In-Use Encryption, Tokenization & Masking

Use Data While It’s Encrypted? No way!

rectangle Written by: Purandar Das rectangle 2 5 min read

That’s what a recent data security executive said to one of our solution specialists as he was exploring our data encryption solution – Sotero Protect. They just didn’t believe it.

We’re always delighted when people reach out to us to explore our data security solutions. And, as with any new technology, we expect the tough questions. Actually, we look forward to them because it gives us the opportunity to discuss data in use encryption.

As we explained data in use encryption to our new data security friend, we realized we were dealing with a skeptic when he uttered the words in the headline of this blog post . . . “Use data while it’s encrypted? No way!”

Yes way!

Unfortunately, we were cut off by our skeptical friend before we could explain how data in use encryption works. He didn’t want to hear it because it couldn’t be real. Well, not only is real, but it’s helping numerous companies today to protect sensitive data.

It’s my hope that our friend comes back and reads this post. Well, actually, it’s a quick letter – outlining what we were about to explain during our insightful exchange.

Dear Skeptical Friend,

As we discussed during our conversation, though encryption is an effective at reducing the probability of a security breach, traditional encryption still carries a major hurdle – it protects data only when data is at rest (disk encryption) or in motion via secure communication methods such as SSL and TLS. These shortfalls leave companies with significant vulnerabilities when the data is in use.

Data in use encryption takes a new approach – one that keeps data encrypted regardless of lifecycle stage – in use, in motion and at rest. Here’s a little more detail – and we’d be delighted to dive deeper should you visit us again.

Data in use encryption technology ensures that data is encrypted even when in use by applications. It provides decrypted data for authorized queries from application users employing three levels of encryption: deterministic, random, and format-preserving. It processes a query by fetching encrypted data from the database. It then evaluates the user’s access rights and sends unencrypted results back to privileged users. Users without the proper privileges simply receive encrypted data in response to a query.

The technology detects and protects data from unauthorized use by evaluating each incoming query in real-time against historical patterns of use – to immediately stop a suspicious query before the data is released to the user.  It also employs a secure key management service that uses TLS access control and multiple layers of AES-256 keys to encrypt the data. It is essentially a vault that holds the data encryption keys (DEKs) used to encrypt the data as well as a master key (or key encryption key, KEK), which is used to encrypt the DEKs themselves. The DEKs are symmetric keys, meaning the same key is used to encrypt and decrypt the data.

This is the short answer, and we’d love to dive deeper should we have the opportunity to speak again. We hope you reach out to us again so we may continue the conversation.

Yours in data security,

The Sotero Team


data protection,

data regulations,

data security

Subscribe to our Blog

Take a look at a truly encrypted future, with no data left unsecure.

Request a Live Demo.

Schedule a live one-on-one
demo of Sotero.

Book Demo