Every year, more organizations adopt encryption to protect their sensitive data. According to the 2021 Ponemon Institute Global Encryption Trends Study, the share of companies reporting an overall encryption strategy that is applied consistently across the enterprise has reached 50 percent. This is a milestone, to be sure, but certainly not a finish line. With regulations like GDPR and the California Consumer Privacy Act (CCPA) providing incentives for companies to encrypt customer data, that percentage should be much higher. In fact, the same study found that only 42 percent of those surveyed were using encryption on their customer data, leaving much of it still at risk.
Organizations that still need to add encryption have many options to choose from, ranging from solutions that protect single hard drives to those that facilitate company-wide protection. One of the most important distinctions to consider is between transparent encryption and persistent encryption.
When is Your Data in the Clear?
Encryption can be implemented many different ways, some of which leave data vulnerable as it moves from user to user and device to device. Organizations should understand when their encryption software leaves data in the clear (meaning the data is not encrypted) in order to understand their exposure to internal and external cyber threats.
- Network encryption provides protection for data as it travels across a network. Data is encrypted while in motion from its origin to its destination, but remains in the clear on either side of the transmission, unless another form of encryption is used.
- Transparent encryption provides protection for data at rest. When transparent encryption is applied, the protection is removed whenever data is accessed, for example when an authorized user copies a file from a file server. This makes the encryption process “transparent” to end users, but it also means data exists in the clear any time it is moved or copied out of the protected location. The two most common forms of transparent encryption are full disk encryption and file system encryption.
- Full disk encryption protects data at rest by encrypting all data on a hard drive or other storage device. However, this type of encryption only protects against physical theft of the storage device, because once the device is powered on and unlocked by an authorized user, everything on the drive is decrypted for whatever reads it.
- File system encryption protects data at rest in specific locations, usually file or application servers. This method of encryption provides protection against access by outsiders and by unauthorized insiders, because only authorized users or applications can decrypt and access data in the protected locations.
- Persistent encryption is encryption that travels with data as it is shared, copied, and moved from one system or user to another. Depending on whether the encryption is applied to structured data (fields in a database) or unstructured data (files on servers, laptops, desktops, and mobile devices), persistent data encryption can be categorized as either field-level encryption or persistent file encryption.
- Field-level encryption is applied to specific columns or tables within a database. If encrypted data is exported for use in another location, the encryption travels with it, protecting it from inappropriate use. To preserve referential integrity, the length and/or format of protected data can be preserved during encryption.
- Persistent file encryption is applied to files on servers, user devices, and other locations, as well as email messages and other forms of unstructured data. Encryption can be applied on a file-by-file basis, or applied to all files within a protected folder. Persistent file encryption remains with files no matter how many times they are copied, shared, or moved, ensuring that only authorized users can access them.
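To make the transparent-versus-persistent distinction concrete, here is an added example (not code from the original article or from any product it mentions). It models two hypothetical file servers with a toy HMAC-SHA256 cipher built from the standard library, then shows what a copy taken from each one actually contains: plaintext from the transparent server, a sealed blob that only the key holder can open from the persistent one.

```python
import hashlib, hmac, os

# Toy authenticated cipher from HMAC-SHA256 (stdlib only, for illustration; real products
# use AES-GCM or similar): keystream XOR for confidentiality, MAC over nonce||ciphertext.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key + b"enc", nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TransparentFileServer:
    """File-system encryption: ciphertext on disk, but the server holds the key and
    decrypts for every authorized read, so anything copied out leaves in the clear."""
    def __init__(self, authorized):
        self._key, self._disk, self._authorized = os.urandom(32), {}, set(authorized)
    def write(self, user, name, data):
        self._check(user); self._disk[name] = seal(self._key, data)
    def copy_out(self, user, name):          # what lands on a laptop or USB stick
        self._check(user); return unseal(self._key, self._disk[name])
    def _check(self, user):
        if user not in self._authorized: raise PermissionError(user)

class PersistentFileServer:
    """Persistent file encryption: the stored object *is* the sealed blob and the key
    is held by the authorized user, so a copy stays protected wherever it goes."""
    def __init__(self): self._disk = {}
    def write(self, name, data, user_key): self._disk[name] = seal(user_key, data)
    def copy_out(self, name): return self._disk[name]   # ciphertext leaves, key does not
    @staticmethod
    def open_copy(blob, user_key): return unseal(user_key, blob)

def demo():
    """Returns (plaintext, copy from transparent store, copy from persistent store, user key)."""
    record = b"customer PII: jane@example.test"   # constructed sample record
    fs = TransparentFileServer(authorized={"alice"}); fs.write("alice", "cust.csv", record)
    alice_key = os.urandom(32)
    ps = PersistentFileServer(); ps.write("cust.csv", record, alice_key)
    return record, fs.copy_out("alice", "cust.csv"), ps.copy_out("cust.csv"), alice_key

def opens_with(blob, key):
    try: return PersistentFileServer.open_copy(blob, key)
    except PermissionError: return None
```

Running `demo()` shows the copy from the transparent server equal to the original record, while the copy from the persistent server opens only with the user's key and is rejected with any other key or after tampering.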
Encryption and Compliance
While many data protection regulations—including GDPR, the CCPA, and New York’s cybersecurity law for financial services companies—recommend the use of encryption, few laws explicitly require it, or prescribe a specific way of using it.
For example, the GDPR requirement for security of personal data (Article 32) is to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” one of which may be encryption. Most other recent data protection laws contain similar language.
While they may not mandate its use, GDPR, the CCPA, and other laws do provide exemptions for companies that use encryption. The GDPR contains detailed instructions for how and when a company must notify EU citizens after a security breach involving personal data, but companies are exempt from the notification requirements if the stolen data was encrypted, because encrypted data cannot be used by anyone without the right key.
When evaluating their compliance strategies and risks, organizations should consider the distinction between transparent encryption and persistent encryption. If hackers gain access to data protected by transparent encryption and copy it to another location, the encryption will disappear, leaving the data vulnerable to misuse, and leaving the company exposed to fines and other sanctions. Data protected by persistent encryption, however, remains protected even when moved or copied, and is more likely to satisfy regulators and auditors.
Learn more about encrypting with PK Encryption. Get a free demo now.