Three critical foundations for a data encryption strategy
Encryption has come a long way in the last 10 years. Traditional encryption has limitations that are long understood, yet present huge problems for its use – the need to decrypt to access data elements exposes it to risk, and of course key management can become extremely complex at scale if based on the 1990’s PKI or store-and-retrieve symmetric key technology. Not all encryption is the same. For example, infrastructure-centric encryption of data at rest on servers doesn’t defend against persistent malware: data-centric security does as the protection stays with the data wherever it goes. Fortunately, innovation in cryptography and encryption technology continues to make leaps and bounds, enabling data-centric protection with ease. This is underpinned through the research and development of several technologies by leading academics and cryptography visionaries which enable encryption to be pervasive at tremendous scale, and above all, simple to use even for consumers. These technologies are:
1. Identity Based Encryption (IBE) – Developed at Stanford and Incorporated in standards such as IETF 5091, 5408, 5409 and IEEE 1363.3, IBE technology overcomes the key distribution problem, allowing any arbitrary string to be used as a public key and private keys to be generated in real time when needed. This allows email and file encryption at any scale without the overhead and key management complexity imposed by older key-pair management approaches that pre-dated the mobile and cloud driven internet of today, and struggle with the well documented “John can’t Encrypt” usability issues.
2. Format-Preserving Encryption (FPE) – In draft NIST standard SP800-38G. Traditional modes of AES or 3DES render data protected but destroy the format and structure of the data elements, imposing cost and change to applications and databases. FPE retains AES strength while retaining format and structure. This allows encryption to be retrofitted into existing applications, enabling cloud applications to be secured efficiently, and for de-identifying data in big data systems very quickly. Tokenization is a similar technique, but requires a database to map live data to the “fake” tokens, which introduces its own challenges. Modern tokenization methods like Secure Stateless Tokenization (SST) overcomes this while preserving tokenization’s PCI compliance cost reduction properties without the burden. SST and NIST Standard FPE are an ideal “data-centric” security technology combination for a variety of uses.
3. Stateless Key Management – traditional key management is a bottleneck to pervasive encryption. The need to store keys at endpoints or retrieve keys from databases gets operationally cumbersome very quickly and is another complex risk to manage. Stateless Key Management, using standards based KDF’s solves this by generating keys when needed, securely on demand in real-time in tandem with identity and access management policies already in place. Keys don’t have to be stored unnecessarily, and key distribution is much more straightforward.
The result is that we have seen leading organizations stay ahead of the advanced threats that are pervasive today, while reducing risk and data privacy compliance costs.
Research continues in the areas of Order-Preserving and Homomorphic encryption, but effort is still needed to avoid the security, information leakage or performance trade-offs these approaches still have issues with today. In the meantime, IBE, FPE and SST, and Stateless Key Management provide new, low cost and highly effective methods for data protection for today’s data-rich ecosystems – and are already proven and accepted.
Of course, here at Voltage we make these technologies available as easy to use and deploy solutions for PCI DSS compliance and scope reduction, Personally Identifiable Information data protection and de-identification, and to enable collaboration and sharing for emails, files and data without friction, complexity and risk.
If you would like to learn more or try these out, drop us a line – we’re always here to help with your data breach concerns and risk mitigation strategies – click here.