Data security has traditionally been seen as a matter of locking down data in a physical location, such as a data center. But as data migrates across networks, borders, mobile devices, and into the cloud and Internet of Things (IoT), focusing solely on the physical location of data is no longer relevant.
To prevent disclosure of sensitive corporate data to unauthorized people in this new corporate environment, data needs to be secured. Encryption and data masking are two primary ways for securing sensitive data, either at rest or in motion, in the enterprise. They are important parts of endpoint security and any enterprise's optimal security posture.
Encryption is the process of encoding data in such a way that only authorized parties can access it. Using homomorphic encryption, sensitive data in plaintext is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.
In data masking, “fake” data replaces real data for users who should not have access to the real data, whether because of their role in the company or because they are attackers. Masking ensures sensitive data is obscured or otherwise de-identified.
Dynamic data masking can transform the data based on the user roles and privileges. It is used to secure real-time transactional systems and improve data privacy, compliance implementation, and maintenance.
With data masking, data is retained in its native form, and no decryption key is necessary. The resulting data set does not contain any references to the original information, making it useless for attackers.
How does encryption work?
Encryption scrambles data using nonreadable mathematical calculations and algorithms. An encryption system employs an encryption key generated by an algorithm. While it is possible to decrypt the data without possessing the key, significant computational resources and skills would be required if the encryption system is designed properly. An authorized recipient can easily decrypt the message with the key provided by the originator.
If the encryption key is lost or damaged, it may not be possible to recover the encrypted data from the computer. Therefore, enterprises need to set up rigorous key management processes, procedures, and technologies before implementing data encryption technologies.
Organizations should consider how key management practices can support the recovery of encrypted data if a key is lost or destroyed. Those planning on encrypting removable media need to consider how changing keys will impact access to encrypted storage on removable media, such as USB drives, and develop solutions, such as retaining the previous keys in case they are needed.
Encryption can be applied to endpoint drives, servers, email, databases, and files. The appropriate encryption depends upon the type of storage, the amount of data that needs to be protected, environments where the storage will be located, and the threats that need to be stopped.
Public key encryption is one use of public key cryptography, also known as asymmetric cryptography. Digital signature, in which a message is signed with the sender’s private key and can be verified by anyone who has access to the sender’s public key, is another well-known use of public key cryptography.
Selecting encryption solutions
There are three primary types of encryption solutions: full disk encryption, volume/virtual disk encryption, and file/folder encryption. When selecting encryption types, enterprises should consider the range of solutions that meet their security requirements, not just the type that is most commonly used.
The top features that enterprises should consider when choosing an encryption system include centralized policy management, application and database transparency, low latency, key management interoperability, support for hardware-based cryptographic acceleration, support for compliance regulations, and monitoring capabilities.
There are many factors to consider when selecting storage encryption solutions, such as the platforms they support, the data they protect, and the threats they block. Some involve installing servers and software on the devices to be protected, while others can use existing servers, as well as software built into devices’ operating systems.
Unfortunately, encryption can result in loss of functionality or other issues, depending on how extensive the changes are to the infrastructure and devices. When evaluating solutions, enterprises should compare the loss of functionality with the gain in security capabilities and decide if the tradeoff is worth it. Solutions that require extensive changes to the infrastructure and end user devices should generally be used only when other options cannot meet the enterprise’s security needs.
An encryption protocol is a series of steps and message exchanges designed to achieve a specific security objective.
To ensure compatibility and functionality, enterprises should use standard-conforming encryption protocols such as Internet Protocol Security (IPSec), Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Kerberos. Each has advantages and disadvantages. Some overlap in functionality, but each tends to be used in different areas.
- IPSec provides encryption at the IP packet level and requires low-level support from the operating system and a configured server. Since IPSec can be used as a tunnel to secure packets belonging to multiple users and hosts, it is useful for building virtual private networks and connecting remote machines. The next-generation Internet Protocol, IPv6, comes with IPSec built in, but IPSec also works with IPv4.
- SSL and TLS work over the Transmission Control Protocol (TCP) and link up with other protocols using TCP, adding encryption, server authentication, and authentication of the client. TLS is an upgrade to SSL that strengthens security and improves flexibility. SSL and TLS are the primary method for securing Web transactions, such as the use of “https” instead of “http” in URLs. A widely used open-source implementation of SSL is OpenSSL.
- S/MIME is a standard for public key encryption and signing MIME data. With S/MIME, administrators have an e-mail option that is more secure than the previously used Simple Mail Transfer Protocol (SMTP). S/MIME brings SMTP to the next level, allowing widespread e-mail connectivity without compromising security.
- SSH is the primary method of securing remote terminals over the internet and for tunneling Windows sessions. SSH has been extended to support single sign-on and general secure tunneling for TCP streams, so it is often used for securing other data streams. The most popular implementation of SSH is the open-source OpenSSH. Typical uses of SSH allows the client to authenticate the server, and then the user enters a password to authenticate the user. The password is encrypted and sent to the other system for verification. To prevent man-in-the-middle attacks, in which communication between two users is monitored and modified by an unauthorized third party, SSH records keying information about servers with which it communicates.
- Kerberos is a protocol for single sign-on and user authentication against a central authentication and key distribution server. Kerberos works by giving authenticated users tickets, granting them access to various services on the network. When clients then contact servers, the servers can verify the tickets. Kerberos is a primary method for securing and supporting authentication on a local area network. To use Kerberos, both the client and server have to include code since not everyone has a Kerberos setup, complicating the use of Kerberos in some programs.
Data encryption software and solutions
Most of the major security firms provide data encryption software for the enterprise. Here is a sampling of available enterprise data encryption software, which includes full disk encryption (for more in-depth discussions of vendors who provide full disk encryption, see eSecurity Planet’s articles Top 10 Enterprise Encryption Products, 7 Full Disk Encryption Solutions to Check out and Full Disk Encryption Buyer’s Guide):
Check Point Full Disk Encryption Software Blade provides automatic security for data on endpoint hard drives, including user data, operating system files, and temporary and erased files. Multifactor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.
Dell Data Protection Encryption Enterprise enables IT to enforce encryption policies, whether the data resides on the system drive or external media. Designed for mixed vendor environments, it also will not interfere with existing IT processes for patch management and authentication.
HPE SecureData Enterprise uses both encryption and data masking to secure corporate data. HPE SecureData de-identifies data, rendering it useless to attackers, while maintaining usability and referential integrity for data processes, applications, and services. It uses Hyper Format-Preserving Encryption, a high-performance format-preserving encryption.
IBM Guardium Data Encryption provides encryption capabilities to help enterprises safeguard on-premises structured and unstructured data and comply with industry and regulatory requirements. This software performs encryption and decryption operations with minimal performance impact and requires no changes to databases, applications, or networks.
McAfee (Intel Security) Complete Data Protection provides its own encryption tools and supports Apple OS X and Microsoft Windows-native encryption, system encryption drives, removable media, file shares, and cloud data. It also integrates with McAfee’s other enterprise security tools, such as data loss prevention.
Microsoft BitLocker Drive Encryption provides encryption for Windows operating systems only and is intended to increase the security surrounding computer drives. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Sophos SafeGuard Encryption is always on, allowing for secure collaboration. Synchronized encryption protects data by continuously validating the user, application, and security integrity of a device before allowing access to encrypted data.
Symantec Endpoint Encryption provides endpoint encryption and removable media encryption with centralized management, as well as email, file share, and command-line tools. It also integrates with the company’s data loss prevention technology.
Trend Micro Endpoint Encryption provides full disk encryption, folder and file encryption, and removable media encryption. It can also manage Microsoft BitLocker and Apple FileVault.
WinMagic SecureDoc Enterprise Server (SES) offers enterprises control over their data security environment, ensuring security and transparency in regular workflow. With full disk encryption and PBConnex technology, SES enables customers to streamline their IT processes.
In addition to these data encryption software solutions, enterprises could benefit from employing other encryption tools. An eSecurity Planet slideshow advises IT pros to build a portfolio of encryption tools to leverage each one’s strengths. And for the DIY crowd, VeraCrypt offers an open source encryption option.
eSecurity Planet offers six tips for stronger encryption:
- Do not use old encryption ciphers
- Use longer encryption keys
- Encrypt in layers
- Store encryption keys securely
- Ensure that encryption implementation is done properly
- Consider external factors, such as digital signature compromise.
Cloud and IoT drive encryption adoption
Increasingly, enterprises are adopting cloud computing and deploying Internet of Things (IoT) devices to improve efficiencies and reduce costs. However, these technologies can pose additional risks to corporate data.
Encryption could help secure the data, but not many enterprises are opting for that solution. For example, only one-third of sensitive corporate data stored in cloud apps is encrypted, according to a survey of more than 3,400 IT and IT security pros by the Ponemon Institute and Gemalto.
At the same time, close to three-quarters of respondents believe that cloud-based apps and services are important to their company’s operations, and an overwhelming 81 percent expect the cloud to become more important in the near future.
Data encryption can be more challenging in the cloud because data may be spread over different geographic locations, and data is not on storage devices dedicated solely to an individual enterprise. One option is to require the cloud service provider to offer data encryption as part of a service level agreement.
Also, enterprises are increasingly using IoT devices, but few of them have security built in. One option to improve security is to encrypt the data that is transferred by IoT devices, particularly those that connect wirelessly to the network.
In sum, data encryption can be used to secure data at rest and in motion in the traditional enterprise environment, as well as the emerging environments of cloud computing and IoT deployments.