
Has storage and server encryption kept pace with modern IT to adequately reduce risk?

Storage and server vendors seem to be stuck in the historical mindset of traditional data-at-rest encryption. Data from applications is exposed while in use, sits protected at rest, and is exposed again to a potential breach as soon as applications need to access it. This is a recipe for disaster because it leaves gaps in protection; but is there a better approach? Yes, there is: format-preserving encryption, a game-changer for storage and server security.

An evolution up the stack and beyond: From system-level to data-centric encryption

Format-Preserving Encryption (FPE), which persists with the data, is a more trustworthy and comprehensive data-centric approach to addressing the risk of data exposure. FPE can protect data across platforms that previously relied on a "system-centric" approach, which cannot scale outside the storage or server environment. FPE affords all the benefits of traditional AES encryption while going further to maintain the same general "look and feel" as the original data. The approach is similar to tokenization in that it substitutes the original data with a safer replacement, and in the case of FPE the replacement does not break applications or schemas. The data looks the same and can be managed in the same way as the original. FPE retains enough of the original content's context for the information to be operated on, while making it useless outside the business application environment. So, why does this approach matter?
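To make the "same look and feel" property concrete, here is an added example (not code from the post or from HPE's products) of a simplified Feistel-based FPE over decimal digits, in the style of the FFX family that NIST standardised as FF1 but using HMAC-SHA256 as the round function instead of AES, so it is not the NIST algorithm itself. The key, tweak and card number below are constructed for illustration; a 16-digit number encrypts to another 16-digit number, separators are left untouched, and decryption restores the original.

```python
import hmac
import hashlib


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    # Keyed PRF for one Feistel round: HMAC-SHA256 over tweak, round number
    # and the other half; the caller reduces it modulo 10^len(half).
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Map a digit string to another digit string of identical length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a digit string of length >= 2")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(rounds):
        # a <- (a + F(b)) mod 10^|a|, then swap halves; |a| + |b| never changes
        c = (int(a) + _round_fn(key, tweak, rnd, b)) % 10 ** len(a)
        a, b = b, str(c).zfill(len(a))
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Invert fpe_encrypt by running the Feistel rounds in reverse."""
    n = len(digits)
    # The halves were swapped once per round, so the split point depends on parity.
    u = n // 2 if rounds % 2 == 0 else n - n // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(rounds)):
        # Current (a, b) came from (a_prev, b_prev) as (b_prev, (a_prev + F(b_prev)) mod 10^|a_prev|)
        a_prev = (int(b) - _round_fn(key, tweak, rnd, a)) % 10 ** len(b)
        a, b = str(a_prev).zfill(len(b)), a
    return a + b


def protect_field(key: bytes, value: str, tweak: bytes = b"", decrypt: bool = False) -> str:
    """Encrypt or decrypt only the digits of a field, keeping separators in
    place so the stored value still satisfies the original schema and checks."""
    digits = "".join(ch for ch in value if ch.isdigit())
    out = fpe_decrypt(key, digits, tweak) if decrypt else fpe_encrypt(key, digits, tweak)
    it = iter(out)
    return "".join(next(it) if ch.isdigit() else ch for ch in value)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed sample key
    pan = "4111-1111-1111-1111"                         # constructed sample card number
    protected = protect_field(key, pan, tweak=b"customer.pan")
    print(pan, "->", protected, "->", protect_field(key, protected, b"customer.pan", decrypt=True))
```

Using the field name as the tweak, as above, means the same digits stored in two different columns encrypt to two different values, which limits what an attacker can learn by correlating protected fields.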

Case in point: many attacks happen while data is in use or in transit. Consider malware in the application tier, e.g., a Point of Sale app, well ahead of where the data may be stored or eventually archived. With more and more analytic processes using sensitive data from IoT and mobile applications, data-in-use risks are increasingly the focal point of today's critical attack vectors. If you consider the growing practice of building data lakes to gain rapid insight from the various enterprise data sources, data-at-rest encryption is simply not enough and not where the real risk has migrated. New times require new approaches.

Comprehensive: Data-centric at-rest, in motion and in use!

Modern data security must protect data persistently in use, in motion and at rest, not as three separate states that leave gaps to be exploited. Many large enterprises compelled to reduce the exposure of sensitive live data to breach risks, or to comply with privacy regulations, can now use NIST-recommended standard FPE in a platform-agnostic way: everything from mainframes such as the IBM z Series, across major big data and mission-critical platforms such as Teradata and HPE NonStop, through open systems such as Windows, Linux and Unix, and across applications and data stores.

FPE avoids the need to decrypt for the vast majority of the data's lifecycle after capture and protection at source. Sensitive data classes can then remain protected, reducing risk across all platforms, that is, not just one specific IT ecosystem but everywhere the data may flow. So we might encrypt on capture in z/OS apps (e.g., a CICS transaction engine), process locally as needed in protected form, and pass the secured data on to downstream systems for analysis without decryption over ETL (e.g., into Teradata or Vertica, into AWS, to Azure, into Hadoop, and so on). Exposure can be limited to the small number of processes or people that need the actual cleartext data, and that access can be restricted to very specific, qualified use cases.

Keeping the data's format, meaning, context and value intact, without the ongoing performance impact of decrypt/encrypt cycles, is a more reliable approach that applies across every platform where improper exposure is possible. For data and line-of-business owners, this reduces liability and streamlines compliance with the data security, pseudonymization and data de-identification requirements of complex regulations such as GDPR, PCI, HIPAA and NYDFS. The technique can be used for sophisticated data workflows in contemporary agile enterprises, building on microservice-based apps and serverless computing methods that reflect today's hybrid IT environments.

The best of all worlds

Data consumers can now run more applications and analytics processes on FPE-encrypted data, without the traditional burden of limited data-at-rest controls and with minimal impact on application performance. FPE is a game-changer because its data-centric, platform-agnostic approach allows protection to persist as data is managed across modern IT. Businesses can now do more with their ever-increasing data volumes, versus locking down data at rest and restricting it to a few trusted data scientists.

What do you think?

Want to learn more about format-preserving encryption and how it can be a game-changer for your storage and server infrastructure? Talk to HPE to find out more!

The post Has storage and server encryption kept pace with modern IT to adequately reduce risk? appeared first on HPE Security – Data Security.


Mark Bower

When people across the world pay for goods electronically, drive a connected car, share private information between businesses, or interact online based on sensitive data analytics, there is a very good chance that data security products Mark curated are protecting that data from risk and external attack. With two decades of experience in the US, Australia and the UK, Mark is a noted expert in data protection and information risk reduction. At Egress, Mark is the General Manager for North America. Prior to Egress, Mark led product and business strategy for Voltage Security, acquired by Hewlett Packard in 2015 and a pioneer in breakthrough security methods that are now NIST standards in modern data-centric security for cloud, mobility and IoT applications.
