Encryption is a powerful tool, but it's not a one-size-fits-all solution. As security expert Bruce Schneier emphasizes, “Cryptography is not a magic pixie dust that can be sprinkled on a system to instantly make it secure”. Similarly, the late Roger Needham reminds us that “if you believe cryptography alone can solve your security woes, you might not fully grasp the complexities of the problem at hand”.
Depending on the use case, there are different ways to think about encrypting “structured data” (information stored in rows and columns) vs. “unstructured data” (information that is constantly flowing in and out of a business via a wide variety of collaboration workflows). For example, an organization embracing zero-trust security practices might seek to encrypt:
- All structured information stored at rest in a database
- Specific structured information stored at rest in certain rows and columns
- All unstructured information stored at rest in products like Box, Drive, and OneDrive
- All unstructured information in motion from point A to point B
- Specific unstructured information shared externally with others
In all of these cases mentioned above, encryption can be an incredibly useful tool for protecting sensitive data, but its implementation requires careful thought based on the type of data being protected and the specific use case.
Structured Data Encryption
Structured data refers to information that is “tabular” in nature. Such data is generally tagged, classified, and well organized making it easy to put into a database via columns and rows or flat files. Think transactional information, sensor data, customer lists, financials, and employee records — which can be labeled, filtered, and sorted.
In today's world, most organizations have developed fairly mature strategies for leveraging encryption as a tool to help protect sensitive structured data that they possess and store in databases within the internal IT infrastructure.
When encrypting structured data, the primary challenges revolve around usability and flexibility. Since database contents are accessed and filtered programmatically based on specific fields and values, the data needs to remain queryable even in its encrypted state. This limits the encryption methods that can be used, and is one reason why there is growing interest in homomorphic technologies which allows encrypted data to be programmatically analyzed as if it were still in its original form.
Historically, only certain database fields or columns contain highly sensitive information requiring encryption. Encrypting an entire database, while easy to do, is often impractical as it would render the whole database unusable. Instead, selective encryption of only certain columns has often been preferred. This allows less sensitive fields to remain in the open where they can be programmatically analyzed, and yet still encrypt a limited set of data that is considered highly sensitive.
The encryption keys themselves must also be carefully managed to prevent unauthorized access. This adds complexity, especially when encryption needs to be implemented in a way that allows querying across multiple databases.
Unstructured Data Encryption
In contrast, unstructured data includes all of the files your teams work with on a daily basis, and it comes in many forms of content — documents, PDFs, videos, images, audio clips, and more. Massive amounts of brand new unstructured data is created every single day. According to research from IDC, organizations globally will generate over 73,000 exabytes of unstructured data in 2023 alone, and unstructured information represents 80% to 90% of every organization's data estate.
Different from structured data, the contents of unstructured data do not need to remain queryable or analyzed programmatically after encryption. Thus, almost any symmetric encryption algorithm can be applied to encrypt that information. In today's world, there are three basic scenarios in which organizations typically leverage encryption to protect unstructured data:
- encrypt information at rest inside of your organization
- encrypt information in transit via the TLS standard as it flows over the web
- encrypt information via the TDF standard in a manner that allows you to enforce access control and policy even after it's left your possession
In all three of the above scenarios, it is critical that you have a reliable and scalable (and hopefully simple) way to manage encryption keys.
In scenario #3 above, Virtru offers a unique and remarkably simple data centric security service, powered by the TDF standard, which enables your employees to share sensitive unstructured data with external third-parties via email, file and SaaS workflows -- without sacrificing security, privacy, and compliance.
In summary, while encryption is just one tool for securing sensitive data, it plays a critically important role on the zero trust data control plane. When applying encryption, it is essential to consider the nature of the data, usability requirements, and key management capabilities. With careful and thoughtful implementation, encryption itself plays an important role in every zero trust security transformation journey.
