Thales Blog

Superior OS-Level Data Protection

October 28, 2020

Rajesh Gupta Rajesh Gupta | Director of Engineering More About This Author >

Data is everywhere and it is everything to an organization. In this digital age, data is not just limited to collecting personal information, medical history or financial background on individuals. Organizations are collecting all sorts of data. In addition, the introduction of the Internet of Things (IoT), artificial intelligence and machine learning (AI/ML), cloud storage, SaaS and big data has caused an explosion of data.

According to research published by Splunk, leaders see this data as extremely or very valuable to their organization in terms of overall success (81%), innovation (75%) and cybersecurity (78%). Two-thirds (67%) of those surveyed expect the sheer quantity of data to grow nearly five times by 2025.

With the collection of all this highly-valuable data, it is now imperative for an organization to understand who, what, when and how this data is being accessed and consumed. Protecting data with enhanced and transparent encryption, auditing each activity and ensuring proper access control is not an option but a must for any organization.

Data anxiety is real

Unfortunately, the collection of this valuable data brings various threats and risks to the overall success of the business. Organizations are constantly vulnerable to the following threats and risks:


  • Credential theft
  • Weak encryption
  • Infection by malware and ransomware
  • Privilege escalation


  • Data breaches
  • Data exposures
  • Data exfiltration

The frequency of these attacks has grown year over year. And organizations have spent millions of dollars to recover their data and repair their reputation after these data breaches.

Top storage security challenges

Securing large amounts of data poses various challenges. Organizations not only have to protect their data from external threats but also from internal ones. According to ZDNet, a Russian national was recently arrested for trying to recruit a Tesla employee and hack the company. Luckily, the employee reported the incident, but oftentimes protecting data from a disgruntled employee is as critical as securing it from external threats. The example above is just one area of concern. Below are some additional common security challenges organizations face as they look to secure data from threats both inside and outside company walls:

Not all encryption solutions are the same

Bruce Schneier of Schneier on Security put it nicely when he said, “There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.” Let’s admit it, encryption is now a commodity. Encryption is available at the operating system, file system, disk layer, for databases and applications. Does this encryption really protect the data from various Cipher attacks? Organizations without key rotation policies, strong/unique initialization vectors, strong encryption algorithms and key management policies are just checking the boxes--they are not really protecting the data.

Insufficient separation of duties

Companies spend millions of dollars on perimeter security to protect their data. But they often miss the weakest link in the security chain: the people who manage, administer and operate their computer systems. Inadequate and improper access controls to protect data from storage and system admins is the biggest security gap.

Inadequate and improper privileged access controls

Security and system administrators have been struggling with downtime associated with encryption. Without the correct solution, this downtime could be weeks if not months. Security leaders understand that rotating a master key is not enough. Re-encrypting the data with new key material is necessary to protect the data. Periodic key rotation on a large size data adds a challenge to providing 24/7 data availability.

Encryption negates compression and deduplication

The explosion of collected data has significantly increased the storage need and cost. Leaders across industries are looking into various advanced storage features like compression and deduplication to save on storage costs. Encryption simply negates compression and deduplication.

Managing a large number of encryption keys

With encryption of data across many different storage systems, management of encryption keys becomes problematic. As Bruce Schneier said in his book Applied Cryptography, “Key management is the hardest part of cryptography and often the Achilles’ heel of an otherwise secure system.”

Protecting at the OS level

Security always comes with huge baggage. Security is hard to implement in large organizations; not transparent enough to run on various application servers and it slows down these servers. In many ways, these concerns can be alleviated by using OS-level transparent encryption. As mentioned earlier, there are various levels to employ encryption, but protecting at the OS layer has many more benefits. Perimeter security is not enough to prevent ransomware and malware attacks. New age malware are smart enough to penetrate through firewalls, steal user credentials and infect themselves on corporate networks. Preventing these unauthorized applications or malwares to run and allow them to open disk devices directly can be prevented at the OS level.

I recently spoke at the SDC 2020 on “OS Level Encryption and Access Control for Superior Data Protection”. Below are specific advantages of protecting data at the OS level that I covered:

Transparent File Level Encryption

  • Applications do not need any code changes as encryption, key rotation and access control is transparent to all applications.
  • Unique encryption keys or an initialization vector (IV) per folder or file for enhanced encryption.
  • Transparently rotating the keys regularly and re-encrypting the data to prevent cryptographic attacks without any downtime.

Privileged user access control

  • Fine-grained access control to protect data. What, when, how and who can access the data?
  • Allows administrators to perform the backups and maintain systems without reading the data.

Data access audit logging

  • Adding full audit trails for various compliance requirements.
  • Security administrators can review logs and adjust access control rules.
  • Identify who is accessing the data and whether they really need access.

Device protection and application whitelisting

  • Allows only trusted applications to access the disk device directly.
  • Signs these applications to prevent any code injection.


With the significant growth of data and the introduction of new, stringent compliance regulations such as GDPR and CCPA (California Consumer Privacy Act) that can impose hefty fines for non-compliance, it is now not just critical, but imperative, for organizations to understand how to protect their data from both external and internal attacks.

Encryption provides a strong level of protection but must be implemented in conjunction with enterprise-grade key management, device protection and access controls to ensure that only users who are granted access to data will be allowed access.

Establish sensitive data strong controls with maximum efficiency and CipherTrust Transparent Encryption