Lessons From the Data Encryption Front Line: Understanding Common Threats (2024)

Data encryption has become a hot topic for many people this year with Article 83 of the General Data Protection Regulation (GDPR) listing it as an example security control to mitigate risks. While the U.K. Information Commissioner’s Office (ICO) provides some useful guidance on how to use encryption, I have had many discussions over the past year about what is the right approach to implementing data-at-rest encryption (DaRE) solutions. There is no magic answer, but there are some fundamental aspects to consider — starting with an understanding of common encryption threats.

Identify the Threats Facing Your Organization

Clients often ask for DaRE, but are unclear why they need it (other than a policy that says they need to implement encryption). There are many threats related to encryption, but I suggest starting with four generic threats in the context of your system/application.

1. Loss of Physical Storage Media

There is a risk of losing storage media, such as disks or tapes. In a cloud environment, storage media is not something under your direct control. To protect from a loss of storage media, encryption can be provided in the underlying storage or media subsystem. This provides a mechanism, transparent to the application, that is fast and has low latency — but does not manage every threat.

2. Disclosure or Modification of Stored Data

Some threat actors, such as an external attacker or internal privileged administrator, can gain access to personal or highly confidential data while systems are running. Encryption at the storage level won’t provide adequate protection in this case, since a privileged or even standard user has access to the unencrypted data. It also will not provide protection from a threat actor attempting to gain privileged access or extracting data using a classic attack such as SQL injection.

Therefore, highly confidential and personal data often needs to be encrypted at the level of structured or unstructured data objects to prevent a privileged user from accessing it. With the General Data Protection Regulation (GDPR) in effect, this is especially crucial.

3. Destruction of Stored Data

Even if stored data cannot be accessed, it can be destroyed by deleting the encryption keys — a cryptographic erasure — or by destroying the actual encrypted data. Systems are normally designed with redundancies, such as a backup of the data and a separate backup of the encryption keys. If segregation of duties is not maintained, it may be possible for a malicious employee to destroy the primary data, backups and encryption keys all at once.
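The two threats above (disclosure or modification by a privileged user, and destruction via cryptographic erasure) are easiest to reason about with a concrete data-object encryption layout in front of you. The following Go program is an added example, not code from the article or from IBM. It assumes a key-encryption key (KEK) held in a key management system, a random per-record data-encryption key (DEK) wrapped under that KEK, and AES-256-GCM with the row's primary key as associated data; the record ID, field value and type names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the database holds for one customer row: only ciphertext
// and a wrapped data key, never the plaintext value.
type Record struct {
	ID         string // primary key, also bound into the AAD
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // the field value, encrypted under the DEK
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce (prefixed to
// the output) and binds aad into the authentication tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if ciphertext, tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptField generates a random DEK, encrypts the value under it with the
// row ID as AAD (so a ciphertext cannot be copied onto another row without
// detection), then wraps the DEK under the KEK held in the key manager.
func EncryptField(kek []byte, id, value string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, []byte(value), []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK and decrypts the value. Once the
// KEK is destroyed (modelled here as nil) every record, and every backup of
// it, is cryptographically erased however many ciphertext copies survive.
func DecryptField(kek []byte, r Record) (string, error) {
	if kek == nil {
		return "", errors.New("KEK destroyed: data cryptographically erased")
	}
	dek, err := open(kek, r.WrappedDEK, []byte("dek:"+r.ID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // in production this lives in the KMS, backed up separately from the data
	rand.Read(kek)
	rec, _ := EncryptField(kek, "cust-1001", "AB123456C") // constructed sample value
	fmt.Printf("what a database administrator sees: %x\n", rec.Ciphertext)
	fmt.Println(DecryptField(kek, rec)) // AB123456C <nil>
	moved := rec                        // ciphertext copied onto another row
	moved.ID = "cust-2002"
	fmt.Println(DecryptField(kek, moved)) // error: the AAD no longer matches
	fmt.Println(DecryptField(nil, rec))   // error: cryptographic erasure
}
```

Two design points follow the article's argument. Binding the row ID as associated data is what turns a "modification" threat into a detectable decryption failure rather than silently accepted data. And because every record depends on the KEK, the KEK backup must be held and restored under different duties from the data backup; otherwise one person can take out data, backups and keys together, exactly the scenario the text describes.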

4. Disclosure of Data in Transit

Data needs to be transported between applications, and it is possible to tap into a network to enable confidential data to be read. With cloud storage, the network and server infrastructure is not under your control and there is a risk of data interception.

While many applications use Transport Layer Security (TLS) to encrypt traffic, there are many other communications that cannot use TLS. In a virtual world, physical systems are clustered together with virtualized storage where the underlying transport mechanism may obscure the data but not support encryption.

Balance Risk With Performance, Resilience, Compatibility and Operations

Like all security mechanisms, data encryption has a set of impacts that need to be considered. The primary driver is normally the cost of the encryption, but assuming an unlimited budget, there are potentially some more fundamental impacts on the operation of applications and infrastructure.

One such impact is on performance. Encryption is a highly compute-intensive mechanism that is normally assisted by hardware. With self-encrypting drives, it often cannot be disabled and has zero performance impact. When encryption is applied at a more granular level, the impact is much greater. Encrypting files has a much greater performance impact than encrypting a logical disk, which in turn has a greater impact than encryption within physical storage. The added latency and reduced throughput of encryption may degrade an application to the point that it makes your business uncompetitive.

The next impact to consider is on resilience. Encryption adds complexity and, depending on how it is implemented, may introduce additional dependencies that increase the complexity of change processes and the risk of infrastructure failure. Think about possible failure scenarios and the dependencies, then test component failure and recovery. Finer-grain encryption may provide improved protection, but it reduces the resilience of an application. For example, even if all keys are lost in a key management system, a storage subsystem may still be recovered with offline recovery keys, whereas data in volume-based encryption may be irretrievably lost without additional controls.

Data encryption also impacts compatibility. An encryption app may have a dependency on a specific application feature that cannot be changed, for example, or it may not support specific file systems or database types. This introduces a constraint that prevents encryption from being used, and may require accepting a risk. The finer the encryption — that is, the higher in the application stack — the more constraints will be revealed.

Lastly, consider the impact on operations. While encryption protects your data, it also makes it difficult to access data when you do need it. If a backup service creates a backup of an encrypted server, how can you restore an individual file without shutting down the production service? Sure, there may be workarounds, but does it still impact service levels?

Encryption solutions are still maturing as they move from being add-on packages to being embedded within applications. Constraints will no doubt reduce over time, but it’s good to be aware of them while deploying encryption.

Tailor Data Encryption to Fit Your Needs

There is no single answer to the question of how to properly use data encryption. It comes down to the risk appetite of a business balancing the security risk against performance, resilience, compatibility and operations.

One possible combination is storage-level encryption for performance together with structured data encryption on a limited number of high-risk applications. Depending on their application and data types, organizations will likely need to apply different architectural patterns and accept some residual risk.

To learn more, download the white paper, “Guard Your Organization’s Data With Intelligent IBM Encryption.”



Mark Buckwell

Cloud Security Architect, IBM

As a seasoned expert in the field of data security and encryption, I bring a wealth of knowledge and practical experience to the discussion. Over the years, I've actively engaged in numerous discussions and consultations on the implementation of data-at-rest encryption (DaRE) solutions, especially in light of the evolving landscape of regulatory frameworks such as the General Data Protection Regulation (GDPR).

My expertise extends beyond theoretical understanding, as I've closely followed and analyzed the guidance provided by regulatory bodies like the U.K. Information Commissioner’s Office (ICO) and have applied these principles in real-world scenarios. This year, the significance of data encryption has been underscored by Article 83 of the GDPR, which explicitly mentions it as a key security control for mitigating risks associated with sensitive information.

In the context of the provided article, it is crucial to recognize and address the fundamental aspects of data encryption, starting with a comprehensive understanding of common encryption threats. The article rightly emphasizes the importance of identifying threats facing an organization before implementing data encryption measures. Let's delve into the key concepts discussed in the article:

  1. Loss of Physical Storage Media:
     • The risk of losing storage media, including disks or tapes, poses a significant threat.
     • Encryption at the underlying storage or media subsystem provides a transparent mechanism to protect against the loss of storage media.
  2. Disclosure or Modification of Stored Data:
     • External attackers or internal privileged administrators may gain access to personal or highly confidential data.
     • Encryption at the structured or unstructured data object level is crucial to prevent unauthorized access, especially in compliance with GDPR.
  3. Destruction of Stored Data:
     • Cryptographic erasure or destruction of encrypted data may occur, posing a threat to data integrity.
     • Maintaining segregation of duties and having redundant systems, including backup of data and encryption keys, is essential.
  4. Disclosure of Data in Transit:
     • Data interception during transport poses a risk, especially in cloud environments where network and server infrastructure may not be under direct control.
     • While many applications use Transport Layer Security (TLS), limitations exist, and virtualized storage may obscure data without supporting encryption.

Additionally, the article wisely advises organizations to balance the benefits of data encryption with potential impacts, including performance, resilience, compatibility, and operational considerations. The nuances of encryption, such as its compute intensity and impact on application operation, are highlighted.

In conclusion, the article underscores the importance of tailoring data encryption strategies to fit the specific needs and risk appetite of a business. There is no one-size-fits-all solution, and organizations must carefully evaluate the trade-offs between security and various operational considerations. The provided white paper from IBM further expands on intelligent encryption practices, serving as a valuable resource for those seeking to enhance their data protection measures.


FAQs

What is the threat of data encryption?

Encryption makes sensitive data unreadable and requires a key to decipher. Without the key, an attacker cannot use or comprehend encrypted data. This makes it difficult for hackers to steal or misuse sensitive data.

How does encryption prevent network threats?

Encryption is the process of disguising data so that it cannot be understood. Even if a hacker gains access to encrypted data, they will not be able to understand it. Network managers usually encrypt data which is to be stored or transmitted on a network.

What are the basics of data encryption?

Encryption works by encoding “plaintext” into “ciphertext,” typically through the use of cryptographic mathematical models known as algorithms. Decoding the data back to plaintext requires a decryption key, a string of numbers or a password that is also created by an algorithm.

Why is data encryption important in cyber security?

It helps protect private information, sensitive data, and can enhance the security of communication between client apps and servers. In essence, when your data is encrypted, even if an unauthorized person or entity gains access to it, they will not be able to read it.

What are three main threats to data security?

In the past decade, social engineering, ransomware and advanced persistent threats (APTs) have been on the rise. These are threats that are difficult to defend against and can cause catastrophic damage to an organization's data.

What are the biggest modern threats to encryption?

  • Hackers steal the encryption keys to private data.
  • Cybercriminals side-step encryption methods.
  • Law enforcement can sometimes decrypt messages.
  • Applications may provide data to nation-state actors.
  • Capture now, decrypt later with quantum computing.

What attacks does encryption protect against?

Encryption is among the most critical and widespread data security tools. By encoding plain text as ciphertext, encryption helps organizations protect data against a range of cyberattacks, including ransomware and other malware. It also supports:

  • Compliance management.
  • Protection against insider threats.

What does encryption protect you against?

Encrypted data can only be unscrambled through the process of decryption. Encryption is essential for protecting users' online activities. People are able to go online to shop, look up ailments, and search for a life partner because encryption prevents an eavesdropper from seeing what they are doing.

Does encryption prevent data breaches?

Cybersecurity professionals agree that encryption is the best option for enterprises, local government departments, schools, and colleges to protect their data and prevent data breaches.

What are the two main types of data encryption?

There are two types of encryption in widespread use today: symmetric and asymmetric encryption.

What is encryption in simple words?

Encryption is a form of data security in which information is converted to ciphertext. Only authorized people who have the key can decipher the code and access the original plaintext information. In even simpler terms, encryption is a way to render data unreadable to an unauthorized party.

What are the 3 major components of encryption system?

The main components of an encryption system are: (1) plaintext (the unencrypted message), (2) the encryption algorithm (which works like the locking mechanism of a safe), (3) the key (which works like the safe's combination), and (4) ciphertext (produced from the plaintext message by the algorithm under the encryption key).

What are the risks of data encryption?

Data encryption risks are the potential threats and challenges that may compromise the effectiveness and security of encryption, such as weak or outdated algorithms, poor practices, key compromise or loss, overhead or performance issues, and compliance or compatibility issues.

What is the difference between threat, vulnerability and risk?

A vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat. A threat is a potential for a threat agent to exploit a vulnerability. A risk is the potential for loss when the threat happens.

What is the main reason to encrypt a file?

Encryption protects the contents of a file from being read by anyone who doesn't have the encryption key.

What is the negative impact of encryption?

While encryption can be an important tool to keep data secure, it also comes with a few cons. The primary downside of data encryption is cost. Encryption requires advanced hardware and software to be implemented, and this can be expensive.

What is the major issue with database encryption?

Databases are managed by "Database Management Systems" (DBMS) that run on top of an existing operating system (OS). This raises a potential security concern, as an encrypted database may be running on an accessible and potentially vulnerable operating system.

Which threat is likely to encrypt your files?

Ransomware is malware that employs encryption to hold a victim's information at ransom. A user or organization's critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.

What problems does encryption create?

Querying encrypted data is a big concern for organizations, since it may involve decrypting data very often, which increases the opportunity for an attacker to gain access to decrypted data. Frequent decryption also increases the demand on system resources and the time taken.
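One established way to reduce that decryption volume is a blind index: a keyed hash of the normalised plaintext stored beside the ciphertext, so equality lookups hit the index and only the matching rows are ever decrypted. The Go program below is an added example and not code from the article, from IBM or from any of the FAQ sources. It assumes HMAC-SHA256 under an index key kept separate from the field-encryption key; the row IDs, email values and the placeholder ciphertexts (which stand in for real AEAD output produced elsewhere) are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Row is what the database holds: the encrypted email (opaque here; produced
// by the application's field-level encryption) and a keyed-hash blind index
// computed from the plaintext before it was encrypted.
type Row struct {
	ID             string
	EncryptedEmail []byte
	EmailIndex     string
}

// normalise makes equal emails index equally regardless of case and
// surrounding whitespace; the same function must be applied at query time.
func normalise(v string) string {
	return strings.ToLower(strings.TrimSpace(v))
}

// BlindIndex is HMAC-SHA256 over the normalised value under a dedicated index
// key, truncated to 16 bytes. Without the key the database cannot compute or
// invert it, so the index reveals only that two rows hold the same value.
func BlindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalise(value)))
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

// Table stands in for the encrypted table plus an index on EmailIndex.
type Table struct {
	rows  []Row
	index map[string][]int // blind index -> positions in rows
}

func NewTable() *Table { return &Table{index: map[string][]int{}} }

// Insert stores the ciphertext and the blind index; the plaintext is used
// only to derive the index and is not retained.
func (t *Table) Insert(indexKey []byte, id, email string, ciphertext []byte) {
	idx := BlindIndex(indexKey, email)
	t.rows = append(t.rows, Row{ID: id, EncryptedEmail: ciphertext, EmailIndex: idx})
	t.index[idx] = append(t.index[idx], len(t.rows)-1)
}

// FindByEmail returns the IDs of matching rows without decrypting any row.
// Only the returned rows need their data key unwrapped and decrypted, which
// is the decryption volume the FAQ answer above warns about.
func (t *Table) FindByEmail(indexKey []byte, email string) []string {
	var ids []string
	for _, pos := range t.index[BlindIndex(indexKey, email)] {
		ids = append(ids, t.rows[pos].ID)
	}
	return ids
}

func main() {
	indexKey := []byte("constructed-index-key-32-bytes!!") // constructed; keep separate from the encryption key
	tbl := NewTable()
	// Constructed sample rows; the ciphertexts are placeholders for real AEAD output.
	tbl.Insert(indexKey, "r1", "Alice@Example.com", []byte("<ciphertext-1>"))
	tbl.Insert(indexKey, "r2", "bob@example.com", []byte("<ciphertext-2>"))
	tbl.Insert(indexKey, "r3", " alice@example.com ", []byte("<ciphertext-3>"))
	fmt.Println(tbl.FindByEmail(indexKey, "alice@example.com")) // [r1 r3]
	fmt.Println(tbl.FindByEmail(indexKey, "carol@example.com")) // []
}
```

The trade-off to weigh before adopting this: a blind index supports exact-match lookups only (no prefix or range queries), and it leaks equality, so anyone who can read the table can tell which rows share a value even though they cannot learn what it is. For high-cardinality fields such as email that is usually acceptable; for low-cardinality fields it may not be.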

Article information

Author: Fredrick Kertzmann
