Has storage and server encryption kept pace with modern IT to adequately reduce risk?
Storage and server vendors seem to be stuck with the historical mindset of traditional data-at-rest encryption. Data from applications is exposed while in-use, but sits blissfully protected at-rest, only to be again exposed to a potential breach when applications need to access it once again. This is a recipe for disaster, enabling gaps in protection; but is there a better approach? Yes, there is! It is format-preserving encryption and a game-changer for storage and server security.
An evolution up the stack and beyond: From system-level to data-centric encryption
Format Preserving Encryption (FPE) which persists with the data, is a more trustworthy and comprehensive data-centric approach to address the risk of data exposure. FPE is able to protect data across platforms that had previously relied on a “system-centric” approach which can’t scale outside of the storage or server environment. FPE affords all the benefits of traditional AES encryption, while going further to maintain the same general “look and feel” of the original data. The approach is familiar to tokenization methods by substituting original data with a safer replacement, and in the case of FPE, doesn’t break applications or schema. Data looks the same and can be managed similar to the original data. FPE enables enough context into the original content for operating on the information, but making it useless outside of the business application environment. So, why does this approach matter?
Case in point, many attacks happen during data-in-use or transit. Consider malware in the application tier, e.g., a Point of Sale app—well ahead of where the data may be stored or eventually archived. With more and more analytic processes using sensitive data from IoT and mobile applications, data-in-use risks are increasingly more problematic as the focal point of today’s critical attack vector. If you consider the increasing practice of creating and using data lakes to achieve rapid insight from the various enterprise data sources, data-at-rest encryption is simply not enough and not where the real risk has migrated. New times require new approaches.
Comprehensive: Data-centric at-rest, in motion and in use!
Modern data security must protect data persistently in-use, in-motion and at-rest—not as three separate states that allow for gaps to be exploited. Many large enterprises compelled to reduce sensitive live data exposure from breach risks or to comply with privacy regulations can now use NIST-recommended standard FPE today in a platform-agnostic approach. Everything from mainframes such as IBM z-series; across major big data and mission-critical platforms such as Teradata, HPE NonStop; via open systems, such as Windows, Linux, Unix etc. and across applications and data stores.
FPE can avoid the need to unnecessarily decrypt for the vast majority of the data’s lifecycle after capture and protection at source. Sensitive data classes can then remain protected, reducing risk across all platforms—that is, not just one specific IT ecosystem, but across all wherever data may flow. So, we might encrypt on capture on z/OS apps (e.g., a CICS transaction engine) and process locally as needed in protected form, pass secured data on to downstream systems for analysis without decryption over ETL (e.g., into Teradata, or Vertica, into AWS, to Azure, into Hadoop, and so on). Exposure can be limited to a small number of processes or people that need the actual cleartext data, which can be controlled to very specific qualified use cases.
Keeping data with format, meaning, context and value retained without the ongoing performance impact of decrypt/encrypt operational cycles offers a more reliable approach, applying across all platforms where improper exposure is a possibility. For data and line of business owners, this reduces liability and streamlines compliance approaches to data security, pseudonymization and data de-identification required by complex regulations like GDPR, PCI, HIPAA, NYDFS. The technique can be used for sophisticated data workflows in contemporary agile enterprises, building on micro-service based apps and serverless computing methods that reflect today’s advanced business environments of hybrid IT.
The best of all worlds
Data consumers can now run more applications and analytics processes on FPE-encrypted data, without the traditional burden of limited data-at-rest controls and with minimal application impact on performance. FPE provides a game-changer with its data-centric and IT platform-agnostic approach, allowing protection to persist as data in managed across modern IT. Businesses can now do more with their ever-increasing data volumes vs locking down data-at-rest that restricts data to a few trusted data scientists.
What do you think?