There’s a familiar proverb, “everything old is new again,” which seems to be especially true as we look at data protection trends over the last few decades. As someone who’s been involved with cryptography for over 20 years, it’s always good to see a renewed interest in data encryption.
Many of the key drivers for data encryption over the last two decades have been compliance related. The creation and evolution of PCI data protection standards, GDPR, and widespread data breaches have all driven the use of encryption. For many enterprises, the use of encryption was treated as a compliance checkbox. If an organization could achieve compliance by encrypting entire storage volumes, then that was the path forward. Once column level encryption became a standard offering in major relational databases, that was another method to achieve compliance, and a bit more security. The data protection method that usually took the most effort, but provided the greatest protection, was application level encryption. This was the classic trade-off – ease of implementation vs. security.
Application level encryption was difficult, but provided the greatest level of security. The major advantage of application level encryption is that the protection is inherent in the data element itself. It doesn’t matter if an encrypted credit card number is in a flat file, relational database, data lake, or whether it is transmitted over a secure link — the protection travels with the data. This approach has become more appealing as organizations look at the data protection problem through a Zero Trust lens. Because the protection is now inherent in the data, access to the unencrypted data becomes more of a policy and identity problem. If I need to prove who I am, and why I need the data, in order to access it, this greatly reduces the risk to the data and provides a compliance/audit trail.
The downside of application encryption was that it required business application developers to have some understanding of cryptography, and more importantly, key management. It was simple enough to use cryptographic functions that were included in the major development toolkits/platforms, but the management of the associated keys was always “an exercise for the reader.” Keys were stored in files, database tables, or language/OS specific software keystores – without context.
We’ve seen several trends emerging which reduce the burden on the application developer and provide centralized key management. A number of large organizations we’ve worked with over the past few years have been developing cryptography as a service (“CaaS”) – utilizing a RESTful API to enable application developers to encrypt, decrypt, or tokenize data based on the data type. For example, rather than requiring a developer to understand which algorithm, mode, initialization vector and key length to use to encrypt a National ID number, they would call a RESTful API which simply required a data type – encrypt_svc("National ID number", id) – which would return a protected blob of data. The methods used to protect a National ID number would be centrally defined by the CaaS infrastructure, based on a data protection policy, with the keys centrally managed. This is true for both the tokenization of sensitive data and encryption.
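To make the CaaS pattern concrete, here is an added example (not code from the original post or from any particular product) of the server side of such a service in Go: a policy table maps a data type to an algorithm and a key ID, the key store is private to the service, and the caller only ever supplies a data type and a value. The policy names, key IDs, blob format (`v1:<data type>:<key id>:<base64 nonce||ciphertext>`) and sample values are all constructed for the example. The header is passed to AES-GCM as associated data, so the data type and key ID that travel with the blob are authenticated along with it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Policy is what the central service decides for a data type; the caller never
// chooses an algorithm, key length, IV or mode.
type Policy struct {
	KeyID     string // identifier of the key in the central key store
	Algorithm string // this example only implements AES-256-GCM
}

// Service stands in for the CaaS back end: policy table plus key store.
type Service struct {
	policies map[string]Policy
	keys     map[string][]byte // key store; keys never leave this struct
}

// NewService builds a service with constructed policies and fresh random keys.
func NewService() (*Service, error) {
	s := &Service{
		policies: map[string]Policy{ // hypothetical data protection policy
			"National ID number": {KeyID: "nid-key-v1", Algorithm: "AES-256-GCM"},
			"Credit card number": {KeyID: "pan-key-v3", Algorithm: "AES-256-GCM"},
		},
		keys: map[string][]byte{},
	}
	for _, p := range s.policies {
		k := make([]byte, 32) // AES-256
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		s.keys[p.KeyID] = k
	}
	return s, nil
}

func (s *Service) aead(keyID string) (cipher.AEAD, error) {
	key, ok := s.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the encrypt_svc(dataType, value) call from the post: the data type
// selects the policy, and the returned blob is self-describing. Data type names
// must not contain ':' because it delimits the blob header.
func (s *Service) Encrypt(dataType, plaintext string) (string, error) {
	p, ok := s.policies[dataType]
	if !ok || strings.Contains(dataType, ":") {
		return "", fmt.Errorf("no protection policy for data type %q", dataType)
	}
	aead, err := s.aead(p.KeyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	header := "v1:" + dataType + ":" + p.KeyID
	// The header is associated data: tampering with the data type or key id
	// in the blob makes authentication fail on decrypt.
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(header))
	return header + ":" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt recovers the value from a blob produced by Encrypt. The key id in the
// header, not the current policy, selects the key, so rotating a policy to a
// new key id leaves older blobs decryptable.
func (s *Service) Decrypt(blob string) (string, error) {
	parts := strings.SplitN(blob, ":", 4)
	if len(parts) != 4 || parts[0] != "v1" {
		return "", errors.New("malformed blob")
	}
	header := strings.Join(parts[:3], ":")
	raw, err := base64.StdEncoding.DecodeString(parts[3])
	if err != nil {
		return "", errors.New("malformed blob")
	}
	aead, err := s.aead(parts[2])
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("malformed blob")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(header))
	if err != nil {
		return "", errors.New("authentication failed: blob or header was modified")
	}
	return string(pt), nil
}

func main() {
	s, _ := NewService()
	blob, _ := s.Encrypt("National ID number", "123-45-6789") // constructed sample value
	fmt.Println(blob)
	pt, err := s.Decrypt(blob)
	fmt.Println(pt, err)
}
```

Because the blob carries its own key ID, the central service can introduce `nid-key-v2` for new encryptions while still decrypting existing data, which is the crypto agility benefit of central key management described later in the post; a production service would expose `Encrypt` and `Decrypt` behind an authenticated API rather than as in-process calls.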
For those applications that are not so easily modified, or that require a more standards-based interface, centralized key management can still be utilized. Many platforms and applications control their own cryptography, but do so utilizing keys managed outside of that platform. An example of this is Microsoft SQL Server. Database administrators can define columns to be encrypted, using keys that are protected by a centralized key management system.
Use of a centralized key management system also helps provide greater crypto agility, the ability to rapidly change the cryptographic methods used to protect data. This is particularly important as we prepare for the era of post-quantum cryptography.
As organizations look to improve the maturity of their data protection and cryptographic capabilities to keep pace with business requirements, our Cryptographic Centre of Excellence can be a great partner on this journey. We offer a variety of consulting services to help you plan and execute a more robust data protection strategy – including enterprise key management and cryptography as a service.