The Optimal Solution will Vary According to Use Case, Threats Addressed, and Acceptable Deployment Complexity
At the board-room level, data encryption may easily be viewed as a binary matter: data encryption is employed and the company’s assets are secure, or they’re not encrypted and it’s time to panic. However, for the security teams chartered with securing sensitive assets, the realities are not so simple.
When determining which data encryption solution type will best meet your requirements, there are several considerations. At a high level, data encryption types can be broken out by where they’re employed in the technology stack. There are four levels in the technology stack in which data encryption is typically employed: full-disk or media, file system, database, and application.
In general, the lower in the stack encryption is employed, the simpler and less intrusive the implementation will be; the trade-off is that the number and types of threats these data encryption approaches can address are also reduced. Conversely, by employing encryption higher in the stack, organizations can typically realize higher levels of security and mitigate more threats, at the cost of greater deployment complexity.
Security and deployment complexity increases when implemented higher in the stack
Full-disk encryption (FDE) and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off the disk.
Encrypting data at the file level, or at the volume level (the form typically used for databases), relies on software agents installed in the operating system. The agents intercept disk reads and writes and apply policies to determine whether the data should be encrypted or decrypted for that caller. Mature file-system encryption products offer strong policy-based access controls, including controls over privileged users and processes, together with granular logging capabilities.
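The interception-and-policy model described above, as an added illustration that is not code from the original article or from any Thales product: a small Go program models the agent as the only path between callers and the stored blocks. Each access is matched against an ordered rule list (user, process, operation), the first match decides whether the caller gets plaintext, gets the raw ciphertext only (the privileged backup case), or is denied, and every decision is appended to an audit trail. The key, the user and process names, the file path and the rule set are constructed for the example; encryption is AES-256-GCM from the Go standard library with the file path bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Rule is one policy entry evaluated by the agent; "*" matches anything.
// Effect "permit" returns plaintext on read and stores ciphertext on write,
// "ciphertext-only" lets a privileged process (e.g. backup) copy the file
// bytes without ever decrypting them, and "deny" blocks the access.
type Rule struct {
	User, Process, Op, Effect string
}

// Agent models the OS-resident agent of a file-level encryption product:
// it sits between callers and the stored blocks, applies policy, and logs.
type Agent struct {
	aead  cipher.AEAD
	rules []Rule
	disk  map[string][]byte // constructed stand-in for on-disk blocks
	Audit []string          // one line per access decision
}

// NewAgent wires up AES-GCM for the given key (16, 24 or 32 bytes).
func NewAgent(key []byte, rules []Rule) (*Agent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Agent{aead: aead, rules: rules, disk: map[string][]byte{}}, nil
}

// DemoRules is a constructed policy: the database engine sees cleartext,
// the backup daemon sees ciphertext, and everyone else (root shells
// included) is denied.
func DemoRules() []Rule {
	return []Rule{
		{"dbsvc", "mysqld", "*", "permit"},
		{"root", "backupd", "read", "ciphertext-only"},
		{"*", "*", "*", "deny"},
	}
}

// decide returns the effect of the first matching rule (default deny)
// and records the decision in the audit trail.
func (a *Agent) decide(user, proc, op, path string) string {
	effect := "deny"
	for _, r := range a.rules {
		if (r.User == "*" || r.User == user) && (r.Process == "*" || r.Process == proc) && (r.Op == "*" || r.Op == op) {
			effect = r.Effect
			break
		}
	}
	a.Audit = append(a.Audit, fmt.Sprintf("user=%s proc=%s op=%s path=%s effect=%s", user, proc, op, path, effect))
	return effect
}

// Write intercepts a write: only "permit" callers get their data encrypted and stored.
func (a *Agent) Write(user, proc, path string, plaintext []byte) error {
	if a.decide(user, proc, "write", path) != "permit" {
		return errors.New("write denied by policy")
	}
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The path is bound as associated data, so a ciphertext copied to a
	// different guarded path will not decrypt there.
	a.disk[path] = a.aead.Seal(nonce, nonce, plaintext, []byte(path))
	return nil
}

// Read intercepts a read and returns plaintext, raw ciphertext, or an error.
func (a *Agent) Read(user, proc, path string) ([]byte, error) {
	stored, ok := a.disk[path]
	if !ok {
		return nil, errors.New("no such file")
	}
	switch a.decide(user, proc, "read", path) {
	case "permit":
		ns := a.aead.NonceSize()
		return a.aead.Open(nil, stored[:ns], stored[ns:], []byte(path))
	case "ciphertext-only":
		return append([]byte(nil), stored...), nil
	default:
		return nil, errors.New("read denied by policy")
	}
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	ag, _ := NewAgent(key, DemoRules())
	_ = ag.Write("dbsvc", "mysqld", "/data/customers.ibd", []byte("PAN=4111"))
	pt, _ := ag.Read("dbsvc", "mysqld", "/data/customers.ibd")
	raw, _ := ag.Read("root", "backupd", "/data/customers.ibd")
	_, err := ag.Read("root", "bash", "/data/customers.ibd")
	fmt.Printf("engine sees %q, backup sees %d opaque bytes, root shell: %v\n", pt, len(raw), err)
	for _, line := range ag.Audit {
		fmt.Println(line)
	}
}
```

The point the rule list makes is the one the paragraph calls out: privilege at the operating-system level (root via an interactive shell) is not the same as authorization to see cleartext, while an approved backup process can still do its job on opaque bytes, and the audit trail records each decision either way.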
File-Level Encryption Advantages:
File-Level Encryption Limitations:
Relevant Thales solutions and capabilities:
Database-level encryption enables security teams to encrypt a specific subset of data within the database or the entire database file. This category includes the solutions from multiple database vendors that are known as transparent data encryption (TDE).
When employing application-level encryption, logic is added to the application itself to govern the encryption or tokenization of data before it leaves the application.
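The tokenization branch of that approach, as an added example that is not code from the original article or from any Thales product: a Go program in which the application hands a card number to a vault and stores only the token it gets back. The token keeps the length and last four digits of the original, is drawn from crypto/rand, and is rejected and redrawn if it happens to pass the Luhn check, so a token can never be mistaken for a usable card number. Reversal is gated by a caller role. The vault's in-memory maps, the role names and the test card number 4111111111111111 are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
)

// Vault is the tokenization service. It is the only component that holds the
// token -> real value mapping; application records store tokens only, so a
// dump of the application database yields nothing usable on its own.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byValue map[string]string // same PAN -> same token, so joins still work
	// Constructed policy: which caller roles may reverse a token.
	canDetokenize map[string]bool
}

// NewVault creates an empty vault whose only detokenizing role is the payment gateway.
func NewVault() *Vault {
	return &Vault{
		byToken:       map[string]string{},
		byValue:       map[string]string{},
		canDetokenize: map[string]bool{"payment-gateway": true},
	}
}

// LuhnValid reports whether s passes the Luhn check-digit test used by card numbers.
func LuhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// randomDigits returns n unbiased decimal digits from crypto/rand.
func randomDigits(n int) (string, error) {
	var b strings.Builder
	for i := 0; i < n; i++ {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		b.WriteByte(byte('0' + d.Int64()))
	}
	return b.String(), nil
}

// Tokenize swaps a card number for a token that keeps its length and last four
// digits (so receipts and support screens still work) but deliberately fails the
// Luhn check, so a leaked token is never a valid card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("tokenize: value is not a card number")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byValue[pan]; ok {
		return tok, nil
	}
	for {
		head, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := head + pan[len(pan)-4:]
		if tok == pan || LuhnValid(tok) {
			continue // about one candidate in ten passes Luhn; draw again
		}
		if _, taken := v.byToken[tok]; taken {
			continue
		}
		v.byToken[tok] = pan
		v.byValue[pan] = tok
		return tok, nil
	}
}

// Detokenize reverses a token only for roles the vault policy permits; every
// other part of the application works with the token alone.
func (v *Vault) Detokenize(tok, callerRole string) (string, error) {
	if !v.canDetokenize[callerRole] {
		return "", fmt.Errorf("detokenize: role %q is not permitted", callerRole)
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("detokenize: unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test card number
	fmt.Println("stored in application DB:", tok)
	pan, err := v.Detokenize(tok, "payment-gateway")
	fmt.Println("gateway sees:", pan, err)
	_, err = v.Detokenize(tok, "reporting")
	fmt.Println("reporting sees:", err)
}
```

Because the decision about who may see the real value is made in application code rather than by the disk or the database engine, this layer addresses threats the lower layers cannot, such as a database administrator or a compromised reporting service querying the table directly; the cost is exactly the application changes the paragraph describes.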