Data Encryption: The Ultimate Guide


What Is Data Encryption?

Data encryption is a security method that translates data into a code, or ciphertext, that can only be read by people with access to a secret key or password. The unencrypted data is called plaintext. The science of encrypting and decrypting information is known as cryptography.

Data encryption protects data from being stolen, changed, or compromised. However, to ensure data remains protected, the decryption key must be kept secret and protected against unauthorized access. All data can be encrypted, including data at rest (stored in a fixed location such as a hard drive) or data in transit (for example, being transferred over a network).

There are two types of encryption in widespread use today:

  • Symmetric encryption uses the same key for encryption and decryption.
  • Asymmetric encryption has a private key held by the owner of the data, and a public key granted to the recipient of the data.

Asymmetric encryption is considered more secure, because it does not require sharing the private key. This is part of our series of articles about data storage.

Note: This article is part of a series on Data Protection.

Why Is Data Encryption Important? Key Benefits

Data is more accessible and desirable to attackers than ever, increasing the need for protection. Additionally, many businesses face data protection regulation requirements, many of which explicitly require the use of encryption.

Promotes Data Integrity and Prevents Data Theft

Data encryption protects data from being stolen, changed, or compromised. One of the key benefits of data encryption is that it helps ensure the authenticity of the data. By encrypting data, you can be confident that the information you are accessing has not been tampered with or altered by unauthorized parties. Data encryption also helps prevent data corruption, which can occur when data is stored or transmitted through various systems. By encrypting data, you are adding an additional layer of protection that prevents unintentional or malicious data corruption.

Supports Compliance

Many industries are subject to strict regulations regarding the protection of sensitive data. For example, the healthcare industry must adhere to the Health Insurance Portability and Accountability Act (HIPAA) while financial institutions must comply with the Payment Card Industry Data Security Standard (PCI DSS). By implementing data encryption, businesses can ensure that they are meeting these regulatory requirements and avoiding potential fines or penalties for non-compliance.

Protects Data at Rest

When data is stored on a fixed location, such as a device, server, or database, it’s referred to as “data at rest.” Unauthorized individuals could physically or remotely gain access and retrieve the stored data. By encrypting data at rest, even if malicious actors obtain the storage medium, they won’t be able to interpret the data without the correct decryption key. Encryption at rest helps ensure that personal data, confidential corporate information, and other sensitive records remain inaccessible and useless to those without authorization.

Protects Data in Transit

When data is transferred between systems or devices, for example, over a network, it is particularly vulnerable to unauthorized access and tampering. Data encryption helps protect data in transit by ensuring that only authorized parties with the correct decryption keys can access the information. As more employees use mobile devices to access company data, the risk of data breaches increases. Data encryption can help protect the sensitive information stored on these devices, as well as the data transmitted between mobile devices and company networks.

Protects Data in Cloud Storage

While cloud storage offers numerous benefits, such as increased accessibility and reduced infrastructure costs, it also presents unique security challenges. One of the primary concerns for businesses using cloud storage is the security of their data at rest, or the data stored on cloud servers. Data encryption provides an additional layer of protection for this data, ensuring that even if unauthorized parties gain access to the cloud servers, they will be unable to access the encrypted data without the proper decryption keys.

Securing Remote Work

Remote work has become increasingly common. With more employees working from home or other remote locations, the risk of data breaches and other security incidents has increased. Data encryption can help protect sensitive information accessed by remote employees, ensuring that even if their devices or connections are compromised, the encrypted data remains secure.

Protects Intellectual Property

Intellectual property, such as trade secrets, proprietary algorithms, and product designs, is often the lifeblood of a business. Protecting this valuable information is essential to maintaining a competitive edge and preventing corporate espionage. Data encryption can help safeguard intellectual property by ensuring that even if an unauthorized party gains access to the data, they will be unable to decipher the encrypted information.


Symmetric vs Asymmetric Encryption

There are two types of encryption in widespread use today:

Symmetric Encryption (Private Encryption Key)

Symmetric encryption uses a single secret key for both encryption and decryption. It is faster than asymmetric encryption and is best suited to individuals or closed systems, because it is considered less secure: using symmetric methods with multiple users in open systems, such as over a network, requires transmitting the key, which creates an opportunity for theft. The most commonly used symmetric algorithm is AES.

Asymmetric Encryption (Public Encryption Key)

Asymmetric encryption uses two different keys for encryption and decryption: a public key and a private key that are mathematically linked and can only be used together. Either key can be used to encrypt data, but the paired key must be used to decrypt it. Asymmetric encryption is used between many users and across open networks such as the Internet, because the public key can be freely shared without risking data theft. The most commonly used asymmetric algorithms are RSA, DSA, and ECC.
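The two approaches are normally combined in practice: the bulk data is encrypted with a fast symmetric cipher under a random key, and only that key is encrypted with the recipient's public key, so no secret has to be shared in advance. The following Go program is an added example (not code from the original article or from Cloudian) showing that pattern with the standard library: AES-256-GCM for the data and RSA-OAEP for the key. It also backs up the integrity claim made earlier in the article: because GCM is an authenticated mode, flipping a single ciphertext bit makes decryption fail, which plain AES-CBC or AES-CTR without a separate MAC would not detect. The function names (`sealEnvelope`, `openEnvelope`, `tamperDetected`) and the sample record are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what reaches the recipient: the payload under a fresh AES key,
// and that key under the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// newRecipientKey generates the recipient's key pair; only the public half is shared.
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// symmetricEncrypt uses AES-256-GCM. The tag GCM appends lets the receiver
// detect any change to the ciphertext; CBC or CTR alone cannot do that.
func symmetricEncrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// symmetricDecrypt fails if the key is wrong or the ciphertext was modified.
func symmetricDecrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// sealEnvelope is the hybrid step: fast symmetric encryption for the data,
// slow asymmetric encryption for the 32-byte key only.
func sealEnvelope(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	nonce, ct, err := symmetricEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// openEnvelope runs on the recipient side, the only place the private key exists.
func openEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	return symmetricDecrypt(key, env.Nonce, env.Ciphertext)
}

// tamperDetected flips one ciphertext bit and reports whether decryption rejects it.
func tamperDetected(priv *rsa.PrivateKey, env *Envelope) bool {
	forged := *env
	forged.Ciphertext = append([]byte(nil), env.Ciphertext...)
	forged.Ciphertext[0] ^= 0x01
	_, err := openEnvelope(priv, &forged)
	return err != nil
}

func main() {
	priv, err := newRecipientKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("customer 4711: card ending 1234") // constructed sample record
	env, err := sealEnvelope(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := openEnvelope(priv, env)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(got, msg), err)
	fmt.Printf("tampering detected: %v\n", tamperDetected(priv, env))
}
```

The nonce must never repeat under the same AES key, which is why a fresh random key is generated per envelope here; reusing a key across many messages would call for a counter-based nonce scheme instead.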


Data Encryption Types

Examples of Symmetric Data Encryption Algorithms

  • Triple DES (3DES or TDES)—runs the DES algorithm, an outdated standard, three times (encrypting, decrypting, and encrypting again) to obtain a longer effective key length. It can be run with a single key, two keys, or three different keys, with increasing security. 3DES is a block cipher, making it vulnerable to attacks such as block collision.
  • Twofish—one of the fastest algorithms, it is available in 128-, 192-, and 256-bit key sizes with a complex key structure for increased security. It is free to use and appears in some of the best free software, such as VeraCrypt, PeaZip, and KeePass, and in the OpenPGP standard.
  • The Advanced Encryption Standard (AES)—established as the US government standard for encryption. AES is a symmetric-key block cipher, available with 128-, 192-, and 256-bit keys, using an increasing number of encryption rounds as the key size grows. It was built for easy implementation in both hardware and software.
  • Blowfish—a symmetric cipher with a variable key length from 32 to 448 bits. Its performance depends on the key length selected. Blowfish is a block cipher, so it divides data into fixed 64-bit blocks when encrypting.
  • Format Preserving Encryption (FPE)—this form of encryption also serves to anonymize content. It encrypts data while retaining its existing format. For example, if a customer ID consists of two letters and ten digits, the encrypted form will have the same number and type of characters, but with different values, protecting the original data.

Examples of Asymmetric Data Encryption Algorithms

  • Diffie-Hellman Key Exchange—a method that allows two parties, each with a public and private key, to establish a shared secret key over an insecure channel. Its security relies on the difficulty of the discrete logarithm problem. It was one of the first public key cryptography algorithms.
  • Digital Signature Algorithm (DSA)—an asymmetric algorithm used for creating and verifying digital signatures rather than for encrypting data. With DSA, the owner of the private key can generate a signature for a message. Anyone with access to the public key can then verify the signature, confirming the message's authenticity and that it has not been tampered with.
  • RSA—one of the first public-key algorithms, it uses one-way asymmetric encryption. RSA is popular due to its long key length and is used widely throughout the Internet. It is part of many security protocols, such as SSH, OpenPGP, S/MIME, and SSL/TLS, and is used by browsers to create secure connections over insecure networks.
  • Elliptic Curve Cryptography (ECC)—developed as an improvement upon RSA, it provides better security with significantly shorter key lengths. ECC is an asymmetric method used in the SSL/TLS protocol.
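The Diffie-Hellman and DSA entries above describe two different uses of a key pair: agreeing on a secret without transmitting it, and signing a message so anyone with the public key can check it. The Go program below is an added example (not from the original article or from Cloudian) that demonstrates both on the P-256 elliptic curve, i.e. the ECC variants ECDH and ECDSA, using only the standard library (`crypto/ecdh` requires Go 1.20 or later). Alice and Bob derive identical secrets from each other's public keys while a third party holding only the public keys gets something different; separately, a signature verifies for the original message and fails for a modified one. The `Party` type, its methods and the helper names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds one side's ECDH key pair. Only the public key ever leaves the party.
type Party struct {
	name string
	priv *ecdh.PrivateKey
}

func newParty(name string) (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{name: name, priv: priv}, nil
}

// Public returns the bytes this party sends over the insecure channel.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// SharedSecret combines our private key with the peer's public key. Both sides
// reach the same curve point, so each can derive the same AES key locally.
func (p *Party) SharedSecret(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	raw, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	// Hash the raw shared point so the result is uniform and usable as a 256-bit key.
	key := sha256.Sum256(raw)
	return key[:], nil
}

// newSigningKey generates an ECDSA key pair: private half signs, public half verifies.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signMessage signs the SHA-256 digest of msg with the private key.
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyMessage checks the signature with the public key; any change to msg fails it.
func verifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := newParty("alice")
	bob, _ := newParty("bob")
	eve, _ := newParty("eve") // observer who only sees the public keys
	a, _ := alice.SharedSecret(bob.Public())
	b, _ := bob.SharedSecret(alice.Public())
	e, _ := eve.SharedSecret(alice.Public())
	fmt.Printf("alice == bob: %v, eve == alice: %v\n", bytes.Equal(a, b), bytes.Equal(e, a))

	signer, _ := newSigningKey()
	msg := []byte("transfer 10 units to account 42") // constructed sample message
	sig, _ := signMessage(signer, msg)
	fmt.Printf("original verifies: %v\n", verifyMessage(&signer.PublicKey, msg, sig))
	fmt.Printf("altered verifies:  %v\n", verifyMessage(&signer.PublicKey, []byte("transfer 1000 units to account 42"), sig))
}
```

The shared secret is hashed before use because the raw ECDH output is a curve coordinate, not a uniformly random string; in a real protocol a key derivation function that also binds the transcript (as TLS does) would replace the bare hash.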


Data Encryption Standards

Apart from data encryption algorithms, there are also industry standards that govern their usage in organizations. Here are two important standards.

NIST Federal Information Processing Standard (FIPS) 140-2

FIPS 140-2 was developed in accordance with the US Federal Information Security Management Act (FISMA). It is intended for use by the US federal government, and many US government agencies and institutions require FIPS-level encryption. At the same time, FIPS has been voluntarily adopted by many in the private sector as a strong standard for encrypting sensitive data.

Common Criteria (CC) for Information Technology Security Evaluation

CC is not an encryption standard but a set of international guidelines for verifying that a product's security claims hold up under testing. Originally, encryption was outside the scope of CC, but it is increasingly being included in the security standards defined within the program.

CC guidelines were created to provide vendor-neutral, third-party oversight of security products. Vendors submit products for review on a voluntary basis, and either the whole product or individual functions are examined. When a product is evaluated, its features and capabilities are tested at one of up to seven levels of rigor and compared to a defined set of standards for its product type.


Encryption of Data In Transit vs. Data At Rest

Data is valuable regardless of whether it is being transferred between users or sitting on a server and must be protected at all times. How that protection is accomplished depends on the state of the data.

Data Encryption in Transit

Data is considered in transit when it is moving between devices, such as within private networks, across the Internet, or from a laptop to a thumb drive. Data is at greater risk during transfer because it must be decrypted before transfer and because the transfer method itself has vulnerabilities. Encrypting data during transfer, referred to as end-to-end encryption, ensures that even if the data is intercepted, its privacy is protected.

Data Encryption at Rest

Data is considered at rest when it resides on a storage device and is not actively being used or transferred. Data at rest is often less vulnerable than data in transit, because device security features restrict access, but it is not immune. Additionally, it often contains more valuable information, making it a more appealing target for thieves. Encrypting data at rest reduces the opportunities for data theft created by lost or stolen devices, inadvertent password sharing, or accidental permission granting: it increases the time required to access the information, which buys time to discover the data loss, respond to ransomware attacks, remotely erase the data, or change credentials.


Can Encrypted Data be Hacked?

In short, yes – encrypted data can be hacked. There are multiple ways attackers can compromise data encryption systems:

  • Accidental exposure – the decryption key is secret and must be protected against unauthorized access. If users accidentally expose the key, or fail to protect it properly, attackers can gain access to protected data.
  • Malware on endpoint devices – many endpoint devices have encryption mechanisms such as full disk encryption. Attackers can compromise an endpoint device using malware, and leverage keys on the device to decrypt the data.
  • Brute force attacks – attackers commonly try to break encryption by trying many different keys until one works. The chances of success are directly related to the size of the key. This is why most encryption standards specify the use of 256-bit encryption keys. However, some encryption systems use weak ciphers that are vulnerable to brute force attacks.
  • Cryptanalysis – this is a technique in which attackers find a weakness in the cipher itself and use it to gain access to data.
  • Side-channel attacks – these look for errors or weaknesses in the system design that allow an attacker to decrypt data, or prevent it from being encrypted, without breaking the cipher itself.
  • Social engineering attacks – possibly the easiest way to hack encrypted data is to use phishing or other social engineering methods to trick a privileged user into providing the key.
  • Insider threats – a severe threat to encrypted data is the possibility that a privileged individual will turn against the organization and abuse their privileges to steal data. Insider threats also include negligent users who fail to follow security policies.

Despite all these risks, encryption is a strong and effective security measure. But in light of the chances that encryption will be compromised, it must be treated as another layer of protection, and not the only defense organizations use to protect their data.


What is Cloud Based Encryption?

When an organization stores data in the cloud, it can leverage the cloud provider’s ability to encrypt the data. Most cloud service providers offer encryption as a service, either built into cloud services or as a separate offering.

Before using cloud-based encryption, it is critical to determine exactly what the cloud provider offers:

  • What the strength of the encryption is, and whether it meets the organization’s requirements.
  • Who manages keys – there are several models including fully managed encryption keys and client-managed encryption keys.
  • How to set up end-to-end encryption to ensure that data remains encrypted as it travels from the cloud to end-users and back.

Cloud encryption is a central component of any cloud security strategy. However, organizations should be aware of these important concerns:

  • End-users can find cloud encryption complex, especially when full end-to-end encryption is in place.
  • It can be difficult to integrate cloud encryption with systems running on-premises or on endpoint devices.
  • Usage of cloud encryption needs to be monitored because it is a compute-intensive process. Depending on the pricing model, it can also result in high cloud costs.
  • Key management must be handled carefully, because if encryption keys are lost the data is useless, and if keys are not properly secured, encryption offers no security benefit.


Key Features of Data Encryption Solutions

Data encryption solutions enable an organization to implement encryption at scale. They include advanced encryption algorithms, together with management tools that help deploy encryption, manage keys and passwords, set access policies, and monitor how encryption is performed across the organization.

To be useful, data encryption solutions must be easy to use, or even better – completely transparent so they encrypt sensitive data with no human intervention. They must also be highly scalable, to accommodate growing data volumes, and fast, to ensure they have minimal impact on employee productivity.

Here are key features you should look for in a data encryption solution:

  • Strong encryption standards – the industry standard for encryption today is Advanced Encryption Standard (AES) with a 256-bit key.
  • Encryption of data at rest – data at rest can be saved on file servers, databases, employee workstations, and in the cloud. The solution should be able to reach all these data storage locations to encrypt sensitive data.
  • Encryption of data in transit – the solution should be able to encrypt data transmissions using Transport Layer Security (TLS), an encrypted protocol that ensures message authenticity and prevents eavesdropping.
  • Granular controls – the solution should enable selective encryption of the organization’s sensitive data, without forcing encryption of all data stores. For example, it can allow encryption of specific folders, applications, storage devices, or file types.
  • Key management – this is a critical part of encryption management. The solution should make it convenient to generate encryption keys, deliver them to data owners, back them up, and destroy them when access is revoked.
  • Enforcement of policies – solutions must allow the organization to define encryption policies and automatically enforce them. For example, operations like saving a file to removable storage or sending it by email can be blocked until the employee encrypts the file.
  • Always-on encryption – many solutions enable encryption for sensitive files which remains in place wherever they go – whether they are copied, emailed, or modified.


Data Encryption Trends

Here are a few trends likely to drive the development of data encryption in the future:

Bring Your Own Encryption (BYOE)

BYOE is a cloud computing security model that allows cloud services customers to manage their own encryption keys using their own encryption software. It is also known as Bring Your Own Key (BYOK). BYOE works by allowing customers to deploy virtualized instances of their own encryption software alongside cloud-hosted business applications.

Encryption as a Service (EaaS)

EaaS is a subscription model in which cloud providers offer encryption on a pay-per-use basis. This approach addresses compliance concerns and provides customers with some capabilities to manage their own encryption, to secure data in multi-tenant environments. These services typically offer full disk encryption (FDE), database encryption, or file encryption.

Cloud Storage Encryption

This is a service in which cloud storage providers use encryption algorithms to protect all data saved to cloud storage. It is similar to encryption performed on-premises, but with important differences. Cloud customers should take the time to understand the provider’s policies and procedures for encryption and key management, so that the protection matches the level of confidentiality of their self-managed encrypted data.

End-to-End encryption (E2EE)

E2EE ensures that an attacker who intercepts a communication channel cannot see the data transmitted between the two endpoints. Using Transport Layer Security (TLS) to create an encrypted channel between web clients and web servers does not by itself guarantee E2EE, because attackers can access the content before it is encrypted by the client and just after it is decrypted by the server.

Field-level encryption

Field-level encryption is the ability to encrypt data in specific fields on a web page, such as credit card numbers, social security numbers, bank account numbers and health information.

Sequential Link Encryption

This is a method that encrypts data as it leaves a host, decrypts it on the next network link (which can be a host or a relay point), and re-encrypts it before sending it to the next link. Each link can use a different key or different algorithm to encrypt the data, and the process repeats until the data reaches the receiver.

Network-Level Encryption

This method applies cryptographic services at the network forwarding layer (Layer 3 in the OSI model), above the data link layer but below the application layer. Layer 3 encryption is achieved through Internet Protocol Security (IPsec). When used in combination with a set of IETF standards, it creates a framework for private communications in IP networks.

Learn more about core data protection principles and best practices in our Data Protection Principles and Data Protection Policy articles.


Cloudian HyperStore: Secure Mega-Scale Storage with Built-In Encryption

It takes a lot of work to ensure that your data is encrypted and your security keys are properly managed. Cloudian HyperStore is an on-premises object storage solution that can help you simplify these processes in your cloud, whether it’s private, public, or hybrid.

HyperStore is fully S3 API compliant and includes automatic data verification and encryption. It uses two server-side encryption methods, SSE/SSE-C and Keysecure, and supports the use of third-party key management systems to keep your data safe at rest. HTTPS is used for upload and download requests to keep data protected in transit as well. Encryption can be managed at bucket level down to that of individual objects, allowing you full control.

Cloudian HyperStore can help you store your data securely and efficiently, keeping it accessible to your broader storage systems and secure from breaches.
