Modern businesses have a wealth of data, from financial information to customer demographics, most of which they wish to keep private. Data encryption allows them, and you, to secure data privacy while keeping it accessible to legitimate users, but it’s not infallible. Knowing how data encryption works and what your options are can help you minimize your risks and protect one of your most valuable resources.
What Is Data Encryption?
Data encryption is a method of protecting data confidentiality by converting it to encoded information, called ciphertext, that can only be decoded with a unique decryption key, generated either at the time of encryption or beforehand. Data encryption can be used during data storage or transmission and is typically used in conjunction with authentication services to ensure that keys are only provided to, or used by, authorized users.
Why is it important?
Beyond the clear benefit of enhanced privacy protection, encryption helps ensure data integrity, protecting its contents from undocumented modification, and can be used to verify data’s origin, minimizing the risk of accepting data from untrustworthy sources. The combination of increased Internet use and the value of data to hackers makes data more accessible and desirable than it once was and increases the need for protection. Additionally, many businesses face regulatory requirements for data security, such as the use of encryption, that must be complied with.
Symmetric vs Asymmetric Encryption
The type of encryption used depends on how data is intended to be accessed and by whom.
Private encryption key (symmetric)
Symmetric encryption uses a single, private key for encryption and decryption. It is a faster method than asymmetric encryption and is best used by individuals or within closed systems. Using symmetric methods with multiple users in open systems, such as over a network, requires the transmission of the key and creates an opportunity for theft. The most commonly used type of symmetric encryption is AES.
Public encryption key (asymmetric)
Asymmetric encryption uses paired public and private keys that are mathematically linked and can only be used together. Either key can be used to encrypt data but the paired key must be used to decrypt it. Asymmetric encryption is used by multiple users and across open networks, like the Internet, because the public key can be freely shared without risking data theft. The most commonly used types of asymmetric encryption are ElGamal, RSA, DSA, and PKCS.
Data Encryption Standards
There are numerous data encryption algorithms to choose from, depending on the use case, but the ones most frequently used are:
- Triple DES (3DES or TDES)—runs the DES algorithm, an outdated standard, three times, encrypting, decrypting, and encrypting again to create a longer key length. It can be run with a single key, two keys, or three different keys with increasing security. 3DES uses a block cipher method, making it vulnerable to attacks such as block collision.
- RSA—one of the first public-key algorithms, it uses one-way asymmetric encryption. RSA is popular due to its long key length and is used widely throughout the Internet. It is part of many security protocols, like SSH, OpenPGP, S/MIME, and SSL/TLS, and is used by browsers to create secure connections over insecure networks.
- Twofish—one of the fastest algorithms, it is available in 128, 196, and 256-bit sizes with a complex key structure for increased security. It is free for use and appears in some of the best free software, including VeraCrypt, PeaZip, and KeePass, and in the OpenPGP standard.
- Elliptic Curve Cryptography (ECC)—developed as an improvement upon RSA, it provides better security with significantly shorter key lengths. ECC is an asymmetric method used in the SSL/TLS protocol.
- The Advanced Encryption Standard (AES)—established as the US government standard for encryption. AES is a symmetric-key algorithm that uses block cipher methods. It is available in 128, 192, and 256-bit sizes, using an increasing number of rounds of encryption according to size. It was built for easy implementation in both hardware and software.
Common Criteria (CC)
CC is not an encryption standard but a set of international guidelines for verifying that product security claims hold up under testing. Originally, encryption was outside the scope of CC but is increasingly being included in the security standards defined for the project.
CC guidelines were created to provide vendor-neutral, third-party oversight of security products. Products under review are submitted on a voluntary basis by vendors, and whole products or individual functionalities are examined. When a product is evaluated, its features and capabilities are tested according to up to seven levels of rigor and compared to a defined set of standards according to product type.
In Transit vs At Rest Encryption
Data is valuable regardless of whether it is being transferred between users or sitting on a server and must be protected at all times. How that protection is accomplished depends on the state of the data.
Data encryption in transit
Data is considered in transit when it is moving between devices, such as within private networks, through the Internet, or from a laptop to a thumb drive. Data is at greater risk during transfer due to the need for decryption prior to transfer and the vulnerabilities of the transfer method itself. Encrypting data during transfer, referred to as end-to-end encryption, ensures that even if the data is intercepted, its privacy is protected.
Data encryption at rest
Data is considered at rest when it resides on a storage device and is not actively being used or transferred. Data at rest is often less vulnerable than data in transit, because device security features restrict access, but it is not immune. Additionally, it often contains more valuable information, so it is a more appealing target for thieves.
Encrypting data at rest reduces the opportunities for data theft created by lost or stolen devices, inadvertent password sharing, or accidental permission grants: it increases the time needed to reach the information, which buys time to discover the loss or attack, remotely erase the data, or change credentials.
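What "encrypting data at rest" looks like in practice, once a key management system is involved, is envelope encryption: each stored object gets its own data key, the data key is itself encrypted under a key-encryption key held by the KMS, and only the wrapped data key is stored next to the ciphertext. The Go program below is an added example written for this article, not Cloudian's or any vendor's code; the `KMS` type is a constructed in-memory stand-in for an external key service, all function names are assumptions, and the stored record is made up. It goes slightly beyond the paragraph above to show why the design matters operationally: a lost device or disk copy holds no usable key, and the key-encryption key can be rotated and the old version retired by re-wrapping 32-byte data keys, without re-encrypting the object bodies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; aad is authenticated, not encrypted, and the nonce is prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return k
}

// KMS is a constructed stand-in for an external key-management service (not any vendor's API).
// It keeps versioned key-encryption keys (KEKs) and never releases them; callers only wrap/unwrap.
type KMS struct {
	keks    map[int][]byte
	current int
}

// Rotate adds a new KEK version; old versions stay usable for unwrapping until Retire removes them.
func (k *KMS) Rotate() {
	if k.keks == nil {
		k.keks = map[int][]byte{}
	}
	k.current++
	k.keks[k.current] = randomKey()
}

func (k *KMS) Retire(version int) { delete(k.keks, version) }

// Wrap encrypts a data key under the current KEK; the version is bound as AAD.
func (k *KMS) Wrap(dek []byte) (int, []byte, error) {
	w, err := seal(k.keks[k.current], dek, []byte(fmt.Sprint(k.current)))
	return k.current, w, err
}

func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is retired", version)
	}
	return open(kek, wrapped, []byte(fmt.Sprint(version)))
}

// StoredObject is what reaches disk: ciphertext, the wrapped data key, and the KEK version. No plaintext key.
type StoredObject struct {
	KEKVersion int
	WrappedDEK []byte
	Body       []byte
}

func PutObject(k *KMS, plaintext []byte) (*StoredObject, error) {
	dek := randomKey()
	body, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	ver, wrapped, err := k.Wrap(dek)
	return &StoredObject{KEKVersion: ver, WrappedDEK: wrapped, Body: body}, err
}

func GetObject(k *KMS, o *StoredObject) ([]byte, error) {
	dek, err := k.Unwrap(o.KEKVersion, o.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, o.Body, nil)
}

// Rewrap moves an object to the current KEK by re-wrapping only its data key; Body is untouched.
func Rewrap(k *KMS, o *StoredObject) error {
	dek, err := k.Unwrap(o.KEKVersion, o.WrappedDEK)
	if err != nil {
		return err
	}
	o.KEKVersion, o.WrappedDEK, err = k.Wrap(dek)
	return err
}

func main() {
	kms := &KMS{}
	kms.Rotate()
	obj, err := PutObject(kms, []byte("constructed customer record")) // made-up sample data
	if err != nil {
		panic(err)
	}
	kms.Rotate()
	if err := Rewrap(kms, obj); err != nil {
		panic(err)
	}
	kms.Retire(1)
	pt, err := GetObject(kms, obj)
	fmt.Printf("KEK v%d, body readable: %s (err=%v)\n", obj.KEKVersion, pt, err)
}
```

Binding the KEK version into the wrap as associated data means a wrapped key copied from one version's record cannot be presented as another's, and keeping the data key separate from the body is what lets the "remotely erase" step in the paragraph above work: retiring or destroying the KEK makes every object under it unreadable without touching the objects themselves.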
Encryption with Cloudian HyperStore
It takes a lot of work to ensure that your data is encrypted and your security keys are properly managed. Cloudian HyperStore is an on-premise object storage solution that can help you simplify these processes in your cloud, whether it’s private, public or a hybrid.
HyperStore is fully S3 API compliant and includes automatic data verification and encryption. It uses two server-side encryption methods, SSE/SSE-C and Keysecure, and supports the use of third-party key management systems to keep your data safe at rest. HTTPS is used for upload and download requests to keep data protected in transit as well. Encryption can be managed at bucket level down to that of individual objects, allowing you full control.
Cloudian HyperStore can help you store your data securely and efficiently, keeping it accessible to your broader storage systems and secure from breaches.