Psst… Don’t Look Now, but Your Sensitive Data is Showing.
I always find it interesting when our perceptions of how things work do not match up with reality. We were in a meeting not long ago with a large customer, discussing their encryption deployment, and a simple exchange highlighted a common misunderstanding of data protection:
Us: “You may want to consider application level data protection so that your data is not in the clear when it leaves the database.”
Customer (CEO): “What do you mean our encrypted data is in the clear?”
Us: “Transparent database encryption doesn’t really address protecting your data when it’s being used. It decrypts the sensitive data and passes it to your applications in the clear.”
Customer (CEO to the CIO): “Is this true?!”
Customer (CIO to the CEO): “Yeah. That’s how database encryption works…”
We live in a digital era where more electronic data is generated each year by more applications than at any point in human history. Data is not only more plentiful than ever before; it’s also more valuable than ever. While it may seem obvious that things of value must be protected, it has taken some time for the global business world to come to the place where we believe universally (almost) that sensitive data should be protected. Whether to comply with regulations, give customers peace of mind or simply to avoid the financial, reputational, and distractive repercussions of losing sensitive data through some form of breach, the WHY of data protection appears to have become more collectively understood. But what about the HOW?
Data protection has come a long way from the days when we decided to lock the filing cabinets before we left the office. As sensitive information became digitized, various encryption techniques started to emerge to protect data. Discs, tape drives and other storage devices were encrypted. Transparent encryption was applied to databases. We even began dropping agents in at the operating system level to encrypt information as it was being stored in file structures. Wherever sensitive data was stored, encryption was applied. Great! So, we are safe now, right?!? Well, it’s not quite that simple.
Now, I am not suggesting that protecting sensitive data when it is stored is a bad thing – it’s a good thing, a smart thing. But securing data only when it is at rest hardly accounts for the whole story. The whole point of having data – the very reason it has and retains value – lies in our ability to use and then reuse the data. And when we are actively using data, we are almost universally doing so in one or more applications. One could reasonably say that applications are the beginning and end of data’s value – we capture, analyze, generate, process, transmit, transform, and otherwise use the data, all within various applications.
However, the vast majority of data encryption solutions, which focus on protecting data at rest, offer little or no protection for data in use at the application layer. For example, with transparent database encryption (TDE), when an application with the right credentials asks for encrypted data, the data is decrypted and passed to the application in the clear, unprotected. After the data is used, of course, it could be returned to the database to be re-secured and stored, however, in today’s open and collaborative environments, it’s not uncommon for applications to hand data off to secondary or even tertiary applications for some business use before it is returned to storage. All the while, the data remains unsecured. This becomes particularly alarming when we consider that the vast majority of breaches occur at the application layer, where data is more exposed and susceptible to breach. So how can we protect data better?
The highest level of data protection, and by most security standards, the best place to secure data, is at the application layer. Protecting data within its originating application means that data is secured BEFORE it is stored in a database, file or back-up disk and BEFORE its moved or used by other applications. For example, encrypting data before it gets to the database means that the data is already encrypted on the way to the database, while at rest in the database, and on the way back to any application that requests it. Once back in an application, data can be unsecured on an application-by-application (or even user-by-user) basis to assure that the secure data is only exposed to the level required for a purpose which has been authorized in advance for the application, as opposed to a database encryption that treats every authorized application as having the same fundamental need – fully decrypted data in the clear. Immediately after the purpose for using the data is accomplished, the data can be re-secured by the application before it is moved back to a storage location or handed off to another application.
Because of the ability to both secure and unsecure data before it is moved, used, or stored, as well as the ability to limit the exposure of data on a use-case basis, application level data protection is a far superior method for securing sensitive information and enforcing data privacy than data-at-rest solutions. So why isn’t everyone doing it? The answer is that the traditional approach to application level data protection is complex.
Managing cryptographic keys, encryption algorithms, tokenization schemes, defining users, applying data masks based upon user roles, and delivering security audit reports and alerts within an application is no trivial task. Doing so across several or even hundreds of applications running across any number of servers is even harder. Doing both of these while also managing changes to the security posture over time…? Let’s just say, application level data protection has had a reputation for getting messy – quickly.
But what if it didn’t have to be so messy? What if it could be made simple – if data protection could be completely abstracted from enterprise applications, while still applying the protection directly to data in applications? What if protecting valuable sensitive data where it was most exposed and susceptible was…easy. This has long been one of the great unanswered challenges of the digital revolution. Until now.
Learn how EncryptRIGHT® simplifies application level data protection – delivering application native data security in as little as 3 lines of code.