Data Encryption: The Ultimate Guide

Modern businesses have a wealth of data, from financial information to customer demographics, most of which they wish to keep private. Data encryption allows them, and you, to protect data privacy while keeping it accessible to legitimate users. However, encryption is not infallible. Knowing how data encryption works and what your options are can help you minimize your risks and protect your most valuable assets.

What Is Data Encryption?

Data encryption is a method of protecting data confidentiality by converting it into encoded information, called ciphertext, that can only be decoded with a unique decryption key generated either at the time of encryption or beforehand. Encryption can be applied to data in storage or in transmission, and it is typically used in conjunction with authentication services to ensure that keys are provided to, or used by, authorized users only.

Why is it important?

Data is more accessible and desirable to attackers than ever, increasing the need for protection. Additionally, many businesses face data protection regulation requirements, many of which explicitly require the use of encryption.

Beyond the clear benefits of enhanced security, privacy protection, and prevention of unauthorized access, encryption helps ensure data integrity: it protects content from unwanted modification and can be used to verify the data’s origin and authenticity.

Symmetric vs Asymmetric Encryption

The type of encryption used depends on how data is intended to be accessed and by whom.

Symmetric Encryption (Private Encryption Key)

Symmetric encryption uses a single private key for both encryption and decryption. It is faster than asymmetric encryption and is best suited to individuals or closed systems. Using symmetric methods with multiple users in open systems, such as over a network, requires transmitting the key, which creates an opportunity for theft. The most commonly used symmetric cipher is AES.

Asymmetric Encryption (Public Encryption Key)

Asymmetric encryption uses a pair of public and private keys that are mathematically linked and can only be used together. Either key can be used to encrypt data, but the paired key must be used to decrypt it. Asymmetric encryption is used among multiple users and across open networks such as the Internet, because the public key can be freely shared without risking data theft. The most commonly used types of asymmetric encryption are ElGamal, RSA, DSA, and PKCS.

Data Encryption Types

Examples of Data Encryption Algorithms

There are numerous data encryption algorithms to choose from, depending on the use case, but the ones most frequently used are:

  • Triple DES (3DES or TDES)—runs the DES algorithm, an outdated standard, three times (encrypt, decrypt, encrypt) to obtain a longer effective key length. It can be run with a single key, two keys, or three different keys, with increasing security. 3DES is a block cipher with a short block length, which makes it vulnerable to attacks such as block collisions.
  • RSA—one of the first public-key algorithms, it uses one-way asymmetric encryption. RSA is popular due to its long key length and is used widely throughout the Internet. It is part of many security protocols, such as SSH, OpenPGP, S/MIME, and SSL/TLS, and is used by browsers to create secure connections over insecure networks.
  • Twofish—one of the fastest algorithms, it is available in 128-, 196-, and 256-bit key sizes with a complex key structure for increased security. It is free to use and appears in some of the best free software, such as VeraCrypt, PeaZip, and KeePass, and in the OpenPGP standard.
  • Elliptic Curve Cryptography (ECC)—developed as an improvement upon RSA, it provides better security with significantly shorter key lengths. ECC is an asymmetric method used in the SSL/TLS protocol.
  • The Advanced Encryption Standard (AES)—established as the US government standard for encryption. AES is a symmetric-key block cipher. It is available in 128-, 192-, and 256-bit key sizes, using an increasing number of encryption rounds as the key size grows. It was designed for easy implementation in both hardware and software.
  • Blowfish—a symmetric cipher with a variable key length from 32 to 448 bits. Performance of this algorithm depends on the key length selected. Blowfish is a block cipher, so it divides data into fixed 64-bit blocks when encrypting.
  • Format Preserving Encryption (FPE)—this encryption algorithm also performs anonymization of content. It encrypts the data while retaining its existing format. For example, if a customer ID consists of two letters and ten digits, the encrypted form will have the same number and type of characters, but with the characters changed to protect the original data.
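
To put the ECC entry above, and the earlier claim that encryption can verify a data’s origin and authenticity, into practice, here is an added Go example (not code from the article) that signs a record with a P-256 ECDSA key and verifies it. The function names and the sample record in the accompanying check are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// newSigner generates a P-256 key pair. A 256-bit ECC key provides security in
// the same range as a much longer RSA key, which is why ECC keys are so short.
func newSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signRecord hashes the record with SHA-256 and signs the digest with the
// sender's private key; the signature travels alongside the record.
func signRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRecord returns true only if the signature was produced over exactly
// this record by the private key paired with pub: that establishes both the
// origin of the record and that it was not modified in transit or at rest.
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```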

Data Encryption Standards

Apart from data encryption algorithms, there are also industry standards that govern their usage in organizations. Here are two important standards.

NIST Federal Information Processing Standard (FIPS) 140-2

The FIPS 140-2 standard was developed in accordance with the US Federal Information Security Management Act (FISMA). It is intended for use by the US federal government, and many US government agencies and institutions require FIPS-level encryption. At the same time, FIPS has been voluntarily adopted by many in the private sector as a strong standard for encrypting sensitive data.

Common Criteria (CC) for Information Technology Security Evaluation

CC is not an encryption standard but a set of international guidelines for verifying that a product’s security claims hold up under testing. Originally, encryption was outside the scope of CC, but it is increasingly included in the security requirements that CC evaluations define.

CC guidelines were created to provide vendor-neutral, third-party oversight of security products. Vendors submit products for review on a voluntary basis, and either the whole product or individual functions are examined. When a product is evaluated, its features and capabilities are tested at one of up to seven levels of rigor and compared against a defined set of requirements for its product type.


Encryption of Data In Transit vs. Data At Rest

Data is valuable regardless of whether it is being transferred between users or sitting on a server and must be protected at all times. How that protection is accomplished depends on the state of the data.

Data Encryption in Transit

Data is considered in transit when it is moving between devices, for example within private networks, across the Internet, or from a laptop to a thumb drive. Data is at greater risk during transfer because it may need to be decrypted before transfer and because the transfer method itself has vulnerabilities. Encrypting data during transfer, referred to as end-to-end encryption, ensures that even if the data is intercepted, its privacy is protected.

Data Encryption at Rest

Data is considered at rest when it resides on a storage device and is not actively being used or transferred. Data at rest is often less vulnerable than data in transit, because device security features restrict access, but it is not immune. Additionally, it often contains more valuable information, so it is a more appealing target for thieves.

Encrypting data at rest reduces the opportunities for data theft created by lost or stolen devices, inadvertent password sharing, or accidental permission grants. It increases the time an attacker needs to reach the information, which gives the organization time to discover the data loss, respond to ransomware attacks, erase the data remotely, or change credentials.


Can Encrypted Data be Hacked?

In short, yes – encrypted data can be hacked. There are multiple ways attackers can compromise data encryption systems:

  • Malware on endpoint devices – many endpoint devices have encryption mechanisms such as full disk encryption. Attackers can compromise an endpoint device using malware, and leverage keys on the device to decrypt the data.
  • Brute force attacks – attackers commonly try to break encryption by trying different keys. The chance of success is directly related to the size of the key, which is why most encryption standards specify 256-bit encryption keys. However, some encryption systems use weak ciphers that are vulnerable to brute force attacks.
  • Cryptanalysis – a technique in which attackers find a weakness in the cipher itself and use it to gain access to the data.
  • Side-channel attacks – these exploit errors or weaknesses in the system design that allow an attacker to decrypt data, or prevent it from being encrypted, without breaking the cipher itself.
  • Social engineering attacks – possibly the easiest way to hack encrypted data is to use phishing or other social engineering methods to trick a privileged user into providing the key.
  • Insider threats – a severe threat to encrypted data is the possibility that a privileged individual will turn against the organization and abuse their privileges to steal data. Insider threats also include negligent users who fail to follow security policies.

Despite all these risks, encryption is a strong and effective security measure. But in light of the chances that encryption will be compromised, it must be treated as another layer of protection, and not the only defense organizations use to protect their data.

What is Cloud Based Encryption?

When an organization stores data in the cloud, it can leverage the cloud provider’s ability to encrypt the data. Most cloud service providers offer encryption as a service, either built into cloud services or as a separate offering. Cloud-based encryption is convenient and allows many organizations to meet their compliance obligations in the cloud.

Before using cloud-based encryption, it is critical to determine exactly what the cloud provider offers:

  • The strength of the encryption, and whether it meets the organization’s requirements.
  • Who manages the keys – there are several models, including fully managed encryption keys and client-managed encryption keys.
  • How to set up end-to-end encryption, so that data remains encrypted as it travels from the cloud to end-users and back.

Cloud encryption is a central component of any cloud security strategy. However, organizations should be aware of these important concerns:

  • Cloud encryption can be perceived as complex by end-users, especially when full end-to-end encryption is in place.
  • It can be difficult to integrate cloud encryption with systems running on-premises or on endpoint devices.
  • There is a need to monitor usage of cloud encryption because it is a compute-intensive process. Depending on the price model, it can also result in high cloud costs.
  • Key management must be handled carefully, because if encryption keys are lost the data is useless, and if keys are not properly secured, encryption offers no security benefit.

Key Features of Data Encryption Solutions

Data encryption solutions are products that enable an organization to implement encryption at large scale. They include advanced encryption algorithms, together with management tools that help deploy encryption, manage keys and passwords, set access policies, and monitor how encryption is performed across the organization.

To be useful, data encryption solutions must be easy to use, or even better – completely transparent so they encrypt sensitive data with no human intervention. They must also be highly scalable, to accommodate growing data volumes, and fast, to ensure they have minimal impact on employee productivity.

Here are key features you should look for in a data encryption solution:

  • Strong encryption standards – the industry standard for encryption today is Advanced Encryption Standard (AES) with a 256-bit key.
  • Encryption of data at rest – data at rest can be saved on file servers, databases, employee workstations, and in the cloud. The solution should be able to reach all these data storage locations to encrypt sensitive data.
  • Encryption of data in transit – the solution should be able to encrypt data transmissions using transport layer security (TLS), an encrypted protocol that ensures message authenticity and prevents eavesdropping.
  • Granular controls – the solution should enable selective encryption of the organization’s sensitive data, without forcing encryption of all data stores. For example, it can allow encryption of specific folders, applications, storage devices, or file types.
  • Key management – this is a critical part of encryption management. The solution should make it convenient to generate encryption keys, deliver them to data owners, back them up, and destroy them when access is revoked.
  • Enforcement of policies – solutions must allow the organization to define encryption policies and automatically enforce them. For example, operations like saving a file to removable storage or sending it by email can be blocked until the employee encrypts the file.
  • Always-on encryption – many solutions enable encryption for sensitive files which remains in place wherever they go – whether they are copied, emailed, or modified.

Here are a few trends likely to drive the development of data encryption in the future:

Bring Your Own Encryption (BYOE)

BYOE is a cloud computing security model that allows cloud services customers to manage their own encryption keys using their own encryption software. It is also known as Bring Your Own Key (BYOK). BYOE works by allowing customers to deploy virtualized instances of their own encryption software alongside cloud-hosted business applications.

Encryption as a Service (EaaS)

EaaS is a subscription model in which cloud providers offer encryption on a pay-per-use basis. This approach addresses compliance concerns and provides customers with some capabilities to manage their own encryption, to secure data in multi-tenant environments. These services typically offer full disk encryption (FDE), database encryption, or file encryption.

Cloud Storage Encryption

This is a service in which cloud storage providers use encryption algorithms to protect all data saved to their storage. It is similar to encryption performed on-premises, but with important differences. Cloud customers should take the time to understand the provider’s policies and procedures for encryption and key management, so that the confidentiality of their cloud data matches that of their self-managed encrypted data.

End-to-End encryption (E2EE)

E2EE ensures that an attacker who intercepts a communication channel cannot see the data transmitted between the two endpoints. Using Transport Layer Security (TLS) to create an encrypted channel between web clients and web servers does not by itself guarantee E2EE, because an attacker may be able to access the content before it is encrypted by the client or just after it is decrypted by the server.

Field-level encryption

Field-level encryption is the ability to encrypt data in specific fields on a web page, such as credit card numbers, social security numbers, bank account numbers and health information.

Link-Level Encryption

This method encrypts data as it leaves a host, decrypts it at the next network link (which can be a host or a relay point), and re-encrypts it before sending it on to the next link. Each link can use a different key or a different algorithm, and the process repeats until the data reaches the receiver.

Network-Level Encryption

This method applies cryptographic services at the network forwarding layer (layer 3 in the OSI model), above the data link layer but below the application layer. Layer 3 encryption is achieved through Internet Protocol Security (IPsec). Used in combination with a set of IETF standards, it provides a framework for private communications over IP networks.

6 Benefits of Data Encryption

To summarize our discussion, here are the main business benefits of data encryption:

  1. Promotes data integrity – encryption can prevent accidental or malicious modification of sensitive data.
  2. Supports compliance – encryption is explicitly required by many regulations and industry standards. Having strong encryption in place can help demonstrate to auditors that sensitive data is well protected by the organization.
  3. Protects data in transit – whenever data is transferred between two systems, there are many risks to the integrity and confidentiality of the data, including man-in-the-middle (MitM) attacks. Encryption of data in transit, most commonly implemented by the Transport Layer Security (TLS) protocol, guards against many of these risks.
  4. Protects data in cloud storage – when data is stored in the public cloud, it can be exposed to a much wider range of threats, including accidental exposure to the Internet, access by other cloud tenants, and by malicious insiders at the cloud provider. Encrypting data in cloud storage by default provides a layer of protection against all these threats.
  5. Secures remote work – with the massive growth in remote work, many employees store data outside physical offices, and it is becoming common for workers to access corporate systems from personal devices. Ensuring data is encrypted wherever it is stored can dramatically improve security in these scenarios.
  6. Protects intellectual property – for many organizations, intellectual property is a strategic asset that can be worth millions. By encrypting this data and securely managing encryption keys, an organization can render it useless to an attacker.

Cloudian HyperStore: Secure Mega-Scale Storage with Built-In Encryption

It takes a lot of work to ensure that your data is encrypted and your encryption keys are properly managed. Cloudian HyperStore is an on-premises object storage solution that can help you simplify these processes in your cloud, whether it’s private, public or hybrid.

HyperStore is fully S3 API compliant and includes automatic data verification and encryption. It uses two server-side encryption methods, SSE/SSE-C and Keysecure, and supports the use of third-party key management systems to keep your data safe at rest. HTTPS is used for upload and download requests to keep data protected in transit as well. Encryption can be managed at bucket level down to that of individual objects, allowing you full control.

Cloudian HyperStore can help you store your data securely and efficiently, keeping it accessible to your broader storage systems and secure from breaches.
