Companies have long relied on Intrusion Detection Systems (IDS), firewalls, and advanced user authentication controls to keep confidential corporate data secure. However, hackers have found ways around these conventional data security methods, which leaves companies with only one method that protects the data itself effectively: encryption. Encryption has historically seen little use, but adoption is now growing because of the regulations that governments are putting in place.
Why use encryption?
Data encryption has many uses. Encryption software transforms the data with a cryptographic algorithm so that it cannot be read without the key, which makes it far less likely that a hacker can crack it and gain access to the data. There are two primary ways in which encryption is done: the symmetric method and the asymmetric method. In the symmetric method, data is encrypted and decrypted with a single key (often derived from a password). In the asymmetric method, a public/private key model is used: a pair of keys is generated, one of which encrypts while the other decrypts.
“Hackers are always going to get in. The data has to be encrypted when it is stolen, so when removed the data will be useless. Or we can continue to treat real cyber security as an afterthought. The choice is ours – I will go with the encryption.”
— Richard Blech, CEO, Secure Channels
Many encryption methods are available today. One that is fast gaining popularity in business for keeping cloud application data secure is ‘data at rest’ encryption.
What is Data at Rest?
As mentioned previously, perimeter security alone is not sufficient to protect an organization from internal and external data security threats. Instead, companies are now required to implement data at rest encryption as well.
This involves encrypting data while it is at rest, as the name implies: inactive data that is stored physically in any digital form. In contrast with data in use or data in motion, data at rest is not being processed or transmitted over a network or channel. Data at rest can be archival or reference files that change rarely or never; it can also be data that is subject to regular but not constant change.
Considering these aspects, companies need to identify where the data is stored: in storage networks, file servers, databases, endpoints, or in the cloud itself.
Companies that are seeking to implement data at rest encryption need to look out for the following four things:
- Security – the solution must use strong, current symmetric encryption standards.
- Performance – the encryption should be up to date and should prevent the data from being easily cracked by hackers.
- Ease of use – the solution must be flexible enough to suit your requirements and preferences.
- Scalability – the solution must scale to larger data volumes without compromising performance.
Step-by-step guide to encrypting data at rest
When encrypting data at rest residing in the cloud, it is first important to consider the type of data you wish to protect. To determine this, you need to ask the following questions:
- What information requires protection?
- What kind of threats does the information require protection against?
- What infrastructural changes are we willing to make?
- What do we expect from the encryption?
Data at rest encryption is best done with the Advanced Encryption Standard (AES) or the Data Encryption Standard (DES), as these are algorithms which provide advanced encryption and data security. However, there are various approaches you can take to data encryption. These are as follows:
In the first approach, data within the application is encrypted before it is moved or transmitted to another location. This allows data to be sent and received fully encrypted and leaves little room for the data to be misused through insider or outsider access, since even the Database Administrator (DBA) sees only ciphertext.
However, this approach can be very costly for companies to implement. It is computationally intensive and can take a long time to roll out, particularly when multiple applications are involved. It also does not cover unstructured data, and it requires a development team to monitor and maintain the encryption.
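The symmetric and asymmetric methods from the “Why use encryption?” section, applied to the application-side approach just described, as an added Go example that is not code from the original article: each record is encrypted inside the application with a fresh symmetric AES-256-GCM data key, and that data key is wrapped with an RSA-OAEP public key (envelope encryption), so what reaches the database is ciphertext only and the private key holder alone can read it back. The record label bound as associated data, the `data-key` OAEP label, and the 2048-bit RSA key size are assumptions made for this example; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the application hands to the database: the record
// ciphertext plus its data key wrapped under the owner's public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Record     []byte // nonce || AES-GCM ciphertext || tag
}

// SymmetricEncrypt: the symmetric method, one key encrypts and decrypts.
// AES-256-GCM also authenticates the record, so tampering is detected.
func SymmetricEncrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt and fails on any change to the
// ciphertext or a mismatch in the associated data.
func SymmetricDecrypt(key, record, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptAtRest: the asymmetric method wraps the per-record data key with the
// public key, so any component may write records but only the private key
// holder can read them. The label (e.g. a row id) is bound as associated data.
func EncryptAtRest(pub *rsa.PublicKey, plaintext []byte, label string) (Envelope, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key per record
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	record, err := SymmetricEncrypt(dataKey, plaintext, []byte(label))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("data-key"))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Record: record}, nil
}

// DecryptAtRest unwraps the data key with the private key, then decrypts the
// record; the label must match the one used at encryption time.
func DecryptAtRest(priv *rsa.PrivateKey, env Envelope, label string) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(dataKey, env.Record, []byte(label))
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // key size assumed for the example
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is the row the application writes.
	env, err := EncryptAtRest(&priv.PublicKey, []byte("constructed customer record"), "customers/42")
	if err != nil {
		panic(err)
	}
	plain, err := DecryptAtRest(priv, env, "customers/42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes, decrypted: %s\n", len(env.Record), plain)
}
```

The point of the per-record data key is that a compromised stored copy yields nothing without the private key, and because the row label is authenticated, a record copied from one row into another fails to decrypt rather than silently returning another customer's data.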
In tokenization, the sensitive application data is substituted with unique identification symbols (tokens) that serve as a proxy for the original data, which is kept in an encrypted master file. To gain access, a hacker would need to match the tokens back to the original data, which makes the attack far more difficult. This approach is used to protect credit card and social security numbers.
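A minimal token vault for card numbers, as an added Go example that is not from the original article: the application stores a random digit string of the same length in place of the card number, and only the vault can map it back. Keeping the last four digits visible, the 13 to 19 digit input format, and holding the mapping in memory are assumptions for the example; in a deployment the vault's master file is the encrypted, access-controlled store the article describes.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"sync"
)

// TokenVault maps tokens back to original values. The vault is the only place
// the real values exist; tokens circulating in applications carry no
// recoverable information about them.
type TokenVault struct {
	mu      sync.Mutex
	toValue map[string]string // token -> original card number
	toToken map[string]string // card number -> token (same input, same token)
}

func NewTokenVault() *TokenVault {
	return &TokenVault{toValue: map[string]string{}, toToken: map[string]string{}}
}

// Assumed input format: 13 to 19 digits, as card numbers are.
var panPattern = regexp.MustCompile(`^[0-9]{13,19}$`)

// randomDigits draws n uniformly random decimal digits from a CSPRNG; the
// token is not derived from the card number, so it cannot be reversed.
func randomDigits(n int) (string, error) {
	buf := make([]byte, n)
	for i := range buf {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		buf[i] = byte('0' + d.Int64())
	}
	return string(buf), nil
}

// Tokenize replaces a card number with a same-length random token that keeps
// the last four digits (assumed convention so receipts can show "****1234").
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if !panPattern.MatchString(pan) {
		return "", errors.New("input is not a card number")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.toToken[pan]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if _, taken := v.toValue[tok]; taken || tok == pan {
			continue // collision or identity: draw again
		}
		v.toValue[tok] = pan
		v.toToken[pan] = tok
		return tok, nil
	}
}

// Detokenize is the privileged operation: only callers with vault access can
// recover the original value, and unknown tokens are rejected.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.toValue[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewTokenVault()
	tok, err := vault.Tokenize("4111111111111111") // constructed test card number
	if err != nil {
		panic(err)
	}
	fmt.Println("application stores:", tok)
	pan, _ := vault.Detokenize(tok)
	fmt.Println("vault resolves to:", pan)
}
```

Because the token is random rather than encrypted, there is no key whose compromise reverses it; the security of the scheme reduces entirely to who can call `Detokenize`, which is where access control and auditing belong.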
Cloud Data Encryption
How a company encrypts data in the cloud depends on the cloud model in use. With Infrastructure-as-a-Service (IaaS), data can be encrypted at the storage volume layer. In other models, the encryption approach varies according to where the encryption key management infrastructure is located.