables security teams to encrypt a specific subset of data within the database or the entire database file. This category includes solutions from multiple database vendors that are known as transparent data encryption (TDE).

Advantages:

  • Safeguards data in databases, which are critical repositories.
  • Establishes strong safeguards against a range of threats, including malicious insiders—even in some cases a malicious database administrator.

Limitations:

  • Offerings from one database vendor can’t be applied to databases from other vendors.
  • Don’t enable central administration across multiple vendor databases or other areas in the environment.
  • Only encrypt columns or tables of a database, leaving configuration files, system logs, and reports exposed.

The takeaway:

  • While database encryption technologies can meet specific, tactical requirements, they don’t enable organizations to address security across heterogeneous environments. As a result, they can leave organizations with significant security gaps.

Application Encryption

When employing this approach, application logic is added to govern the encryption or tokenization of data from within the application.

Advantages:

  • Secures specific subsets of data, such as fields in a database.
  • Encryption and decryption occur at the application layer, which means data can be encrypted before it is transmitted and stored.
  • Offers the highest level of security, providing protections against malicious DBAs and SQL-injection attacks.
  • Tokenization can also significantly reduce PCI DSS compliance costs and administrative overhead.

Limitations:

  • These approaches need to be integrated with the application, and therefore require development effort and resources.

The takeaway:

  • These approaches may be optimal in cases in which security policies or compliance mandates require specific sets of data to be secured. In addition, variants of application-layer encryption, including tokenization and format-preserving encryption, can help reduce the impact on databases.
  • Look for solutions with well-documented, standards-based APIs and sample code to simplify application development.
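The tokenization variant described above, as an added illustration (constructed example code, not Vormetric's product or API): the application table stores only a format-preserving token that keeps the card number's length, digit-only format and real last four digits, while the mapping back to the primary account number (PAN) lives in a separate vault. A DBA dumping the application table sees values that fit the column but are worthless without the vault; the `TokenVault` class, its in-memory stores and the `store_order` helper are all hypothetical.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Separately controlled store mapping tokens back to PANs (constructed example)."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # HMAC key used only for "have we seen this PAN" lookups
        self._pan_by_token = {}         # token -> PAN (the only place the real PAN lives)
        self._token_by_digest = {}      # HMAC(PAN) -> token, so one PAN always maps to one token

    def _digest(self, pan: str) -> str:
        # Keyed hash lets the vault deduplicate without a plain reversible index of PANs.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, all digits, real last four kept
        so receipts, customer support and joins keep working on tokenized data."""
        if not pan.isdigit() or len(pan) < 13:
            raise ValueError("PAN must be at least 13 digits")
        digest = self._digest(pan)
        if digest in self._token_by_digest:     # consistent tokenization: same PAN, same token
            return self._token_by_digest[digest]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (unlikely) collision with an issued token or with the PAN itself.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_digest[digest] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only services authorized to reach the vault can recover the PAN."""
        return self._pan_by_token[token]


def store_order(app_db: dict, vault: TokenVault, order_id: str, pan: str) -> str:
    """What the application persists in its own database: the token, never the PAN.
    Returns the stored token so callers can confirm nothing sensitive was written."""
    token = vault.tokenize(pan)
    app_db[order_id] = {"pan": token}
    return token


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    app_db = {}                                  # stands in for the application's table
    store_order(app_db, vault, "order-1", "4111111111111111")   # constructed test PAN
    print("DBA view of application table:", app_db)
    print("vault lookup by authorized service:", vault.detokenize(app_db["order-1"]["pan"]))
```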
