Virtually every data-security compliance directive mandates data encryption. But compliance is no longer enough. As organizations are forced to announce their data has been breached, public trust plummets, profit and share prices fall, and once promising executive careers in both the public and private sectors crumble.
What organizations need today goes beyond compliance to true security. Unfortunately, against today’s advanced threats, network-based security tools and controls, such as IDS, IPS, firewalls, anti-malware and SIEM solutions, are not enough. Encryption technologies must be added to overall enterprise security programs. But not all encryption is the same. To achieve the greatest security possible, executives need to understand the different kinds of encryption, how they work, and which will make their data safest from breach.
Self-encrypting drives (SEDs) and full disk encryption (FDE) technologies are frequently recommended for desktops and laptops, but these technologies are not particularly appropriate for enterprise-wide data security. In enterprises, data is frequently stored in multiple forms on multiple operating systems and in multiple places, including the cloud. SED and FDE keep the data on the drive encrypted, but that protection only holds while the drive is not booted (unlocked). Once the drive is booted, which in today’s work environment is most, if not all, of the time, the drive decrypts transparently for every read and the data is vulnerable. What this means is that the data is protected if someone physically steals the drive. It is not protected if the drive is booted. Then, anyone with network or system access (for example, an internal resource with malicious intent or an external cybercriminal) has clear-text data access.
A better enterprise-wide solution is file-based encryption with integrated key management, which, as the name suggests, encrypts data at the file level independent of hardware and operating system. This approach can encrypt all data at rest and only decrypts it when it is needed for use. This, in itself, significantly reduces the risk of a breach.
Moreover, in the best systems, this file-based encryption:
Vormetric Transparent Encryption enables data-at-rest file encryption, privileged user access control and the collection of security intelligence logs without re-engineering applications, databases or infrastructure. The deployment of Vormetric’s encryption software is simple, scalable and fast. Vormetric Transparent Encryption Agents are installed above the file system on servers or virtual machines to enforce security and compliance policies. As with all Vormetric products, ongoing policy and encryption key management operations are centralized and efficient with the Vormetric Data Security Manager.
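The following is an added example, written for this page and not code from Vormetric or any product it describes. It models the two designs discussed above: an "unlocked" SED/FDE volume, which hands cleartext to any caller once booted, next to a file-level layer that keeps every file sealed under its own data-encryption key, wraps those keys with a key-encryption key held by a central key manager, checks a user-and-process policy on every decrypt, and writes an audit record of each decision (the privileged-user control and security-intelligence log of the architecture described). The cipher is a demonstration construction (an HMAC-SHA256 keystream with encrypt-then-MAC) chosen so the code runs with the Python standard library only; a real deployment would use AES-GCM or similar. All class names, paths, users and the sample record are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- toy authenticated encryption: HMAC-SHA256 keystream, encrypt-then-MAC ---
# Demonstration construction only (assumption: production code would use AES-GCM).
def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one file key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream: HMAC(key, nonce || counter) block by block."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so stored data is both confidential and tamper-evident."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed integrity check")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

# --- an unlocked FDE/SED volume: once booted, every caller gets cleartext ---
class UnlockedVolume:
    def __init__(self):
        self.files = {}
    def write(self, path, data):
        # The drive encrypts sectors under the hood, but the OS sees only cleartext.
        self.files[path] = data
    def read(self, path, user, process):
        # No per-access decision is possible at this layer; user/process are ignored.
        return self.files[path]

# --- file-level encryption with a key manager, access policy and audit log ---
@dataclass
class Requester:
    user: str
    process: str

class KeyManager:
    """Hypothetical stand-in for a central key manager: holds the KEK, wraps per-file DEKs."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
    def new_wrapped_dek(self):
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek)
    def unwrap(self, wrapped):
        return unseal(self._kek, wrapped)

@dataclass
class EncryptedFileStore:
    km: KeyManager
    policy: dict                                # path prefix -> {(user, process)} allowed to decrypt
    files: dict = field(default_factory=dict)   # path -> (wrapped_dek, sealed bytes)
    audit: list = field(default_factory=list)   # security-intelligence log of every decision

    def write(self, path, data):
        dek, wrapped = self.km.new_wrapped_dek()
        self.files[path] = (wrapped, seal(dek, data))   # data is at rest only in sealed form

    def _allowed(self, path, who):
        return any(path.startswith(p) and (who.user, who.process) in allow
                   for p, allow in self.policy.items())

    def read(self, path, who):
        wrapped, ct = self.files[path]
        if not self._allowed(path, who):
            self.audit.append(f"DENY user={who.user} proc={who.process} path={path}")
            raise PermissionError(path)
        self.audit.append(f"ALLOW user={who.user} proc={who.process} path={path}")
        return unseal(self.km.unwrap(wrapped), ct)   # decrypted only at the moment of use

    def raw(self, path):
        """What a backup, copy or policy-bypassing privileged user sees: sealed bytes only."""
        return self.files[path][1]

def demo():
    record = b"card=4111-constructed-sample;name=example"   # constructed sample record
    vol = UnlockedVolume()
    vol.write("/data/cust.db", record)
    store = EncryptedFileStore(KeyManager(), {"/data/": {("app", "/opt/app/bin/server")}})
    store.write("/data/cust.db", record)
    results = {
        "fde_root_cat": vol.read("/data/cust.db", "root", "/bin/cat") == record,
        "file_app_ok": store.read("/data/cust.db", Requester("app", "/opt/app/bin/server")) == record,
        "file_raw_is_ciphertext": record not in store.raw("/data/cust.db"),
    }
    try:
        store.read("/data/cust.db", Requester("root", "/bin/cat"))
        results["file_root_cat_denied"] = False
    except PermissionError:
        results["file_root_cat_denied"] = True
    results["audit"] = list(store.audit)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the contrast in one place: on the unlocked volume `root` reading with `/bin/cat` gets the record, while the file-level store returns it only to the approved service account and process, hands anyone else (including `root`) a denial plus an audit line, and exposes nothing but sealed bytes to whatever copies the file. The policy key is the (user, process) pair rather than the user alone, which is what makes "privileged user access control" meaningful: an administrator keeps root on the box without gaining cleartext.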
No application changes are required for Vormetric Transparent Encryption software to deliver data encryption, privileged user access control and security intelligence.
Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers and Applications by Securosis
The Right Tools for the Job: Encryption for Data-at-Rest in Back-End Systems