1 Introduction
With an ever-growing number of cyberattacks and ever-increasing regulations, businesses are under constant pressure to properly protect their sensitive data sets. Such protection is needed at various levels and includes several elements, from endpoint protection and network firewalls to IAM (Identity and Access Management), CASBs (Cloud Access Security Brokers), and others.
Last, but not least, amongst these technologies is encryption. Encryption can be implemented (and regularly is implemented) at various levels. Network encryption, e.g. based on the SSL/TLS standard, is ubiquitous when using the Internet. Disk encryption is widely supported on both clients and servers. File systems can be encrypted as well. Finally, data encryption enables the encryption of specific sets of data for specific applications or at the database level.
Data encryption provides, for example, enhanced protection of sensitive data such as credit card numbers, patient data in healthcare, passport numbers or other types of PII (Personally Identifiable Information). Thus, it also helps with compliance with regulations that require specific, in-depth protection of sensitive data, such as
- PCI DSS, which requires specific protection of credit card information
- HIPAA/HITECH, which requires specific protection of healthcare information
- GDPR, which raises the bar for protecting PII
In addition, there are many other use cases, well beyond PII protection. Many businesses also want and need to specifically protect financial information or intellectual property. Depending on where that information resides, different approaches to protecting, and specifically encrypting, that information are required.
Common approaches to encryption focus either on data at rest, i.e. data held on some sort of storage, or data in motion, i.e. data being transferred. For the latter, we can distinguish between end-to-end solutions that encrypt information all the way between endpoints, such as S/MIME for email encryption, and solutions that only protect certain legs of the transfer, such as SSL/TLS. Furthermore, there are emerging, but so far largely academic, approaches that keep data encrypted while it is in use, such as homomorphic encryption. The practical approach to protecting data in use at the application level builds on Format Preserving Encryption (FPE), data masking and tokenization. While data masking simply replaces some parts of the data, such as certain fields or characters, tokenization uses one-way techniques to create a token for a given piece of information, so that the token can be used securely without revealing the original data. Tokenization typically delivers the advantage of dynamic data masking, i.e. display security: controlling which data, or which portion of the data, a user sees in clear text, depending on their role in the organization. FPE uses standards-based encryption techniques, but delivers the encrypted result like a token, at a predictable length, so that it can replace database entries without breaking the database schema.
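As an added illustration (not code from this paper or from the Vormetric product), the following shows the FPE property described above next to plain data masking: a toy format-preserving cipher over decimal digits built as a Feistel network with an HMAC-SHA256 round function. The construction, key and card number are assumptions for the demo; it is a teaching construction rather than NIST FF1, but it shows why an FPE result fits the existing column (same length, same digit alphabet) and, unlike masking, remains reversible with the key.

```python
import hashlib
import hmac

# Assumed teaching construction: a Feistel network over decimal digits with an
# HMAC-SHA256 round function. It is NOT NIST FF1 and not Vormetric's implementation;
# it only demonstrates that FPE output keeps the input's length and alphabet.

def _round_fn(key: bytes, rnd: int, half: str, width: int) -> int:
    """Pseudorandom value from the round number and the other half, reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)

def fpe_encrypt(key: bytes, digits: str, rounds: int = 10) -> str:
    """Encrypt a decimal string into another decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2 or rounds % 2:
        raise ValueError("need at least 2 decimal digits and an even round count")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else len(digits) - u   # width of the half being replaced
        c = (int(a) + _round_fn(key, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)                  # swap halves, keep zero padding
    return a + b

def fpe_decrypt(key: bytes, digits: str, rounds: int = 10) -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else len(digits) - u
        c = (int(b) - _round_fn(key, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b

def mask(digits: str, keep_last: int = 4) -> str:
    """Static data masking: hide all but the trailing digits; no key, not reversible."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    pan = "4111111111111111"               # constructed sample card number
    ct = fpe_encrypt(key, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, ct))   # same length, digits only, round-trips
    print("masked:", mask(pan))                        # ************1111
```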
Businesses face several challenges when looking for information protection based on encryption. Aside from the inherent complexity of encryption and of related technologies such as key management, tokenization, and data masking, there is no single approach that covers all types of encryption. Frequently, businesses end up with a variety of point solutions, building a distinct infrastructure per use case, each with its own user interface such as a management console, and each requiring very specific expertise and training. This is complex, inefficient, and expensive.
Thales eSecurity is one of the few players in the market that provides an integrated approach, the Vormetric Data Security Platform, covering a broad range of encryption use cases. The Vormetric Application Crypto Suite, which provides an integrated set of capabilities for protecting information at the application and database-field level, is part of that platform. This integrated approach reduces the cost and complexity of implementing encryption at scale in organizations.