In-Use Encryption – What It Is and How Companies Benefit
Though encryption is the most effective way to reduce the probability of a security breach, traditional encryption carries a major hurdle – it protects data only when data is at rest (disk encryption) or in transit via secure communication methods such as SSL and TLS. These limitations leave companies with significant vulnerabilities when the data is in use by on-premise or cloud applications.
The good news for companies is the emergence of In-Use Encryption. In this post we outline some of the limitations of traditional encryption, followed by how in-use encryption addresses these limitations. For a deeper dive, we invite you to download Sotero’s new white paper on in-use encryption.
The Limitation Of Traditional Encryption
- Encryption doesn’t protect data in use.
Companies that encrypt their sensitive data often conclude that their data is completely protected, but that is not the case. Traditional encryption does not cover one of the major vulnerabilities that companies face today: an attacker obtaining unauthorized, direct access to the database. Access can be gained by several methods, including phishing attacks, misconfigured databases, or custom software programs that impersonate valid applications requesting data.
- Cloud infrastructure and applications often put data at risk.
As companies shift sensitive data to the cloud, they introduce more potential cracks in their security program. SaaS applications and IaaS that reside in a public cloud introduce several vulnerabilities:
- Cloud providers require customers to provide their own cybersecurity and do not enforce it.
- Data in the cloud is accessible to the database administrators of the cloud applications or infrastructure via direct access to the database.
- The provider holds the encryption keys and can access the data in the database.
- Endpoints may not be secure.
Attacks often start at endpoints, such as workstations or printers, which are often left unsecured, and then proceed to back-end servers that hold sensitive data. Lack of control at endpoints enables attackers to access sensitive data, even if it is encrypted.
- Anomaly detection systems come with limitations.
Anomaly detection systems are usually deployed at the firewall or network level, rather than at the data access level. This prevents them from detecting data requests that are benign at the access level but still malicious at the data level. Second, log file and user behavior analysis tools do not prevent unauthorized access in real-time.
In-Use Encryption Eliminates These Vulnerabilities
In-Use encryption takes a new approach that ensures that sensitive data is never left unsecured, regardless of or lifecycle stage (at rest, in transit, or in use) source, or location (on premise, cloud, or hybrid). These capabilities set in motion new opportunities for using, sharing, and monetizing data, securely and with confidence.
In-Use Encryption has the following unique advantages over traditional security approaches:
- All sensitive data is encrypted, including all data fields in all applications, adhering to the AES-256 standard. This includes heterogeneous applications, such as ODBC, RDBMS, and JDBC databases, and applications deployed on premise, in a private cloud, or in a public cloud.
- Data is encrypted throughout the entire data life cycle (at rest, in transit, and in use). Because data in use remains encrypted, even when a system breach occurs, data loss is prevented.
- Access to unencrypted data is controlled. Role-based access controls allow you to control which users can see which data and specify data access at a granular (field) level. This protects data from unauthorized access even from database administrators at your company or at your cloud provider who have direct access to the system, but do not need to view the underlying data.
- Governance is provided through a centralized, simple platform. The system allows you to manage data security for all your data stores from a single platform and uses a single method.
- Anomalies are detected and responded to in real time. In-Use Encryption not only encrypts the underlying data, but analyzes data requests in real time and blocks suspicious requests.
In-Use Encryption benefits any company that collects, uses, and shares sensitive data, including PII data:
- Companies that house data in the cloud for broader use and analysis.
- Service and software providers that wish to secure their data more effectively, as well as use that superior security as a selling point for customers.
- Companies that must comply with international data regulations while keeping data storage more streamlined.
- Companies that share data or collaborate with suppliers and other business partners.