AUG 17, 2011 3:42pm ET


Innovating in Data Protection


As data breaches continue to rise, businesses are struggling to protect sensitive data from cybercriminals. The Verizon Business 2011 Data Breach Investigations Report stated that nearly 4 million records were compromised last year.

Additionally, increased regulation and consumer awareness of privacy issues have motivated many businesses to investigate methods to encrypt confidential information and minimize the aftermath of losing data.

A primary concern is that database and application security has been time-consuming and costly. According to security specialist and software provider Voltage, many methods still only protect data while it is being transferred from one point to another, rather than as it’s first captured, processed, stored and used in any given location. Without end-to-end protection, data remains vulnerable.

But awareness of this potential threat to security is spreading. “We are seeing customers now that are not thinking, ‘How do I secure this application,’ but instead are thinking ‘How do I secure this data type everywhere,’” says Terence Spies, CTO, Voltage Security.

Encrypting PII (personally identifiable information) in large databases has historically been difficult, because encrypting information usually means making the data more verbose and changing its format. Previous attempts to encrypt PII such as credit card numbers and Social Security numbers without changing their format have used what Spies calls “questionable” cryptographic constructions.

“Encryption is a general term. To really protect your data, you need to know when it's encrypted, and when it's in a vulnerable, plaintext form,” explains Spies. Many older solutions, he says, encrypt data at a low level (at the disk or database layer), which leaves the upper application layers of the system vulnerable.

Low-level encryption techniques (like whole-disk encryption) are useful, he says, but they don't control sensitive data to the point that it lives, automatically, in ciphertext form until explicitly decrypted in a trusted application. Keeping data encrypted used to mean expensive redesigns of applications and databases.

More modern techniques encrypt the data at the application layer, so no matter where that data moves, it is encrypted unless decrypted for a specific purpose. It’s a holistic way to help security staff and auditors pinpoint risk.

Two modern innovations in data security are format-preserving encryption, and tokenization and data masking. Format-preserving encryption allows encrypted data to retain its original format (e.g., a nine-digit Social Security number will have the same size and format when it’s encrypted), strengthening protection while simplifying, or eliminating, the need for re-architecting, changing or upgrading systems.

Format-preserving encryption, or FPE, is a way of encrypting data while keeping application changes to a bare minimum: semi-trusted processes can run in a way that they never see plaintext data, and only trusted applications are allowed to see "real" data.
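To make concrete what "the ciphertext keeps the plaintext's format" means, here is an added example (not Voltage's product, not code from the article, and not the NIST FF1/FF3-1 standard): a small Feistel network over decimal digit strings, built from HMAC-SHA256, which is the same family of construction the standardized FPE modes use. The key, the round count, the tweak value (a column name) and the sample number are all constructed for the demonstration. A nine-digit input comes out as a nine-digit output, so a column, a log parser or a semi-trusted batch job that only validates "nine digits" keeps working on encrypted values, while only a holder of the key can recover the original.

```python
# Added example: a toy format-preserving cipher for digit strings.
# It is NOT Voltage's product and NOT NIST FF1/FF3-1; it is a small Feistel
# network built from HMAC-SHA256 to show how an encrypted Social Security
# number can keep the nine-digit format of the plaintext.
import hashlib
import hmac

ROUNDS = 10  # round count is an assumption chosen for this demo


def _prf(key: bytes, tweak: bytes, round_no: int, half: int, modulus: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round number, other half),
    reduced modulo the size of the half being updated."""
    msg = tweak + bytes([round_no]) + half.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits: str):
    """Split a decimal string into left/right integer halves plus their moduli and widths."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    return int(digits[:u]), int(digits[u:]), 10 ** u, 10 ** v, u, v


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string to another decimal string of identical length.
    The tweak (e.g. a column name) makes the same value encrypt differently per context."""
    a, b, mod_a, mod_b, u, v = _split(digits)
    for i in range(ROUNDS):
        if i % 2 == 0:
            a = (a + _prf(key, tweak, i, b, mod_a)) % mod_a  # left half absorbs F(right)
        else:
            b = (b + _prf(key, tweak, i, a, mod_b)) % mod_b  # right half absorbs F(left)
    return f"{a:0{u}d}{b:0{v}d}"


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards with modular subtraction."""
    a, b, mod_a, mod_b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            a = (a - _prf(key, tweak, i, b, mod_a)) % mod_a
        else:
            b = (b - _prf(key, tweak, i, a, mod_b)) % mod_b
    return f"{a:0{u}d}{b:0{v}d}"


def is_permutation(key: bytes, width: int, tweak: bytes = b"") -> bool:
    """Check that the cipher is a bijection on all width-digit strings.
    Feasible only for small widths; a permutation is what 'no format change' requires."""
    domain = [f"{i:0{width}d}" for i in range(10 ** width)]
    return sorted(fpe_encrypt(key, d, tweak) for d in domain) == domain


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key - constructed for this example").digest()
    ssn = "123456789"  # constructed sample value, not a real SSN
    ct = fpe_encrypt(key, ssn, tweak=b"customers.ssn")
    print(ssn, "->", ct, "->", fpe_decrypt(key, ct, tweak=b"customers.ssn"))
    print("nine-digit format kept:", len(ct) == 9 and ct.isdigit())
    print("bijective on 2-digit domain:", is_permutation(key, 2))
```

Two points the example makes visible. First, because the output is indistinguishable from a real nine-digit number, a deployment has to track which columns hold ciphertext; this is the "you need to know when it's encrypted" requirement Spies raises. Second, FPE on a very small domain (the two-digit check above enumerates the whole space) offers little secrecy no matter how good the cipher is, so production use should rely on a reviewed standard such as NIST SP 800-38G's FF1 rather than a hand-rolled construction like this one.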

The biggest impact of FPE technology is that enterprises can build effective projects to encrypt data without forcing a complete system redesign, even in legacy environments, says Spies. Encryption can be offered as a centralized service, without requiring expertise about key management and ciphers.

“The strategy of putting the data type – and not the application – first in an encryption strategy is a dramatic shift,” says Spies. This codifies the practice of managing data that is living in an encrypted state and only being selectively decrypted.

More enterprises are thinking this way because regulations and risk calculations are requiring it, and vendors such as Voltage claim their technologies can make it possible without having to redesign core business processes.

Valerie Valentine is senior editor for Information Management. You can follow her on Twitter at @va1va1entine or via email at valerie.valentine@sourcemedia.com.
