Selecting the Right Encryption Approach

Selecting the Right Encryption Approach

The Optimal Data Encryption Solution will Vary According to Use Case, Threats Addressed, and Acceptable Deployment Complexity

At the board-room level, data encryption may easily be viewed as a binary matter: data encryption is employed and the company’s assets are secure, or they’re not encrypted and it’s time to panic. However, for the security teams chartered with securing sensitive assets, the realities are not so simple.

When determining which data encryption solution type will best meet your requirements, there are several considerations. At a high level, data encryption types can be broken out by where they’re employed in the technology stack. There are four levels in the technology stack in which data encryption is typically employed:

  • full-disk encryption or media
  • file system level encryption
  • database level encryption
  • application level encryption

In general, the lower in the stack that encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats these data encryption approaches can address are also reduced. On the other hand, by employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats.

Selecting the Right Encryption Approach

Security and deployment complexity increases when data encryption is implemented higher in the stack

Both, Full-disk encryption (FDE) and self-encrypting drives (SED) are data encryption types that encrypt data as it is written to the disk and decrypt data as it is read off the disk.

FDE/SED Advantages:
  • Simplest method of deploying encryption
  • Transparent to applications, databases, and users.
  • High-performance, hardware-based encryption
FDE/SED Limitations:
  • Addresses a very limited set of threats—protects only from physical loss of storage media.
  • Lacks safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers
  • Meets minimal compliance requirements
  • Doesn’t offer granular access audit logs
Key takeaways:
  • Mainstream cloud providers offer the functional equivalent of FDE with its attendant limitations listed above
  • FDE makes sense for laptops, which are highly susceptible to loss or theft. But FDE isn’t suitable for the most common risks faced in data center and cloud environments
Learn More:
  • Analyst Resources:
    • Aberdeen short video: Selecting Encryption for “Data at Rest” in Back-End Systems
    • Aberdeen webinar: The Right Tools for the Job Encryption for Data at Rest in Back-End Systems
Relevant Thales eSecurity solutions:

File-Level encryption approaches offer security controls by employing software agents that are installed within the operating system. The agents intercept all read and write calls to disks and then apply policies to determine if the data should be encrypted or decrypted. The more mature file-level encryption products also offer strong policy-based access controls for users and privileged users and file access logging with easy SIEM integration.

File-Level Encryption Advantages:
  • File-level encryption is transparent to users and applications, meaning organizations don’t have to customize applications or change associated business processes
  • File-level encryption supports both structured and unstructured data.
  • File-level encryption establishes strong controls that guard against abuse by privileged users
  • File-level encryption offers granular file access monitoring logs and SIEM integration that can be used for security intelligence to accelerate breach detection and compliance reporting
File-Level Encryption Limitations:
  • Encryption agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms
Key takeaways:
  • For many organizations file-level encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.
Relevant Thales eSecurity solutions and capabilities:

Transparent Data Encryption (TDE) is encryption that is native to common database vendors such as Microsoft and Oracle.

  • Safeguards sensitive data in databases
  • Establishes safeguards against a range of threats, including malicious insiders
  • Offerings from one database vendor can’t be applied to databases from other vendors increasing training and operational costs
  • Doesn’t support central administration across multiple vendor databases
  • Older database versions may not support TDE, creating exposure
  • Only encrypts columns or tables of a database, leaving configuration files, system logs, and reports vulnerable
The takeaway:
  • While database encryption technologies can meet specific, tactical requirements, they don’t enable organizations to address security across heterogeneous environments or protect data residing outside of the databases. As a result, they can leave organizations with significant security gaps.
Relevant Thales eSecurity solutions:

Application-layer Encryption is a suite of products that expose APIs to streamline adding strong encryption, tokenization, masking and other cryptographic capabilities to existing applications.

  • Developers don’t need to develop cryptography skills. They use published APIs for crypto functions and FIPS 140-2 key management
  • Secures targeted subsets of data, such as sensitive fields in a database
  • Encryption and decryption occur at the application-layer, which means data is encrypted before it is transmitted and stored
  • Offers highest level of security, providing protections against malicious DBAs and SQL-injection attacks
  • Tokenization can also significantly reduce PCI DSS compliance costs and administrative overhead
  • These approaches need to be integrated with the application, and therefore require development effort and resources
The takeaway:
  • These approaches may be optimal in cases in which security policies or compliance mandates require specific sets of data to be secured.
  • Application-layer encryption, including tokenization and format-preserving encryption maintain data formats avoiding database schema changes
  • Look for solutions with well-documented, standards-based APIs and sample code to simplify application development
  • Expect FIPS 140-2 key management to ensure compliance and strong security
Relevant Thales eSecurity solutions:
  • Vormetric Application Encryption simplifies the process of adding encryption and format preserving encryption, as well as other cryptographic functions, to existing applications
  • Vormetric Tokenization simplifies the process of adding tokenization and dynamic data masking, as well as other cryptographic functions, to existing applications.
  • Vormetric Batch Data Transformation is a tool that quickly encrypts or tokenizes large data sets quickly to accelerate data security deployments and for static data masking.

Application Encryption

White Paper : A common platform for database encryption: lower cost, reduced risk

Most enterprises rely on a diverse database infrastructure to meet specific business objectives, but this complexity increases risk and costs. With databases housing our most sensitive and highly regulated information, organizations need better database security strategies.


White Paper : The Enterprise Encryption Blueprint

Download this white paper to be set in the right direction to discover, define and deploy the enterprise data encryption strategy that is best for your organization.


White Paper : Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers and Applications by Securosis

This paper cuts through the confusion to help you pick the best encryption and tokenization options for your projects. The focus is on encrypting in the data center and IaaS: applications, servers, databases, and storage.

Visionner notre démo interactive Explorer
Programmer une démo en direct Programmer
Entrer en contact avec un spécialiste Nous contacter