Encryption Complexity

Most encryption implementations protect against the wrong threat: they do nothing to counter modern data breach risk and attacks.

Common Misconceptions With Encryption

Across the industry, from security professionals to auditors, there are common misconceptions about encryption methods; many people are confused about which threat model and which risks a given method actually mitigates.

Without understanding the methods and what you are protecting against, it’s difficult to ensure the appropriate data protection model. Further, actually implementing encryption can be quite complex with several interdependencies.

Read our article on the threat model and how these gaps do not stop attackers in “Why you can’t stop data breaches – Part I”.

Read the article by our CTO, PD Kolte, on “Why data tokenization is insecure”.

Below is an overview of some of the different methods that are commonly available.

Disk Level Encryption
Encrypts data at the physical disk layer and protects against physical data theft of a hard drive or laptop. Operating system access provides full access to the data in the clear.

Transparent Data Encryption (TDE)
Provides encryption of a database as a container on the file system. This protects against physical data theft and against access from a non-DBA who may have access to a system where the database resides. Access to the database provides full access to the data in the clear.

Field Level Encryption
Encrypts columns or fields of data in a structured data environment. This protects against privileged users and DBAs with access to a database, insider threat, 3rd party developers, and attackers moving laterally (east-west) in an environment from seeing sensitive data in the clear. This method is sometimes referred to as Application Level Encryption (ALE).

Record Level Encryption
Encrypts data on a per row or record basis in a structured data environment using different keys for different rows. This helps prevent oversharing of data in co-mingled data stores or multi-tenant SaaS environments and can also be applied to segment data based on classification. This method is sometimes referred to as Record Level Encryption (RLE).

All of these methods are commonly referred to as Encryption At-Rest. Perhaps part of the issue is with the term “Encryption At-Rest”, because technically, all of these methods are at-rest encryption options. But clearly the risk mitigation provided is different based on the data protection method.

On the right is an example of Transparent Data Encryption (TDE).

As you can see, anyone with access to the database sees the data in the clear.

  • It does nothing to protect against a modern day hack or breach (most recent breaches had TDE in place and data was still stolen)
  • Data in the logs is in the clear, which violates compliance regulations such as PCI
  • Data in memory is in the clear
  • Attackers moving laterally in the network gain access to data in the clear

To the left is an example of Application Level Encryption or Field Level Encryption.

  • Privileged users and insiders with access to the system see the data encrypted
  • Attackers accessing the system laterally through the network see encrypted data
  • Data in logs is encrypted
  • Data in memory is encrypted
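As an added example (not code from Baffle or from the original page), the field level model above written in Go: the application encrypts the sensitive column with AES-256-GCM before the value reaches the database, so the stored column, the query logs and the database process memory only hold ciphertext, and for the record level variant a different key per tenant means one tenant's key cannot open another tenant's row. The per-tenant key derivation (a hash of a master secret) and the sample values are assumptions made for this example, not a production key management design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// TenantKey: one key per tenant (record level encryption). SHA-256(tenant||master) is an example stand-in for a KMS lookup.
func TenantKey(master []byte, tenant string) []byte {
	k := sha256.Sum256(append([]byte(tenant+":"), master...))
	return k[:] // 32 bytes, so AES-256
}

// NewFieldCipher builds the AES-256-GCM cipher used for one column under one key.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField runs in the application before the value reaches the database; its
// result, hex(nonce||ciphertext||tag), is all the column, query logs and DB memory hold.
func EncryptField(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField succeeds only under the key the field was encrypted with; the GCM
// tag rejects another tenant's key or a value altered inside the database.
func DecryptField(gcm cipher.AEAD, encoded string) (string, error) {
	ct, err := hex.DecodeString(encoded)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

A DBA or an attacker querying the table directly gets the hex string that EncryptField produced; only the application holding the tenant's key can turn it back into the original value.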

Our Solution

Baffle delivers a transparent data protection service layer that secures data at the field or file level via a "no code" model. The solution supports tokenization, format preserving encryption (FPE), database and file AES-256 encryption, privacy preserving analytics and access control. As a transparent solution, cloud native services are easily supported with almost no performance impact.

  • Simple: no application code modification required
  • Fast: virtually no performance impact
  • Seamless: integrates easily into your infrastructure
  • Secure: AES encryption in memory, in use, and at-rest
