What is Data Encryption
Data encryption is a method of converting data from a readable format (plaintext) into an unreadable, encoded format (ciphertext). Encrypted data can only be read or processed after it has been decrypted, using a decryption key or password. Only the sender and the recipient of the data should have access to the decryption key.
As you deploy an encryption solution, you should be aware that encryption is vulnerable to attack from several directions:
- It is possible to use computer programs to break some encryption algorithms and gain access to encrypted content, although stronger encryptions require a massive amount of computing resources to break.
- Encrypted data in transit can be vulnerable. Authorized devices can be infected by malware that ‘sniffs’ data or ‘eavesdrops’ as data travels across networks.
- Encrypted data at rest can be compromised, either by malware on a storage device, or by unauthorized users who gain access to user passwords or keys.
Nevertheless, data encryption can deter hackers from accessing sensitive information, and is essential to most security strategies. Your security strategy should not, however, solely rely on encryption.
DES & Other Popular Encryption Algorithms
Data Encryption Standard (DES) is a now-outdated symmetric encryption algorithm—you use the same key to encrypt and decrypt a message. DES uses a 56-bit encryption key (8 parity bits are stripped off from the full 64-bit key) and encrypts data in blocks of 64 bits. These sizes are typically not large enough for today’s uses. Therefore, other encryption algorithms have succeeded DES:
- Triple DES—was once the standard symmetric algorithm. Triple DES employs three individual keys with 56 bits each. The total key length adds up to 168 bits, but according to most experts, its effective key strength is only 112 bits.
- RSA—a popular public-key (asymmetric) encryption algorithm. It uses a pair of keys: the public key, used to encrypt the message, and the private key, used to decrypt the message.
- Blowfish—a symmetric cipher that splits messages into blocks of 64 bits and encrypts them one at a time. Blowfish is a legacy algorithm, which is still effective, but has been succeeded by Twofish.
- Twofish—a symmetric cipher leveraging keys up to 256 bits in length. Twofish is used in many software and hardware environments. It is fast, freely available and unpatented.
- The Advanced Encryption Standard (AES)—this algorithm is the standard currently accepted by the U.S. Government and other organizations. It works well in 128-bit form, however, AES can use keys of 192 and 256 bits. AES is considered resistant to all attacks, except brute force.
- Elliptic Curve Cryptography (ECC)—the algorithm used as part of the SSL/TLS protocol which encrypts communication between websites and their visitors. It provides better security with shorter key lengths; a 256 bit ECC key provides the same level of security as a 3,072 bit RSA key.
Data At Rest and Database Encryption
Data at rest is data that does not travel between networks or devices. It includes data on a laptop, hard drive, flash drive, or database. Data at rest is attractive to attackers as it often has meaningful file names and logical structures, which can point to personal information, credit cards, intellectual property, healthcare information, etc.
If your company does not properly dispose of its data assets, it can create security risks for itself and its customers. Always assume that attackers can access data at rest. Minimizing the amount of data at rest, keeping an inventory of all remaining data, and securing it, is key to preventing data breaches.
In most modern applications, data is input by users, processed by applications, and then stored to a database. At a lower level, the database consists of files managed by an operating system, stored on physical storage such as a flash hard drive.
Encryption can be performed at four levels:
- Application level encryption—data is encrypted by the application that modifies or generates the data, before it is written to the database. This makes it possible to customize the encryption process for each user, based on user roles and permissions.
- Database encryption—the entire database, or parts of it, can be encrypted to secure the data. Encryption keys are stored and managed by the database system.
- File system level encryption—allows computer users to encrypt directories and individual files. File-level encryption uses software agents, which interrupt read and write calls to disks and use policies to see if the data needs to be decrypted or encrypted. Like full disk encryption, it can encrypt databases along with any other data stored in folders.
- Full disk encryption—automatically converts data on a hard drive into a form that cannot be deciphered without the key. Databases stored on the hard drive are encrypted along with any other data.
Encryption Techniques and Technologies
- Column level encryption—individual columns of data within a database are encrypted. A separate and unique encryption key for each column increases flexibility and security.
- Transparent data encryption—encrypts an entire database, effectively protecting data at rest. The encryption is transparent to the applications that use the database. Backups of the database are also encrypted, preventing data loss if backup media is stolen or breached.
- Field-level encryption—encrypting data in specific data fields. Creators can mark sensitive fields so that data entered by users in those fields are encrypted. These can include social security numbers, credit card numbers, and bank account numbers.
- Hashing—changing a string of characters into a shorter fixed-length key or value that resembles the original string. Hashing is commonly used in passwords systems. When a user initially defines a password, it is stored as a hash. When the user logs back into the site, the password they use is compared to the unique hash, to determine if it correct.
- Symmetric key encryption—a private key is applied to data, changing it so it is cannot be read without being decrypted. Data is encrypted when saved, and decrypted when retrieved, provided the user or application supplies the key. Symmetric encryption is considered inferior to asymmetric encryption because there is a need to transfer the key from sender to recipient.
- Asymmetric encryption—incorporates two encryption keys: private and public. A public key can be retrieved by anyone and is unique to one user. A private key is a concealed key that is only known by one user. In most cases, the public key is the encryption key and the private key is the decryption key.
The Downside of Database Encryption
Database encryption can result in performance degradation, in particular when column-level encryption is used. Thus, organizations may be reluctant to use data encryption or apply it to all data at rest.
Many RDBMS systems provide built-in encryption and key-management facilities. Database encryption is thus easier to carry out if a data center uses databases from only one vendor. If you manage databases from multiple vendors, key management can become an issue, and lapses in key management can lead to security breaches.
An additional risk is accidental data loss. When data is encrypted using strong ciphers, and a key is lost, the data cannot be retrieved. Accidental loss or mismanagement of keys can have disastrous consequences.
How Imperva Helps Protect Your Data
Imperva data security solution adds several layers of protection to your data, including strong encryption. Imperva protects your data wherever it lives—on premises, in the cloud, and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.
Our comprehensive approach relies on multiple layers of data protection, including:
- Database firewall—blocks SQL injection and other threats, while evaluating for known vulnerabilities.
- User rights management—monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
- Data masking and encryption—obfuscate sensitive data so it would be useless to the bad actor, even if somehow extracted.
- Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
- User behavior analytics—establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
- Data discovery and classification—reveals the location, volume, and context of data on-premises and in the cloud.
- Database activity monitoring—monitors relational databases, data warehouses, big data and mainframes to generate real-time alerts on policy violations.
- Alert prioritization—Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.