In the board-room, data encryption may be viewed as binary: if data encryption is employed, the company’s assets are secure; and if it’s not, the company’s data assets are not secure, and it’s time to panic.
However, for the security teams whose job it is to secure sensitive data, the reality is not so simple. At a high level, data encryption types can be broken out into the four levels in the technology stack at which data encryption typically is employed:
In general, the lower in the stack encryption is employed, the simpler and less intrusive the implementation will be. However, the number and types of threats these data encryption approaches can address are also reduced. By employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats.
Full-disk encryption (FDE) and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off the disk.
Encrypting data at the file or volume level (typically used for databases) offers security controls with software agents installed in the operating system. Agents intercept disk reads and writes and apply policies to determine if the data should be encrypted or decrypted. Mature file-system encryption products offer strong policy-based access controls, including for privileged users and processes, and granular logging capabilities.
File-Level Encryption Advantages:
• Transparent to users and applications, so organizations don’t have to customize applications or change associated business processes.
• Supports both structured and unstructured data.
• Establishes strong controls that guard against abuse by privileged users and meet common compliance requirements.
• Offers granular file access logs and speeds up threat detection using SIEM systems that can be used for security intelligence and compliance reporting.
File-Level Encryption Limitations:
• Encryption agents are specific to operating systems, so it is important to ensure the solution selected offers coverage of a broad set of Windows, Linux, and Unix platforms.
• For many organizations and purposes, file encryption represents the optimal approach. Its broad protections support the vast majority of use cases, and it is easy to deploy and operate.
Relevant Thales solutions and capabilities:
• CipherTrust Transparent Encryption offers encryption of structured and unstructured files along with strong privileged user access controls.
• CipherTrust Security Intelligence offers robust capabilities for leveraging granular security logs.
This approach enables security teams to encrypt a specific subset of data within the database or the entire database file. This category includes solutions known as transparent data encryption (TDE) from multiple database vendors. This category also includes column level encryption. This is a type of database encryption method that allows users to select specific information or attributes to be encrypted instead of encrypting the entire database file.
When employing this approach, application logic is added to govern the encryption or tokenization of data from within the application.