Selecting the Right Encryption Approach

The Optimal Solution will Vary According to Use Case, Threats Addressed, and Acceptable Deployment Complexity

At the board-room level, data encryption may easily be viewed as a binary matter: data encryption is employed and the company’s assets are secure, or they’re not encrypted and it’s time to panic. However, for the security teams chartered with securing sensitive assets, the realities are not so simple.

When determining which data encryption solution type will best meet your requirements, there are several considerations. At a high level, data encryption types can be broken out by where they’re employed in the technology stack. There are four levels in the technology stack in which data encryption is typically employed: full-disk or media encryption, file system encryption, database encryption, and application encryption.

In general, the lower in the stack that encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats these data encryption approaches can address are also reduced. On the other hand, by employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats.

Security and deployment complexity increases when implemented higher in the stack

Full-Disk Encryption
File-Level Encryption
DB Encryption (TDE)
App Encryption
Resources

Full-disk encryption (FDE) and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off the disk.

FDE/SED Advantages:

Simplest method of deploying encryption
Transparent to applications, databases, and users.
High-performance, hardware-based encryption

FDE/SED Limitations:

Addresses a very limited set of threats—protects only from physical loss of storage media.
Lacks safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers
Meets minimal compliance requirements
Doesn’t offer granular access audit logs

Key takeaways:

Mainstream cloud providers offer the functional equivalent of FDE with its attendant limitations listed above
FDE makes sense for laptops, which are highly susceptible to loss or theft. But FDE isn’t suitable for the most common risks faced in data center and cloud environments

Learn More:

Analyst Resources:

Relevant Thales eSecurity solutions:

You can use Vormetric Key Management to manage encryption keys for on-premises FDE storage
To enhance compliance with organizational and industry mandates around encryption key management, users of cloud provider encryption (essentially equal to FDE) can use either the CipherTrust Cloud Key Manager or nShield Bring Your Own Key to take control of data encryption keys from cloud providers.

Encrypting data at the file or volume (typically used for databases) level offers security controls with software agents installed in the operating system. Agents intercept disk reads and writes and apply policies to determine if the data should be encrypted or decrypted. Mature file-system encryption products offer strong policy-based access controls, including for privileged users and processes, and granular logging capabilities.

File-Level Encryption Advantages:

Transparent to users and applications, meaning organizations don’t have to customize applications or change associated business processes
Supports both structured and unstructured data
Establishes strong controls that guard against abuse by privileged users and that meet common compliance requirements
Offers granular file access logs and SIEM integration that can be used for security intelligence and compliance reporting

File-Level Encryption Limitations:

Encryption agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms

Key takeaways:

For many organizations and purposes, file encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.

Relevant Thales eSecurity solutions and capabilities:

Vormetric Transparent Encryption offers encryption of structured and unstructured files along with strong privileged user access controls.
Vormetric Security Intelligence offers robust capabilities for leveraging granular security logs.

Other considerations:

File-level encryption can protect any database that is in a file on a supported operating system. This is common in Microsoft Windows SQL Server for smaller databases. Volume-level encryption can provide encryption for very large databases. Database protection is typically multi-layered. A good security practice beyond database encryption is a database activity monitoring (DAM) product to protect against such threats as malicious database administrator or compromised DBA credentials, or SQL injection attack.

This approach enables security teams to encrypt a specific subset of data within the database or the entire database file. This category includes solutions from multiple database vendors that are known as transparent data encryption (TDE).

Advantages:

Safeguards data in databases, which are critical repositories.
Establishes strong safeguards against a range of threats, including malicious insiders—even in some cases a malicious database administrator.

Limitations:

Offerings from one database vendor can’t be applied to databases from other vendors.
Doesn’t enable central administration across multiple vendor databases or other areas in environment.
Only encrypts columns or tables of a database, leaving configuration files, system logs, and reports exposed.

The takeaway:

While database encryption technologies can meet specific, tactical requirements, they don’t enable organizations to address security across heterogeneous environments. As a result, they can leave organizations with significant security gaps.

Learn more:

Relevant Thales eSecurity solutions:
- Vormetric Data Security Platform offers several database security solutions.
- Vormetric Key Management can be used to manage TDE cryptographic keys.

When employing this approach, application logic is added to govern the encryption or tokenization, of data from within the application.

Advantages:

Secures specific subsets of data, such as fields in a database.
Encryption and decryption occur at the application layer, which means data can be encrypted before it is transmitted and stored.
Offers highest level of security, providing protections against malicious DBAs and SQL-injection attacks.
Tokenization can also significantly reduce PCI DSS compliance costs and administrative overhead.

Limitations:

These approaches need to be integrated with the application, and therefore require development effort and resources.

The takeaway:

These approaches may be optimal in cases in which security policies or compliance mandates require specific sets of data to be secured. In addition, variants of application-layer encryption, including tokenization and format-preserving encryption, can help reduce the impact on databases.
Look for solutions with well-documented, standards-based APIs and sample code to simplify application development.

Learn more:

Relevant Thales eSecurity solutions:
- Vormetric Application Encryption simplifies the process of adding encryption into existing applications.
- Vormetric Tokenization simplifies the process of adding tokenization and dynamic data masking into existing applications.

Application Encryption

White Paper : The Enterprise Encryption Blueprint

Download this white paper to be set in the right direction to discover, define and deploy the enterprise data encryption strategy that is best for your organization.

Download

White Paper : Selecting Encryption for “Data-At-Rest” In Back-End Systems: What Risks Are You Trying To Address

"By Derek E.Brink, CISSP, Vice President and Research Fellow, IT Security and IT GRC. This report will provide you with explanations and actionable information that will help you secure your most crucial asset, your data."

Download

Vormetric Encryption delivers what we need it to do – without any fuss or drama – knowing it’s in place is one less thing to worry about. Albert AvilaBusiness Solutions Specialist, Fujitsu America, Inc.

Thales eSecurity is our standard. Whenever an encryption solution is needed, the answer is always, ‘let’s start with Thales eSecurity. Damian McDonaldVice President of Global Information Security, Becton, Dickinson and Company

There is absolutely no noticeable impact on the performance or usability of applications. I am very excited at how easy the solution is to deploy and it has always performed flawlessly. Christian MuusDirector of Security for Teleperformance EMEA

Implementing Vormetric has given our own clients an added level of confidence in the relationship they have with us; they know we’re serious about taking care of their data. Audley Deansenior director of Information Security,
BMC Software

Vormetric’s approach of coupling access control with encryption is a very powerful combination. We use it to demonstrate to clients our commitment to preserving the security and integrity of their test cases, data and designs. David VargasInformation Security Architect
Cadence Design Systems

My concern with encryption was the overhead on user and application performance. With Thales eSecurity, people have no idea it’s even running. Karl MudraCIO
Delta Dental of Missouri

The Vormetric solution not only solved all of our encryption needs but alleviated any fears of the complexity and overhead of managing the environment once it was in place. Joseph Johnson,chief information security officer CHS

As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Thales HSMs to provide robust security, unmatched performance and superior scalability across… Joe Majka,Chief Security Officer

play