
Data Encryption

Definition

Data Encryption is a technology that uses encryption in order to prevent unauthorized access to data. Encryption is the process of transforming information into a form that cannot be read without the possession of special knowledge, referred to as a key. The purpose of encryption is to ensure that the information remains private from anyone not authorized to read it, even from those who may have access to the encrypted data.

File and Folder Encryption is used to protect data on a shared system - including protecting sensitive data from administrators. Groups of users are granted access rights to particular files and folders, and securely share files across the network.

User Benefits

Many, if not all, desktops and portable devices contain some form of proprietary or confidential information. Employees now carry significant amounts of high-value business, customer, employee, partner, and confidential corporate intellectual property on such hardware. Data encryption technology gives organizations tools to protect their confidential information and helps them avoid:

  • Significant client notification costs
  • Irreparable damage to the company’s reputation
  • Damage to the company’s brand
  • Diminished brand equity
  • Loss of customers
  • Loss of revenue and reduced profits
  • Regulatory fines
  • Costly litigation
  • Increased customer service and help desk activity
  • Reduced shareholder value
  • Difficult new customer acquisition
  • Loss of investor confidence

In addition to dealing with the preceding issues, the technology assures companies of achieving compliance with regulations.

Business Impact

Many encryption methods and products are available today. Generally, most are standalone applications that operate on a single data and/or information type at a time while using separate encryption applications. For instance, a user may encrypt data in files, file server documents, or email. A major drawback of these point encryption solutions is that they require a significant amount of additional work by IT and rely on individuals making critical and independent policy decisions and actions such as:

  • Maintaining and securing the encryption key(s)
  • Deciding what needs to be encrypted
  • Deciding if an intended recipient can decrypt a file or an email
  • Recovering the information/data when keys are lost or forgotten
  • Decrypting and re-encrypting files for editing purposes

Companies must seriously take into account the overall impact on their businesses and users when considering or evaluating the use of point encryption solutions.


Products supporting this technology

Gemalto McAfee

In the world of information security there are two major types of threats: easily seen threats that directly interfere with the ability to do business, and hard-to-discover threats that cause huge damage but don’t necessarily prevent people from doing their jobs.

Threats such as viruses, worms, and spam are visible: they attack both networks and systems and clearly disrupt productivity and business operations. Faced with such annoying attacks, it’s easy to justify investments to lower their impact. When hundreds of spam messages can be seen in the inbox, an organization is very likely to invest in an anti-spam solution.

Hard-to-discover threats, such as data theft, can go undetected for years. When (and if) they are discovered, it may not be possible to calculate the material damage the breach has caused over those years. It’s hard to have funds approved when a corresponding drop in profit or an asset loss can’t be directly demonstrated. In many cases, such as the theft of a credit card, it’s someone else who suffers the loss. That’s why security investments for this type of threat are often forced by regulation or contractual obligation, rather than being voluntary. The lack of perceived threat undermines the recognition of data security issues and the ability to address them.

Data breach has become a well-known term: confidential information, usually personally identifying information, that is lost. Companies aware of the need for data protection are developing programs that start with protecting sensitive data from external malicious attacks, relying on technical controls that include perimeter security, network/wireless surveillance and monitoring, and application and point security management. Education and user awareness are also a very important factor.

For real protection of critical data, organizations have to plan a more data-centric approach to their security programs. This approach gives enterprises the possibility to protect against losses that occur everywhere sensitive data lives. Because there are so many places where data can easily leak out of an organization without being noticed, it is important to implement the same controls around data being cut/copied/pasted and e-mailed or sent out of the organization by other means. Data loss points include data transferred through any e-mail or web channel, improper or missing access controls to systems containing sensitive data, lost or stolen unencrypted mobile devices, insecure transmission, improper destruction of information on electronic media, and lack of separation of duties and access controls on databases and other shared systems.

Protection mechanisms fall into five major categories: classic anti-malware and protections to prevent system infections, enforceable access controls, encryption, filtering for sensitive data types being sent out of the organization, and education.

As supplementary layers of protection on top of traditional malware defenses, encryption and access controls are very important in protecting sensitive data from insiders no matter where the data is: at rest, in use or in motion. Equally important is the ability to filter, log, and take action on outbound traffic and downloads. Last but not least, education has to be implemented through the actions of the control systems themselves. An example is automatic encryption policies on some types of program actions (e-mailing, FTP).
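The outbound filter, log, and act control described above, sketched as an added example that is not part of the original page or of any vendor's product. The policy table, function names and sample messages are assumptions made for illustration; payment card numbers stand in for "sensitive data types".

```python
import re

# Assumed policy table: action taken per outbound channel on a match.
POLICY = {"email": "encrypt", "ftp": "encrypt", "web": "block"}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: weeds out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def decide(channel, payload, audit_log):
    """Filter, log, and take action on one outbound transfer."""
    hits = find_card_numbers(payload)
    if not hits:
        action = "allow"
    else:
        # Channels missing from the policy fail closed.
        action = POLICY.get(channel, "block")
    # Log the decision, never the matched data itself.
    audit_log.append({"channel": channel, "action": action,
                      "matches": len(hits)})
    return action


if __name__ == "__main__":
    log = []
    # Constructed samples; 4111 1111 1111 1111 is a well-known test number.
    print(decide("email", "Card 4111 1111 1111 1111 exp 12/30", log))
    print(decide("ftp", "Order ref 1234 5678 9012 3456", log))
    print(log)
```

The Luhn check is what keeps the 16-digit order reference from triggering encryption, and the audit entry records only a match count so the log does not become a second copy of the sensitive data.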

In an information-centric approach to protecting sensitive data, all organizations need to:

  • identify and classify their information assets;
  • establish consistent policies;
  • implement an appropriate portfolio of enabling technologies for encryption and key management;
  • establish controls to ensure compliance with both internal policies and external regulations.

Encryption has been used historically to hide or obscure secret messages. However, the encryption methods employed then, although effective, seem trivial by today’s standards. Until very recently, encryption was used primarily to protect communications via voice, email, electronic file transfer, or remote access. As personal computers, laptops, the Internet, and wireless communications are now an integral part of our society, it has become more obvious that they need to be protected. Companies therefore need to maintain privacy and security for the vast amounts of personal data and information maintained and processed by these systems.

Not too long ago, governments were seeking ways to limit the use of encryption on the basis of national security. Now the situation is different, and legislators are developing legislation that encourages and forces companies and businesses to use strong encryption to prevent theft or disclosure of personal data and information.

So now companies are seeking data encryption products under pressure from both business and legislation.

An optimally effective file and folder encryption system must have:

  • Centralized management
  • Option for rapid deployment
  • Policy driven
  • An extensible key and policy management system
  • Encryption tools that integrate with third-party applications
  • Ability to be completely transparent to the user
  • An easy help desk process

Technical controls alone are not enough – companies must also educate all relevant stakeholders through formal awareness and end-user training programs around encryption and key management. Clear ownership and accountability for the creation and revision of encryption and key management policies and practices by a senior executive or team is also a critical factor for successful implementation.
