Cryptography was originally developed to secure communications, i.e., data in transit (alternatively, data in motion). A central objective of any cryptographic system was – and still is – to ensure that messages exchanged between senders and receivers are safe from unwanted interception. However, the use cases and requirements for encryption have greatly expanded over the last few decades, in large part because of the growth of IP networking in general, and of sectors such as e-commerce in particular.
For everyone from retailers to health care organizations, it is often no longer sufficient to simply protect data in transit. Data at rest must also be secured to meet the requirements of rules such as the Payment Card Industry Data Security Standard, or to simplify compliance with country-specific legislation like the Health Insurance Portability and Accountability Act in the U.S. Plus, organizations must do so even as the variety and volume of data exchange continues to increase sharply.
Encrypting data in motion and at rest are two distinct tasks, each with its own set of best practices and tools, although there is some overlap. Solutions such as public key infrastructure (PKI) and trusted identity ecosystems are crucial when it comes to data security, and ultimately ensuring that your information is as secure as possible no matter where it is.
Data in Transit: Encrypting Assets as They Traverse Networks
Securing data in transit is essentially securing data as it passes over a network. The challenge here is that the IP suite is full of protocols – HTTP, FTP and Telnet, to name a few of the most commonly used ones – that transmit data in plaintext, which means that anyone positioned on the path (or on a shared network segment) can monitor or intercept messages and read their contents, including credentials sent during login. This in turn can lead to unauthorized access to sensitive resources, as well as costly data breaches.
Encryption is a vital mechanism for closing these gaps. For starters, the protocols mentioned above all have encrypted equivalents, namely HTTPS, FTPS (or SFTP, which runs over SSH) and SSH, respectively. The growth of HTTPS traffic has been especially pronounced in recent years: Google alone reported that 77 percent of requests sent to its servers worldwide were encrypted as of February 2016, up from 52 percent at the end of 2013.
Both symmetric and asymmetric encryption may be used to protect data in transit. Symmetric encryption has the advantage of being fast and undemanding in terms of the computational resources it requires. Asymmetric encryption is far more expensive, since it relies on operations such as modular exponentiation or elliptic-curve scalar multiplication, so it is impractical for encrypting large volumes of data directly. Widely used mechanisms such as SSL/TLS therefore combine the two: asymmetric cryptography for the key exchange (and for authenticating the server's certificate), and a symmetric cipher, negotiated during that exchange, for the bulk data. Note that SSL and the early TLS versions are deprecated; current deployments should use TLS 1.2 or 1.3.
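The hybrid pattern just described, as an added example that is not code from the original article or from Entrust Datacard: each side generates an ephemeral X25519 key pair, only the public halves cross the wire, both sides derive the same AES-256 key from the shared secret, and the message itself travels as AES-GCM ciphertext. The key-derivation step is a deliberate simplification (an assumption of this example, not how TLS works): TLS runs the shared secret through HKDF with labels bound to the handshake transcript, whereas this code hashes the secret with a fixed label. The function names, the `example-transit-v1` label and the sample message are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM is the symmetric "bulk data" step: a fresh random 12-byte nonce is
// prepended, and aad (e.g. a channel or record label) is authenticated but not
// encrypted, so a ciphertext cannot be replayed into a different context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or aad fails
// authentication instead of returning garbage plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// sessionKey is the asymmetric "key exchange" step: an X25519 Diffie-Hellman
// shared secret reduced to a 32-byte AES key. Simplification (an assumption of
// this example, not TLS itself): TLS feeds the secret through HKDF with labels
// bound to the handshake transcript; SHA-256 over a fixed label stands in here.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append([]byte("example-transit-v1|"), shared...))
	return sum[:], nil
}

// transitExchange models one session: client and server each generate an
// ephemeral key pair, exchange only the public halves, derive the same AES key,
// and the client's message crosses the wire as AES-GCM ciphertext. It returns
// what the server recovered.
func transitExchange(msg []byte) ([]byte, error) {
	curve := ecdh.X25519()
	client, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	server, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	clientKey, err := sessionKey(client, server.PublicKey())
	if err != nil {
		return nil, err
	}
	serverKey, err := sessionKey(server, client.PublicKey())
	if err != nil {
		return nil, err
	}
	label := []byte("client->server")
	wire, err := sealGCM(clientKey, msg, label) // only wire and the public keys are observable
	if err != nil {
		return nil, err
	}
	return openGCM(serverKey, wire, label)
}

func main() {
	got, err := transitExchange([]byte("order 1234 total 19.99")) // constructed sample message
	fmt.Printf("server decrypted %q (err=%v)\n", got, err)
}
```

An observer of this exchange sees two public keys and one ciphertext; without a private key it cannot compute the shared secret, and any bit it flips in the ciphertext makes `openGCM` fail rather than hand the server altered data. What the example does not provide is authentication of the peer, which is exactly why TLS adds certificates on top of the key exchange.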
Beyond SSL/TLS, other forms of encryption are utilized to further protect in-transit data such as email. S/MIME and OpenPGP are just two examples; the exact combination of standards will correspond to the interoperability requirements and specific email services in play. End-to-end email encryption through a PKI-based solution, with digital signatures and authentication, is also an appealing option for organizations with stringent rules for email integrity. How data in transit is protected will depend on the type of communication – internal, business-to-business, etc. – and the specifics of the data being exchanged (e.g., is it privileged?).
Data at Rest: Protecting Payment Card Data and Other Stored Assets
Probably the most relatable example of data at rest is information sitting on a hard disk drive somewhere. Encryption for this data provides an extra form of protection in the event that the physical device housing it is lost or stolen.
Going after data at rest has often been the path of least resistance for attackers, since much of it has traditionally been unencrypted and of high value. Common at-rest items include payment card numbers from e-commerce transactions, along with other financial information sitting in company databases.
Encrypting data at rest presents several significant challenges:
- At-rest data such as a credit card database may be queried literally millions of times a day. Encrypting and decrypting on every read and write adds latency, and encrypted columns cannot be indexed or searched directly, so queries that filter on a protected field need to be redesigned.
- Deploying and managing the keys (and, for enterprise products, the PKI) needed to protect files, folders and entire disks containing data at rest is often perceived as a costly and complex undertaking.
- Rules such as PCI DSS stipulate what types of data may and may not be stored, and what protections should be extended to them. Storing cardholder data brings the system into PCI DSS scope, and sensitive authentication data (the full track data, card verification code or PIN) may not be stored after authorization at all, even in encrypted form.
Full-disk encryption built into operating systems and encryption options in public cloud storage services have emerged in recent years as encryption of data at rest has become a bigger concern for organizations. Still, many firms forgo this necessary measure. Keep in mind what full-disk encryption does and does not do: it protects against loss or theft of the physical device, but once the system is booted and unlocked, anyone with access to the running system, including an attacker who has compromised it, reads the data in the clear. The ideal way forward is to pursue a security strategy that layers proven tenets such as encryption, authentication, digital signatures and trusted identities.
“[S]trong user authentication, authorization and full disk encryption [can] automatically protect the entire contents of a hard disk from unauthorized access without impacting user productivity,” explained the authors of the Entrust Datacard white paper “Protecting Your Most Important Asset: Information, How Data Security Mitigates Risk and Enables Compliance.”
In transit or at rest, data must be shielded from prying eyes and accessible only to its intended recipients and properly authorized individuals. By securing digital identities and information with proven security solutions, your organization can ensure it complies with applicable rules and regulations and avoids the damage of a data breach.