Data encryption has become a hot topic for many people this year with Article 83 of the General Data Protection Regulation (GDPR) listing it as an example security control to mitigate risks. While the U.K. Information Commissioner’s Office (ICO) provides some useful guidance on how to use encryption, I have had many discussions over the past year about what is the right approach to implementing data-at-rest encryption (DaRE) solutions. There is no magic answer, but there are some fundamental aspects to consider — starting with an understanding of common encryption threats.

Identify the Threats Facing Your Organization

Clients often ask for DaRE, but are unclear why they need it (other than a policy that says they need to implement encryption). There are many threats related to encryption, but I suggest starting with four generic threats in the context of your system/application.

1. Loss of Physical Storage Media

There is a risk of losing storage media, such as disks or tapes. In a cloud environment, storage media is not something under your direct control. To protect from a loss of storage media, encryption can be provided in the underlying storage or media subsystem. This provides a mechanism, transparent to the application, that is fast and has low latency — but does not manage every threat.

2. Disclosure or Modification of Stored Data

Some threat actors, such as an external attacker or internal privileged administrator, can gain access to personal or highly confidential data while systems are running. Encryption at the storage level won’t provide adequate protection in this case, since a privileged or even standard user has access to the unencrypted data. It also will not provide protection from a threat actor attempting to gain privileged access or extracting data using a classic attack such as SQL injection.

Therefore, highly confidential and personal data often needs to be encrypted at the level of structured or unstructured data objects to prevent a privileged user from accessing it. With the General Data Protection Regulation (GDPR) in effect, this is especially crucial.

3. Destruction of Stored Data

Even if stored data cannot be accessed, it can be destroyed by deleting the encryption keys — a cryptographic erasure — or by destroying the actual encrypted data. Systems are normally designed with redundancies, such as a backup of the data and a separate backup of the encryption keys. If segregation of duties is not maintained, it may be possible for a malicious employee to destroy the primary data, backups and encryption keys all at once.

4. Disclosure of Data in Transit

Data needs to be transported between applications, and it is possible to tap into a network to enable confidential data to be read. With cloud storage, the network and server infrastructure is not under your control and there is a risk of data interception.

While many applications use Transport Layer Security (TLS) to encrypt traffic, there are many other communications that cannot use TLS. In a virtual world, physical systems are clustered together with virtualized storage where the underlying transport mechanism may obscure the data but not support encryption.

Balance Risk With Performance, Resilience, Compatibility and Operations

Like all security mechanisms, data encryption has a set of impacts that need to be considered. The primary driver is normally the cost of the encryption, but assuming an unlimited budget, there are potentially some more fundamental impacts on the operation of applications and infrastructure.

One such impact is on performance. Encryption is a highly compute-intensive mechanism that is normally assisted by hardware. With self-encrypting drives, it often cannot be disabled and has zero performance impact. When encryption is applied at a more granular level, the impact is much greater. Encrypting files has a much greater performance impact than encrypting a logical disk, which has a greater impact than encryption within physical storage. Increasing latency with reduced speed of encryption may have a detrimental impact on an application that makes your business uncompetitive.

The next impact to consider is on resilience. Encryption adds complexity and, depending on how it is implemented, may introduce additional dependencies that increase the complexity of change processes and the risk of infrastructure failure. Think about possible failure scenarios and the dependencies, then test component failure and recovery. Finer-grain encryption may provide improved protection, but it reduces the resilience of an application. For example, even if all keys are lost in a key management system, a storage subsystem may still be recovered with offline recovery keys, whereas data in volume-based encryption may be irretrievably lost without additional controls.

Data encryption also impacts compatibility. An encryption app may have a dependency on a specific application feature that cannot be changed, for example, or it may not support specific file systems or database types. This introduces a constraint that prevents encryption from being used, and may require accepting a risk. The finer the encryption — that is, the higher in the application stack — the more constraints will be revealed.

Lastly, consider the impact on operations. While encryption protects your data, it also makes it difficult to access data when you do need it. If a backup service creates a backup of an encrypted server, how can you restore an individual file without shutting down the production service? Sure, there may be workarounds, but does it still impact service levels?

Encryption solutions are still maturing as they move from being add-on packages to being embedded within applications. Constraints will no doubt reduce over time, but it’s good to be aware of them while deploying encryption.

Tailor Data Encryption to Fit Your Needs

There is no single answer to the question of how to properly use data encryption. It comes down to the risk appetite of a business balancing the security risk against performance, resilience, compatibility and operations.

One possible combination is storage-level encryption for performance together with structured data encryption on a limited number of high-risk applications. Depending on their application and data types, organizations will likely need to apply different architectural patterns and accept some residual risk.

To learn more, download the white paper, “Guard Your Organization’s Data With Intelligent IBM Encryption.”

Read the white paper

More from Data Protection

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

Cost of data breaches: The business case for security AI and automation

3 min read - As Yogi Berra said, “It’s déjà vu all over again.” If the idea of the global average costs of data breaches rising year over year feels like more of the same, that's because it is. Data protection solutions get better, but so do threat actors. The other broken record is the underuse or misuse of technologies that can help safeguard data, such as artificial intelligence and automation.IBM’s 2024 Cost of a Data Breach (CODB) Report studied 604 organizations across 17…

Cost of a data breach: The industrial sector

2 min read - Industrial organizations recently received a report card on their performance regarding data breach costs. And there’s plenty of room for improvement.According to the 2024 IBM Cost of a Data Breach (CODB) report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.These figures place the industrial sector in third place for breach costs among the 17 industries studied. On average, data breaches cost industrial…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today