What is Data Encryption
Data encryption is a method of converting data from a readable format (plaintext) into an unreadable, encoded format (ciphertext). Encrypted data can only be read or processed after it has been decrypted, using a decryption key or password. Only the sender and the recipient of the data should have access to the decryption key.
As you deploy an encryption solution, you should be aware that encryption is vulnerable to attack from several directions:
- It is possible to use computer programs to break some encryption algorithms and gain access to encrypted content, although stronger encryptions require a massive amount of computing resources to break.
- Encrypted data in transit can be vulnerable. Authorized devices can be infected by malware that ‘sniffs’ data or ‘eavesdrops’ as data travels across networks.
- Encrypted data at rest can be compromised, either by malware on a storage device, or by unauthorized users who gain access to user passwords or keys.
Nevertheless, data encryption can deter hackers from accessing sensitive information, and is essential to most security strategies. Your security strategy should not, however, solely rely on encryption.
DES & Other Popular Encryption Algorithms
Data Encryption Standard (DES) is a now-outdated symmetric encryption algorithm—you use the same key to encrypt and decrypt a message. DES uses a 56-bit encryption key (8 parity bits are stripped off from the full 64-bit key) and encrypts data in blocks of 64 bits. These sizes are typically not large enough for today’s uses. Therefore, other encryption algorithms have succeeded DES:
- Triple DES—was once the standard symmetric algorithm. Triple DES employs three individual keys with 56 bits each. The total key length adds up to 168 bits, but according to most experts, its effective key strength is only 112 bits.
- RSA—a popular public-key (asymmetric) encryption algorithm. It uses a pair of keys: the public key, used to encrypt the message, and the private key, used to decrypt the message.
- Blowfish—a symmetric cipher that splits messages into blocks of 64 bits and encrypts them one at a time. Blowfish is a legacy algorithm, which is still effective, but has been succeeded by Twofish.
- Twofish—a symmetric cipher leveraging keys up to 256 bits in length. Twofish is used in many software and hardware environments. It is fast, freely available and unpatented.
- The Advanced Encryption Standard (AES)—this algorithm is the standard currently accepted by the U.S. Government and other organizations. It works well with 128-bit keys, and AES can also use keys of 192 and 256 bits. AES is considered resistant to all known practical attacks except brute force.
- Elliptic Curve Cryptography (ECC)—a family of public-key algorithms used, among other places, in the SSL/TLS protocol that encrypts communication between websites and their visitors. It provides equivalent security with much shorter key lengths: a 256-bit ECC key provides the same level of security as a 3,072-bit RSA key.
Data At Rest and Database Encryption
Data at rest is data that does not travel between networks or devices. It includes data on a laptop, hard drive, flash drive, or database. Data at rest is attractive to attackers as it often has meaningful file names and logical structures, which can point to personal information, credit cards, intellectual property, healthcare information, etc.
If your company does not properly dispose of its data assets, it can create security risks for itself and its customers. Always assume that attackers can access data at rest. Minimizing the amount of data at rest, keeping an inventory of all remaining data, and securing it, is key to preventing data breaches.
In most modern applications, data is input by users, processed by applications, and then stored in a database. At a lower level, the database consists of files managed by an operating system, stored on physical storage such as a hard drive or flash (solid-state) storage.
Encryption can be performed at four levels:
- Application level encryption—data is encrypted by the application that modifies or generates the data, before it is written to the database. This makes it possible to customize the encryption process for each user, based on user roles and permissions.
- Database encryption—the entire database, or parts of it, can be encrypted to secure the data. Encryption keys are stored and managed by the database system.
- File system level encryption—allows computer users to encrypt directories and individual files. File-level encryption uses software agents, which intercept read and write calls to disks and apply policies to decide whether the data needs to be decrypted or encrypted. Like full disk encryption, it can encrypt databases along with any other data stored in folders.
- Full disk encryption—automatically converts data on a hard drive into a form that cannot be deciphered without the key. Databases stored on the hard drive are encrypted along with any other data.
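Application-level encryption as described above, shown as an added Go example (not code from the original article or from Imperva): each sensitive column gets its own AES-256-GCM key, a value is sealed before the application writes it to the database and opened again on retrieval, and the column name is bound into the ciphertext as associated data so a stored value cannot be silently moved to another column. The key, column name, sample value and function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value before the application writes it to the database. The column name
// is authenticated as associated data, so a ciphertext copied into another column fails to open.
func EncryptField(key []byte, column string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(column)), nil // stored as nonce||ct||tag
}

// DecryptField opens a stored value on retrieval; tampering or a wrong column yields an error.
func DecryptField(key []byte, column string, stored []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(stored) < n+aead.Overhead() { // guard before slicing
		return nil, fmt.Errorf("stored value too short (%d bytes)", len(stored))
	}
	return aead.Open(nil, stored[:n], stored[n:], []byte(column))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; use a KMS/HSM in practice
	stored, _ := EncryptField(key, "ssn", []byte("123-45-6789")) // constructed sample value
	back, _ := DecryptField(key, "ssn", stored)
	fmt.Printf("stored %d bytes, recovered %q\n", len(stored), back)
}
```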
Encryption Techniques and Technologies
- Column level encryption—individual columns of data within a database are encrypted. A separate and unique encryption key for each column increases flexibility and security.
- Transparent data encryption—encrypts an entire database, effectively protecting data at rest. The encryption is transparent to the applications that use the database. Backups of the database are also encrypted, preventing data loss if backup media is stolen or breached.
- Field-level encryption—encrypting data in specific data fields. Creators can mark sensitive fields so that data entered by users in those fields is encrypted. These can include social security numbers, credit card numbers, and bank account numbers.
- Hashing—changing a string of characters into a shorter fixed-length key or value that represents the original string. Hashing is commonly used in password systems. When a user initially defines a password, it is stored as a hash. When the user logs back into the site, the hash of the password they enter is compared to the stored hash, to determine if it is correct.
- Symmetric key encryption—a single secret (private) key is applied to data, changing it so it cannot be read without being decrypted. Data is encrypted when saved, and decrypted when retrieved, provided the user or application supplies the key. Symmetric encryption is considered inferior to asymmetric encryption because there is a need to transfer the key from sender to recipient.
- Asymmetric encryption—incorporates two encryption keys: private and public. A public key can be retrieved by anyone and is unique to one user. A private key is a concealed key that is only known by one user. In most cases, the public key is the encryption key and the private key is the decryption key.
The Downside of Database Encryption
Database encryption can result in performance degradation, in particular when column-level encryption is used. Thus, organizations may be reluctant to use data encryption or apply it to all data at rest.
Many RDBMS systems provide built-in encryption and key-management facilities. Database encryption is thus easier to carry out if a data center uses databases from only one vendor. If you manage databases from multiple vendors, key management can become an issue, and lapses in key management can lead to security breaches.
An additional risk is accidental data loss. When data is encrypted using strong ciphers, and a key is lost, the data cannot be retrieved. Accidental loss or mismanagement of keys can have disastrous consequences.
How Imperva Helps Protect Your Data
Imperva’s data security solution adds several layers of protection to your data, complementing data encryption strategies.
Imperva protects data stores to ensure compliance and preserve the agility and cost benefits you get from your cloud investments:
Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
Database Security – Imperva delivers analytics, protection, and response across your data assets, on-premise and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.