Information categories for encryption
Information that encryption is used to protect generally falls into three categories.
- Traditional secrets: Government or personal information that could cause harm if revealed. Most governments have whole agencies devoted to this. On the personal side, think of your bank or financial account information.
- Critical Intellectual Property (or Critical IP): information Formulas, methods, source code, designs, outcomes from analysis, clinical trial data, and so on.
- Personally Identifiable Information (PII): Personal information protected by government regulation or industry compliance requirements. Examples include Social Security Numbers (in the US … and their equivalents worldwide), credit card numbers, logins, passwords, medical account information, personal interests, search history, and details of what we like, where we go, and what we do.
Encryption basics in technology
Encryption use in today’s technology environments is all about the encryption keys (or just “keys”). Encryption keys are used to encrypt data (making it unreadable) and decrypt it (making it readable again). Encrypted data is called “cyphertext,” and unencrypted data is “plaintext.” Encrypted data combined with policies that allow only specific users, roles, or groups to use encryption keys to decrypt data results in a strong security control enforcing access to the plaintext/sensitive data (the access portion is sometimes called “Role Based Access Control,” or RBAC).
Underlying encryption layers and methods are diverse and too extensive for a short discussion (University degrees in Cryptography exist for people who really love the topic). So let’s take a look next at how encryption is used in technology environments; this breaks down into encryption for data “in-transit,” “at-rest,” and “in-use.”
Encryption of data “in-transit”
Almost all of us use encryption for data “in-transit” every day. When the “lock” symbol shows in your browser address bar, it indicates that a securely encrypted “tunnel” has been created between your browser and the application on the other end. Transport Layer Security (TLS) is the current standard for this, and Secure Socket Layer (SSL) the older and less secure version of the same technology for creating and using this encrypted tunnel. Another type of encryption of data “in-transit” is the exchange of encrypted files. An example – Some programs for PCs will also allow you to individually encrypt files (it’s an option for the professional version of Acrobat, for instance). If you then attach an encrypted file to an email and send it, data is encrypted “in-transit.”
Encryption of data “at-rest”
Information stored on a file system or in a repository is data that is “at-rest.” Encryption of data-at-rest varies widely and offers varying levels of protection against access to data where it is stored (hence “at-rest”)
Disk encryption: The weakest level of protection. Protects against physical device loss, theft, or improper disposal only. Bitlocker on a Windows PC or the encryption of the storage in an iPhone are good examples.
File & folder encryption: The next level of protection. Includes encryption within cloud storage environments – Protects against threats at the physical layer (disk encryption) and system/cloud environment level.
Database encryption: Adds protection against improper access to data within the database.
Application encryption: Uses encryption/tokenization libraries to encrypt data before storage and decrypt when retrieved (files, databases, Hadoop environments, etc.) – Stronger protection, but relies on the application programmer to enable access controls.
Encryption of data “in-use”
The next generation of encryption solution – a single solution that protects data while being viewed or analyzed and data-at-rest and data sets in-transit. In-use encryption offers the highest level of data security:
- Data in use: Only decrypts data for authorized users when used for display or analysis. User Role Based Access Control (RBAC) is provided through standardized interfaces linked to directory services and sign-on environments.
- Data in transit: Data is protected against all the threats inherent in securely exchanging data.
- Data at rest: Data within databases, big data environments, and file systems is securely encrypted or tokenized and used for display or analysis by user access role and policy through standardized interfaces linked to Role Based Access Control (RBAC) environments.
Sotero’s Data Security Platform for Data-In-Use
With Sotero’s Data Security platform, organizations can quickly and easily take advantage of the highest level of data security available with in-use encryption that protects data-at-rest, in-transit, and where it is used. Sotero’s platform adds additional security to existing data security use cases across on-premises and cloud environments for protecting sensitive data within databases, big data environments, and file systems. Unique on-platform Machine Learning (ML) threat pattern recognition linked to users, roles, and groups quickly alerts when data usage patterns that may represent a threat are identified. Implementation is effortless and rapid – using standard interfaces already in use by existing applications – no recoding required. Scalability, on-premises and cloud deployment models, and integration with auditing and governance applications enable cost-effective operation and regulatory and industry-standard compliance.