What Is Data Encryption?

Databases represent an aggregation of mission-critical business data in one central location (whether that is on-premises or in the cloud) — which makes databases a prime target for cyber criminals.

Many database encryption solutions discount insider threats and sophisticated attacks where privileged users are impersonated. For environments that require higher levels of security, hardware security modules (HSMs) deliver Federal Information Processing Standards (FIPS)-certified protection for your database keys — safeguarding keys in a hardened solution.

Many regulations require or suggest data-at-rest encryption and/or data-in-transit encryption to remain in compliance. For instance, the General Data Protection Regulation (GDPR) does not explicitly require data encryption, but encrypting data is the best way to demonstrate to governing bodies that stored data is secured.

Conversely, the Health Insurance Portability and Accountability Act (HIPAA) calls for the encryption of protected health information (PHI) when the PHI is at rest. Learn more about preventing data breaches in healthcare settings.

Even when encryption is not mandated, it is a security best practice to encrypt all data that includes personally identifiable information (PII) or confidential business intellectual property.

There are two primary types of data encryption: symmetric encryption and asymmetric encryption. Symmetric encryption secures data with a single cryptographic key. This makes encryption faster (because the key is shorter) but also less secure. Asymmetric encryption requires a public key and a private key to work in tandem to decrypt the data. This scheme makes asymmetric encryption more secure. Learn more about the differences between symmetric and asymmetric encryption.

End-to-end encrypted data is a system of communication where only the sender and intended recipient can encrypt or decrypt a message. Both data-at-rest encryption and data-in-transit encryption take place. This prevents third parties from being able to eavesdrop or alter the data being sent.

Simply put, data masking disguises information and data encryption encodes information. Data masking disguises sensitive information such as Social Security numbers, credit card numbers, and other personally identifiable information (PII), allowing the information to be accessible by the organization, but not by hackers. While the two methods share some similarities, data encryption is very different than data masking. Data encryption uses an encryption algorithm to hide the data and requires a decryption key to reveal the information.

Data encryption standards have changed to keep ahead of hackers and bad actors. Modern encryption algorithms have superior integrity, authentication, and non-repudiation features compared to the outdated Data Encryption Standard.

The Data Encryption Standard was developed in the 1970s. Its short key length (56 bits) makes the Data Encryption Standard insufficient for securing applications, but it has had a significant impact on the development of encryption standards. Today, encryption algorithms have advanced to thwart new methods of attacks, including side channel attacks and cryptoanalysis.

• Encrypt all types of sensitive data, not necessarily just data that is most likely to be found. 
• Assess encryption performance to ensure that it is securing your data without consuming too much CPU time and memory. 
• Develop strategies for data at rest and data in motion. 
• Consider industry regulations and requirements. 
• Assess organizational needs for symmetric or asymmetric encryption. 

Poor implementation of encryption solutions in the past has resulted in a poor perception of data encryption. However, if deployed correctly, data encryption can be an enabler in achieving the flexibility, compliance, and data privacy that is required in today’s business environments. These are the top myths about data encryption:

• Encryption degrades system performance
• The terminology is too hard to understand
• Managing all the encryption keys is a nightmare
• Encryption keys are easy to lose
• It is hard to deploy
• It secures only the application
• Rotating encryption keys means application downtime
• Enterprise-grade encryption is expensive
• Encryption in the cloud isn’t secure
• Solutions don’t work across all platforms

The world is increasingly built around virtualization and the cloud. The cloud offers significant advantages in terms of cost and flexibility. Yet some IT managers are still hesitant to store sensitive data in the cloud – preferring to maintain their own data center that they control. Data encryption makes it possible to leverage the cloud and Infrastructure as a Service while maintaining the privacy of data. These are the top benefits for data encryption in the cloud:

• It helps organizations move to the cloud
• The organization owns the keys and can easily decommission/deprovision
• It helps achieve secure multi-tenancy in the cloud
• Separating data from key services can prevent service providers from accessing or accidentally exposing data
• It helps meet regulations
• It gives an organization safe harbor from breach notification
• It can give service providers a competitive edge
• It instills confidence that data is safe in a multi-cloud world
• It allows organizations to secure their remote office

Big data is the term for collecting and analyzing massive amounts of information from various sources to detect trends and associations that can be applied for business forecasting. Since big data comes from heterogeneous sources, it poses a multitude of data security threats compared to smaller data sets. Secure big data encryption needs a FIPS 140-2 Level 3 certified boundary to protect big data encryption keys and offloading of cryptographic processing to deliver low latency, hardware-accelerated encryption.