Data encryption is a vital part of data security and many organizations have adopted it. However, data breaches are still a common occurrence. Why is this still happening? Are the methods we’ve relied on still dependable against today’s modern adversaries?
The two most commonly used types of data encryption are at-rest encryption and in-transit encryption. At-rest encryption (such as full disk encryption) encrypts data while it is stored and not in use, protecting stored data against physical threats while still giving applications and users full access to it as needed. In-transit encryption (such as that used in HTTPS) creates an encrypted channel between two computers or networks for them to communicate over; it protects data only while it is in transit, not while it sits on the computers or networks at either end.
While these encryption methods are effective at protecting against physical threats (e.g., someone stealing your laptop) and eavesdropping, they do not protect against compromised accounts or privilege misuse. In many cases, attackers simply gain access to the system and turn these protections off. What encryption method should we adopt instead?
What is Application-Layer Encryption?
Like at-rest encryption, application-layer encryption is designed to protect data at rest. However, unlike at-rest encryption, it encrypts data based upon the application that owns it rather than for the storage medium or disk where the data is stored.
With application-layer encryption, data encryption and decryption are performed by the end application. When data is stored or transferred over the network, it remains encrypted until it reaches the destination application that holds the encryption keys. Since keys are issued to applications only on a need-to-know basis, someone with legitimate access to a particular user account does not gain access to all the data stored under that account, only to the data belonging to that particular application.
Why Use Application-Layer Encryption?
At-rest encryption and in-transit encryption are effective at the very basic task of encryption, but they leave gaps in an organization's data protection. More specifically, at-rest encryption is in many situations ineffective against modern, network-based attacks. Application-layer encryption enables more comprehensive and robust data protection and can defend against a wide range of threats to data security. These include the following:
1. Account Misuse
With at-rest encryption, any account with permissions to access the storage medium will have the data automatically decrypted for them. This creates numerous opportunities for misuse of the permissions associated with an account. Additionally, if an account is compromised by an attacker, that attacker gains access to all data accessible to the account.
With application-layer encryption, having access to the underlying operating system or storage does not provide a malicious actor the ability to decrypt and access the data. Data can only be accessed through the appropriate application, making it possible to enforce appropriate access controls and monitor data use.
2. Data-Aware Encryption
Coarse-grained encryption solutions, like disk-level encryption, treat all data the same. Sensitive customer information is protected at the same level as a shopping list on a computer. This can mean that most data is over-protected and some may be under-protected.
With application-layer encryption, the application that owns the data is the one that encrypts it. This allows it to tune the protections to the sensitivity of the data or even to specific users and groups. This reduces wasted resources while ensuring that sensitive data is properly protected.
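The following program is an added example that is not part of the original article and is not Ubiq's library code; it illustrates the three points above (encryption performed by the owning application, storage-level access yielding only ciphertext, and protection tuned per sensitivity class) using Go's standard-library AES-GCM. The KeyService type, the App type, the class names "confidential" and "internal", and the sample card number are all assumptions constructed for the example; a real deployment would obtain keys from an external key-management service rather than an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for a key-management service (an assumed, simplified interface,
// not a real product API). Each key belongs to one application and one sensitivity
// class and is handed out only to that application: need-to-know, not "whoever reads the disk".
type KeyService map[string][]byte // "app/class" -> AES-256 key

func (ks KeyService) Issue(app, class string) { ks[app+"/"+class] = randBytes(32) }

func (ks KeyService) Key(app, class string) ([]byte, error) {
	if k, ok := ks[app+"/"+class]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("key service: %q holds no %q key", app, class)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Record is all the storage layer (database, disk, backup) ever holds; nothing in it is plaintext.
type Record struct {
	Class     string
	Nonce, Ct []byte
}

// aad binds a ciphertext to the owner and field it was written for, so a
// record copied into another owner's row fails authentication when read.
func aad(owner, field string) []byte { return []byte(owner + "\x00" + field) }

// App is the application that owns the data; plaintext exists only inside it.
type App struct {
	Name  string
	Keys  KeyService
	Store map[string]Record // stands in for the database; values are ciphertext
}

// aead fetches this application's key for a class and wraps it in AES-GCM.
func (a *App) aead(class string) (cipher.AEAD, error) {
	key, err := a.Keys.Key(a.Name, class)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts under the class key the application chooses, before the value reaches storage.
func (a *App) Put(owner, field, class string, value []byte) error {
	g, err := a.aead(class)
	if err != nil {
		return err
	}
	nonce := randBytes(g.NonceSize())
	a.Store[owner+"/"+field] = Record{class, nonce, g.Seal(nil, nonce, value, aad(owner, field))}
	return nil
}

// Get fails if this application lacks the class key or the record was moved or altered in storage.
func (a *App) Get(owner, field string) ([]byte, error) {
	r, ok := a.Store[owner+"/"+field]
	if !ok {
		return nil, fmt.Errorf("no record %s/%s", owner, field)
	}
	g, err := a.aead(r.Class)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ct, aad(owner, field))
}

func main() {
	ks := KeyService{}
	ks.Issue("billing", "confidential")
	ks.Issue("reporting", "internal") // reporting is never issued the confidential key
	billing := &App{"billing", ks, map[string]Record{}}
	reporting := &App{"reporting", ks, billing.Store} // same database, fewer keys
	if err := billing.Put("alice", "card", "confidential", []byte("4111 1111 1111 1111")); err != nil { // constructed value
		panic(err)
	}
	fmt.Printf("storage sees: %x\n", billing.Store["alice/card"].Ct) // ciphertext only
	_, errOther := reporting.Get("alice", "card")                    // other application: no key for this class
	billing.Store["bob/card"] = billing.Store["alice/card"]          // storage-level copy into another owner's row
	_, errMoved := billing.Get("bob", "card")                        // AAD mismatch: authentication fails
	v, _ := billing.Get("alice", "card")
	fmt.Printf("other app: %v\nmoved record: %v\nbilling: %s\n", errOther, errMoved, v)
}
```

The design choice worth noting is the associated data: because the owner and field name are authenticated along with the ciphertext, an account that can only read and write storage cannot reassign one customer's encrypted field to another customer, and the owning application can log and alert on every such failed decryption as a sign of tampering at the storage layer.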
3. Regulatory Compliance
Data protection regulations are becoming more numerous and stringent. A common requirement of these laws is that an organization be able to prove that it restricts access to the data protected under the regulation.
With at-rest encryption, it can be difficult to determine, let alone prove, whether a compromised account was used to access data that the account was permitted to read.
With application-layer encryption, the granularity of encryption is at the application level. This makes it easy to maintain and demonstrate regulatory compliance because it reduces the ways in which an attacker could gain access to the protected information.
4. Secure Key Management
With most at-rest encryption solutions, encryption key management is performed by the encryption software. Often, this means that the encryption key is stored on the drive, encrypted under a key derived from the user's password. While in use, the decryption key is held in memory, where it may be inappropriately accessed.
With application-layer encryption, the application has control over its own key management. This enables it to use solutions that appropriately protect decryption keys and are compliant with applicable regulations.
5. Zero-Trust Security
Historically, many organizations have used a very permissive and perimeter-based security model. Anyone with legitimate access to a network or system is considered “trusted”, and the security is designed and deployed to protect against external threats.
This security model has its limitations, and the zero-trust security model was designed to address these. Under this model, access to resources is granted on a case-by-case basis determined by access controls. This provides a much higher level of protection, control, and granularity of access controls, which helps to reduce the vulnerability and impact of data breaches. For example, the Capital One breach could not have occurred under a zero-trust security strategy.
Application-layer encryption is necessary for implementing zero-trust security. Alternative encryption methods control access at the storage or disk level, rather than to an individual application's data, which makes it difficult to enforce the access controls required in a zero-trust security model.
Implementing Application-Layer Encryption
Application-layer encryption has a number of benefits for the security and performance of an application, and it is not difficult to implement. Ubiq offers libraries for many different programming languages that help developers to integrate encryption into their code and securely and easily provision and manage their encryption keys.