Transparent Encryption vs Persistent Encryption
Every year, more organizations adopt encryption to protect their sensitive data. According to the 2019 Ponemon Institute Global Encryption Trends Study, the percentage of companies with enterprise-wide encryption strategies has tripled in the last 15 years. With regulations like GDPR and the California Consumer Privacy Act providing incentives for companies to encrypt customer data, that trend will likely accelerate in 2020 and beyond.
Organizations considering encryption have many options to choose from, ranging from solutions that protect single hard drives to those that facilitate company-wide protection. One of the most important distinctions to consider is between transparent encryption and persistent encryption.
When is your data in the clear?
Encryption can be implemented many different ways, some of which leave data vulnerable as it moves from user to user and device to device. Organizations should understand when their encryption software leaves data in the clear (meaning the data is not encrypted) in order to understand their exposure to internal and external cyber threats.
- Network encryption provides protection for data as it travels across a network. Data is encrypted while in motion from its origin to its destination, but remains in the clear on either side of the transmission, unless another form of encryption is used.
- Transparent encryption provides protection for data at rest. When transparent encryption is applied, the protection is removed before data is accessed, for example when an authorized user copies a file from a file server. This makes the encryption process "transparent" to end users, but also means data exists in the clear any time it is moved or copied from the protected location.
The two most common forms of transparent encryption are full disk encryption and file system encryption.
- Full disk encryption protects data at rest by encrypting all data on a hard drive or other storage device. However, this type of encryption only provides protection in the event that the storage device is physically stolen, because data on a drive is decrypted as soon as the device is powered on and accessed by an authorized user.
- File system encryption protects data at rest in specific locations, usually file or application servers. This method of encryption provides protection against access by outsiders and by unauthorized insiders, because only authorized users or applications can decrypt and access data in the protected locations.
- Persistent encryption is encryption that travels with data as it is shared, copied, and moved from one system or user to another. Depending on whether the encryption is applied to structured data (fields in a database) or unstructured data (files on servers, laptops, desktops, and mobile devices), persistent data encryption can be categorized as either field level encryption or persistent file encryption.
- Field-level encryption is applied to specific columns or tables within a database. If encrypted data is exported for use in another location, the encryption travels with it, protecting it from inappropriate use. To preserve referential integrity, the length and/or format of protected data can be preserved during encryption.
- Persistent file encryption is applied to files on servers, user devices, and other locations, as well as email messages and other forms of unstructured data. Encryption can be applied on a file-by-file basis, or applied to all files within a protected folder. Persistent file encryption remains with files no matter how many times they are copied, shared, or moved, ensuring that only authorized users can access them.
Encryption and compliance
While many data protection regulations—including GDPR, the California Consumer Privacy Act, and New York's cybersecurity law for financial services companies—recommend the use of encryption, few laws explicitly require it, or prescribe a specific way of using it.
For example, the GDPR requirement for security of personal data (Article 32) is to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk," one of which may be encryption. Most other recent data protection laws contain similar language.
While they may not mandate its use, GDPR, the CCPA, and other laws do provide exemptions for companies that use it. The GDPR contains detailed instructions for how and when a company must notify EU citizens after a security breach involving personal data, but companies are exempt from the notification requirements if the stolen data was encrypted, because encrypted data cannot be used by anyone without the right key.
When evaluating their compliance strategies and risks, organizations should consider the distinction between transparent encryption and persistent encryption. If hackers gain access to data protected by transparent encryption and copy it to another location, the encryption will disappear, leaving the data vulnerable to misuse, and leaving the company exposed to fines and other sanctions. Data protected by persistent encryption, however, remains protected even when moved or copied, and is more likely to satisfy regulators and auditors.