Most organizations that rely on computing systems understand the need to protect data against cyber-attacks and data breaches by using encryption. Unfortunately, even the most well-informed and well-intentioned organizations fail to encrypt their data when and where it's most vulnerable. They often aren’t getting the protection they think they’re getting when implementing encryption, particularly when choosing full disk encryption, or when being told by email hosts, cloud storage providers, and messaging/communication service providers that their data is encrypted.
An effective selection and implementation of an encryption tool has one purpose: to protect the data when it's most vulnerable, which is when it has value to a company (i.e. when data is accessible, in motion, or in use). That's precisely when volume-level tools such as full disk encryption stop being effective or fail altogether.
Data-at-Rest vs. Data-In-Motion vs. Data-In-Use
In order to understand the limitations of encryption product types, it’s helpful to remember that data exists in essentially three states: at-rest, in-motion, and in-use:
- Data-at-rest is information that's stored in digital form on a physical device, like a hard disk or USB thumb drive.
- Data-in-motion is digitized information that's traversing a network. For example, when users send an email, access data from a remote server, upload files to or download them from the cloud, or communicate via SMS or chat.
- Data-in-use is digital information that’s actively being accessed, processed, or loaded into RAM, such as active databases, or a file being read, edited, or discarded.
While there are various crossover points among the states, data must be protected in all three, as well as during its transitions from one state to another. When a vendor or cloud service provider claims that data is encrypted, that doesn't mean it's protected at-rest, in-motion, and in-use. It's far more nuanced than that.
Consider one of the most well known encryption tools: full disk encryption. The name alone makes it sound as if every file and every activity that takes place on that disk is encrypted and secure. Hardly. Full disk encryption is effectively physical security for the hardware: it only protects your data while the computer it's installed on is powered off or nobody is logged in. That is precisely when data is least vulnerable.
The Problem with Password-Based Encryption
When people think of encryption, they also think of keys, and to access those keys, a password always seems to be involved somewhere. In some cases, that's true. Full disk encryption requires a password that unlocks the key that decrypts files on the disk as they are accessed. But for many other forms of encryption, that's not the case. User-defined passwords play no role in mobile calls or online purchases over HTTPS, both of which rely heavily on encrypted data streams.
The fear that someone will forget a password or choose a weak one stops many organizations and individuals from using encryption for all states of data. Worse, it drives them to encrypt only a limited subset of the most sensitive data, leaving everything deemed innocuous entirely in the clear and vulnerable.
Beyond the weaknesses of a password itself, the need to share it with another party when sharing the encrypted data and symmetric key presents a challenge. Password-based or symmetric key encryption doesn’t allow for seamless and secure file sharing or transport. As such, it's not a good fit for securing data-in-motion.
While it may protect data-at-rest, it offers nothing for data-in-use. This is where asymmetric key pairs make more sense. If you can't count on full disk encryption or password-based encryption to protect data-in-motion, what can you count on?
Public key encryption is a solid contender. Where symmetric key encryption uses a single secret key to both encrypt and decrypt, public key or asymmetric key encryption employs a key pair consisting of a secret private key and a public key, hence the name. Most often, the public key encrypts data while the private key decrypts it.
Since the public key is just that - public - it can be freely distributed by any means to anyone, allowing for seamless sharing. Without the private key, data encrypted with the public key cannot be decrypted, which makes it safe for transport or storage, i.e. data-in-motion and data-at-rest.
So, When is Encryption Truly Effective?
It doesn't do any good to protect data only when it is least vulnerable, as full disk encryption does, or to add security measures that are themselves insecure or inconvenient, like complex passwords and mandatory password changes. Data that has any value is data that is active, in motion, or accessible, making it highly vulnerable to user error or malicious attacks.
Valuable data is vulnerable data, and that's when encryption must work. File-level encryption based on public key infrastructure, sent over secured connections, is one transparent encryption solution that begins at data creation and ensures that data is protected at-rest, in-use, and in-motion.
Encryption tools of various shapes and sizes can effectively prevent data loss or breaches, regardless of the state of the data. It's not enough to point to the existence of some form of encryption and claim that data and systems are secured by it.
Wherever the data resides, is processed, or travels, the appropriate encryption solution must be along for the ride.