Selecting the Right Encryption Approach

Both, Full-disk encryption (FDE) and self-encrypting drives (SED) are data encryption types that encrypt data as it is written to the disk and decrypt data as it is read off the disk.

FDE/SED Advantages:

• Simplest method of deploying encryption
• Transparent to applications, databases, and users.
• High-performance, hardware-based encryption

FDE/SED Limitations:

• Addresses a very limited set of threats—protects only from physical loss of storage media.
• Lacks safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers
• Meets minimal compliance requirements
• Doesn’t offer granular access audit logs

Key takeaways:

• Mainstream cloud providers offer the functional equivalent of FDE with its attendant limitations listed above
• FDE makes sense for laptops, which are highly susceptible to loss or theft. But FDE isn’t suitable for the most common risks faced in data center and cloud environments

Learn More:

• Analyst Resources:
  • Aberdeen short video: Selecting Encryption for “Data at Rest” in Back-End Systems
  • Aberdeen webinar: The Right Tools for the Job Encryption for Data at Rest in Back-End Systems

Relevant Thales eSecurity solutions:

• Vormetric Enterprise Key Management acts as a KMIP Server to centralize the management of encryption keys for on-premises FDE storage
• CipherTrust Cloud Key Manager brings operational efficiency to multicloud BYOK Life Cycle Management and streamlines compliance through centralized reporting

File-Level encryption approaches offer security controls by employing software agents that are installed within the operating system. The agents intercept all read and write calls to disks and then apply policies to determine if the data should be encrypted or decrypted. The more mature file-level encryption products also offer strong policy-based access controls for users and privileged users and file access logging with easy SIEM integration.

File-Level Encryption Advantages:

• File-level encryption is transparent to users and applications, meaning organizations don’t have to customize applications or change associated business processes
• File-level encryption supports both structured and unstructured data.
• File-level encryption establishes strong controls that guard against abuse by privileged users
• File-level encryption offers granular file access monitoring logs and SIEM integration that can be used for security intelligence to accelerate breach detection and compliance reporting

File-Level Encryption Limitations:

• Encryption agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms

Key takeaways:

• For many organizations file-level encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.

Relevant Thales eSecurity solutions and capabilities:

• Vormetric Transparent Encryption offers encryption of structured and unstructured files along with strong privileged user access controls.
• Vormetric Security Intelligence logs delivers granular file access monitoring and easy integration with leading SIEMs.

Transparent Data Encryption (TDE) is encryption that is native to common database vendors such as Microsoft and Oracle.

Advantages:

• Safeguards sensitive data in databases
• Establishes safeguards against a range of threats, including malicious insiders

Limitations:

• Offerings from one database vendor can’t be applied to databases from other vendors increasing training and operational costs
• Doesn’t support central administration across multiple vendor databases
• Older database versions may not support TDE, creating exposure
• Only encrypts columns or tables of a database, leaving configuration files, system logs, and reports vulnerable

The takeaway:

• While database encryption technologies can meet specific, tactical requirements, they don’t enable organizations to address security across heterogeneous environments or protect data residing outside of the databases. As a result, they can leave organizations with significant security gaps.

Relevant Thales eSecurity solutions:

• Vormetric Data Security Platform offers several database security solutions.
• Vormetric Enterprise Key Management can be used to centralize the management of TDE cryptographic keys.

Application-layer Encryption is a suite of products that expose APIs to streamline adding strong encryption, tokenization, masking and other cryptographic capabilities to existing applications.

Advantages:

• Developers don’t need to develop cryptography skills. They use published APIs for crypto functions and FIPS 140-2 key management
• Secures targeted subsets of data, such as sensitive fields in a database
• Encryption and decryption occur at the application-layer, which means data is encrypted before it is transmitted and stored
• Offers highest level of security, providing protections against malicious DBAs and SQL-injection attacks
• Tokenization can also significantly reduce PCI DSS compliance costs and administrative overhead

Limitations:

• These approaches need to be integrated with the application, and therefore require development effort and resources

The takeaway:

• These approaches may be optimal in cases in which security policies or compliance mandates require specific sets of data to be secured.
• Application-layer encryption, including tokenization and format-preserving encryption maintain data formats avoiding database schema changes
• Look for solutions with well-documented, standards-based APIs and sample code to simplify application development
• Expect FIPS 140-2 key management to ensure compliance and strong security

Relevant Thales eSecurity solutions:

• Vormetric Application Encryption simplifies the process of adding encryption and format preserving encryption, as well as other cryptographic functions, to existing applications
• Vormetric Tokenization simplifies the process of adding tokenization and dynamic data masking, as well as other cryptographic functions, to existing applications.
• Vormetric Batch Data Transformation is a tool that quickly encrypts or tokenizes large data sets quickly to accelerate data security deployments and for static data masking.