What role does encryption play in data security?
In part one of this series, we established the importance of encryption as part of your security strategy and discussed the different types of encryption, the challenges associated with each type of implementation, and provided recommendations to secure your data in transit. Now, let’s explore your options to protect data at rest.
Encryption Key Management
In the majority of cases, recoverable encryption at rest relies on symmetric encryption algorithms, with keys that need to be readily available to the system that performs the encryption and decryption. Any person with access to the full key can see the data it protects. Therefore, securing the encryption key is a critical part of data protection as a whole. Two controls, a key under dual control (the two-man rule) and a split encryption key (the key is divided into portions while in the clear), both address encryption key security by mitigating the risks of a single user performing key management. Both require a specific key ceremony to make the key available to the components that use it. With a key under dual control, each custodian provides his or her portion during system startup or runtime, or prior to the execution of a specific function. With split-key management, the individual portions of the key are entered into a key management system and stored in encrypted form under a key label. The business system that needs to encrypt or decrypt data provides the target data to the key management system and requests the operation by that key label.
Models for Encrypting Data at Rest
In a computing system today, we use the following main elements: storage, a compute element, an operating system (OS), and the applications that run on top of the OS. Virtualization adds an extra layer between the compute element and the OS, providing segmentation of the compute, storage, and network resources. Each of these components provides capabilities to encrypt data, and it is important to understand how such capabilities work in different use cases.
Figure 1: Virtualization Layer Between Compute and Operating System
- Encryption at the Storage Level
Data ultimately resides on the disk storage. Regardless of whether you implement a traditional or virtualized environment, the storage volumes are exposed to the OS either directly or through the virtualization layer. Encryption applied at the disk storage level is the simplest implementation (assuming your storage vendor offers this option) and provides protection against data disclosure if a hard drive is removed from the array—after a failure, for example. Storage-level encryption is transparent to every system element above it. Therefore, this method is suitable for enterprises protecting their data from external risks, but it does not provide protection from internal parties.
- Encryption at the Virtualization Layer
The virtualization layer offers another option to apply data encryption. With this method, data files are stored within the virtual machine (VM) containers, and the data is encrypted before it’s stored on the storage drives. You’re protected against unprivileged virtualization administrators as well as a storage drive failure. Additionally, you’re able to protect an individual or multiple virtual containers processing sensitive data. However, anyone with access to the OS and/or apps deployed on those virtual containers has access to stored sensitive data in the clear.
- Encryption at the OS Level
Encryption at the operating system level provides enhanced possibilities to protect the confidentiality of data; you can encrypt individual files or entire partitions/volumes. This method ensures that only privileged OS users/administrators—or anyone with access to the applications using those files—can see the data in the clear. Compared to the previous options, encryption at the OS level provides better protection, but it may not be sufficient—especially if the user population with access to the data in the clear is too large. Examples include encrypting database files, or BitLocker encryption, which is part of the Microsoft Windows OS.
- Encryption at the Application Level
Encryption at the application level provides the best protection, as it limits access to data in the clear to the fewest users possible, based on the specific application implementation. System-level users, such as hardware engineers, cannot access data in the clear at the OS or virtualization level, and therefore this method is best suited for security compliance requirements. Data ciphering is required during processing and before storage. Transparent data encryption takes place before the system stores the data in the database, with the encryption key loaded at application startup.
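The following added example ties together the split-key ceremony described under Encryption Key Management and the application-level model above. It is not OnRamp's code; the `KeyManager` class, the key label `pci-dek-01`, the custodian count, and the HMAC-SHA256 counter-mode keystream (a stand-in for AES, which the Python standard library does not ship) are all assumptions made for illustration. Custodians enter XOR portions of the key under a label, the business system requests encrypt/decrypt operations by label without ever holding the key, and the application ciphers a field before handing it to storage, so the storage, hypervisor and OS layers only ever see ciphertext.

```python
"""Added example (not the article's or OnRamp's code): split-key custody
feeding an application-level encryption layer. KeyManager, the label name and
the HMAC-based keystream are illustrative assumptions, not a real product API."""
import hashlib
import hmac
import secrets
from typing import Dict, List

KEY_LEN = 32  # 256-bit data-encryption key


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """XOR-split a key into portions. Every portion is needed to rebuild the key;
    any proper subset is indistinguishable from random bytes."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    portions = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for p in portions:
        last = bytes(a ^ b for a, b in zip(last, p))
    portions.append(last)
    return portions


def combine_key(portions: List[bytes]) -> bytes:
    """Reassemble the key from all portions (XOR of every portion)."""
    acc = bytes(len(portions[0]))
    for p in portions:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(enc_key, nonce || counter). Demo cipher only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class KeyManager:
    """Assumed key management system: custodians enter portions during a key
    ceremony; business systems request operations by label and never see the key."""

    def __init__(self) -> None:
        self._pending: Dict[str, List[bytes]] = {}
        self._required: Dict[str, int] = {}
        self._keys: Dict[str, bytes] = {}

    def open_ceremony(self, label: str, custodians: int) -> None:
        self._required[label] = custodians
        self._pending[label] = []

    def enter_portion(self, label: str, portion: bytes) -> bool:
        """Record one custodian's portion; True once the key is usable."""
        self._pending[label].append(portion)
        if len(self._pending[label]) == self._required[label]:
            self._keys[label] = combine_key(self._pending.pop(label))
            return True
        return False

    def _subkeys(self, label: str):
        key = self._keys.get(label)
        if key is None:
            raise PermissionError(f"key {label!r} unavailable: ceremony incomplete")
        # Separate keys for confidentiality and integrity, derived from the DEK.
        enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        return enc, mac

    def encrypt(self, label: str, plaintext: bytes) -> bytes:
        enc, mac = self._subkeys(label)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # encrypt-then-MAC

    def decrypt(self, label: str, blob: bytes) -> bytes:
        enc, mac = self._subkeys(label)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def store_record(kms: KeyManager, label: str, storage: Dict[str, bytes], rid: str, ssn: str) -> None:
    """Application-level encryption: the field is ciphered before it reaches storage."""
    storage[rid] = kms.encrypt(label, ssn.encode())


def read_record(kms: KeyManager, label: str, storage: Dict[str, bytes], rid: str) -> str:
    return kms.decrypt(label, storage[rid]).decode()


def demo() -> dict:
    """Run the ceremony with two custodians, then store and read a constructed record."""
    kms = KeyManager()
    label = "pci-dek-01"  # assumed key label
    kms.open_ceremony(label, custodians=2)
    portions = split_key(secrets.token_bytes(KEY_LEN), 2)
    kms.enter_portion(label, portions[0])  # custodian A
    kms.enter_portion(label, portions[1])  # custodian B
    storage: Dict[str, bytes] = {}  # stands in for the database/disk layer
    store_record(kms, label, storage, "cust-1", "123-45-6789")  # constructed sample
    return {
        "storage_sees_plaintext": b"123-45-6789" in storage["cust-1"],
        "round_trip": read_record(kms, label, storage, "cust-1") == "123-45-6789",
    }
```

The portions are generated once and handed to the custodians out of band; the key management system discards them after assembly, holding only the reassembled key under its label. Because the application only ever passes data and a label, a dump of `storage` (or of the disk under it) yields ciphertext plus an integrity tag, which is the property the application-level model above relies on.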
The diagrams below demonstrate the various types of encryption:
Figure 2: Encryption from Storage Level to Application Level
Figure 3: Encryption at Hypervisor
Figure 4: Encryption at the Individual Virtual Machine Level
How to Secure Data at Rest – Final Recommendation
When considering which option to implement, take into account the sensitivity of the data based on its classification, the compliance requirements derived from specific security frameworks, and ultimately the risks associated with the information system processing and storing the data. Different use cases drive different solutions, so apply risk analysis, business justification, risk mitigation and common sense when choosing the appropriate level of encryption.
If you have any questions about how to protect your sensitive data, the OnRamp team is available to discuss your options. As mentioned before, data encryption is an important part of data security, but it is only one piece of the puzzle.