What is Data Encryption?
Data encryption scrambles a piece of data, making it unreadable to any person, service, or device without the key to unlock its content. Encryption makes files, disks, objects, streams, and other types of data private between an encryptor and a key holder. Even if a third party has access to encrypted data, they cannot access the data without the key. Data encryption is a fundamental part of enterprise cybersecurity.
How does data encryption work?
Modern encryption systems typically use either symmetric or asymmetric encryption, both forms of cryptography.
Symmetric encryption
Symmetric key encryption uses a single secret key for both encrypting and decrypting data. Because the same key does both jobs, the sender and receiver must both possess it in advance, which means it has to be exchanged over some channel that is itself secure.
Generally, symmetric encryption is faster and more efficient than asymmetric encryption, which makes it well-suited for encrypting large amounts of data.
Asymmetric encryption
Asymmetric encryption uses a pair of mathematically linked keys, one public and one private:
- A public key is a key used to encrypt data that other people send to you. You share this encryption key publicly with your contacts. It does not need to be secret.
- A private key is a key that you keep secret and use to decrypt confidential data that people send to you with the public key.
This system eliminates the need to securely exchange a shared key, which is one of the most significant limitations of symmetric encryption.
Organizations often use asymmetric encryption in the following ways:
- Using digital signatures
- Securing web browsing (HTTPS) sessions
- Encrypting sensitive messages between parties who haven’t previously exchanged keys
Asymmetric encryption is also sometimes called public-key cryptography.
What is data encryption used for?
Individuals and organizations use encryption methods to protect data and comply with regulatory standards. It is possible to encrypt data at rest, in transit, and end-to-end, between devices across a network.
At-rest encryption
Data at rest is data that you have in storage. Data in storage may be data stored on a hard drive, in the cloud, or in a database. For example, organizations often maintain a synchronized backup of critical data, encrypted at rest, in the cloud.
In-transit encryption
Data in transit refers to data being transferred from one system to another over a network. An example is the interaction between a web browser and a server. When you visit a secure website, such as a bank, the browser and the server encrypt their traffic using Transport Layer Security (TLS), the protocol behind HTTPS. TLS also authenticates the server through its certificate, so the browser knows it is talking to the bank and not to an impostor. Someone could intercept this banking data on the network, but it would be unreadable.
End-to-end encryption (E2EE)
End-to-end encryption encrypts data on the sending device, and only the intended recipient's device holds the key to decrypt it. Unlike in-transit encryption, which protects each network hop but lets the servers in between read the data, E2EE keeps the data unreadable to every system along the way, including the service provider's own servers. For example, a secure messaging app encrypts message content on your device, and it is only decrypted once your approved contact receives it in their app.
What types of data should be encrypted?
Organizations commonly use encryption to secure sensitive or regulated data.
Financial data
Encryption during storage and in transit is a best practice for securing sensitive financial data, including transactions, account details, and credit histories. In the financial sector, numerous compliance regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS), require strict data encryption rules and processes. Encryption here helps prevent fraud and unauthorized access.
Commercial data
Many organizations will also want to encrypt sensitive business data, such as proposals, customer contracts, service level agreements (SLAs), and supplier contracts. Specific industries and countries require compliance with regulations and laws, such as the General Data Protection Regulation (GDPR), that cover encryption standards. Companies encrypt data to avoid financial or reputational harm in the case of a data breach.
Human resources data
A mix of federal and local laws typically regulates how organizations must secure human resources (HR) data, especially personally identifiable information (PII) of employees. HR data is also commonly shared with third-party platforms, which can create opportunities for it to be revealed or intercepted.
Personally Identifiable Information (PII)
Personally identifiable information (PII) includes data that, if disclosed, could be used to identify an individual. Names, addresses, and Social Security numbers are all examples of PII. Encrypting PII helps organizations prevent identity theft and ensures compliance with global privacy laws.
For example, regulations such as GDPR in the European Union and the California Consumer Privacy Act (CCPA) require organizations to protect PII in their custody. Encryption is a commonly used tool to meet these standards.
Protected Health Information (PHI)
Healthcare providers, insurers, and HR departments handle protected health information (PHI), which includes medical or health-related information that is associated with an individual. Examples of PHI include electronic medical records, treatment histories, and pharmacy prescription data.
Laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the US mandate the implementation of data security measures. These measures protect the confidentiality, integrity, and availability of electronic PHI (ePHI). As with PII, encryption is a common tool used to meet HIPAA and other PHI standards.
What is the difference between hashing and data encryption?
A hashing algorithm takes data of any size, such as a file or message, and computes a short fixed-length value called a hash (or digest). A secure hash function is collision resistant: it is infeasible to find two different inputs with the same hash, so if someone or something alters the original data, even slightly, the hash value changes. Hashes are therefore widely used to verify data integrity.
In contrast to encryption, hashing algorithms are one-way functions: they use no key and cannot be reversed to recover the input. Because anyone can recompute a plain hash, a hash on its own proves integrity, not authenticity. Proving who produced the data requires a key, either a shared key (a message authentication code such as HMAC) or a private key (a digital signature). Organizations therefore combine hashing with keyed cryptography to verify that data is both unaltered and from the expected source.
What is the difference between digital signatures and data encryption?
Digital signatures are a tool to verify who sent data and that it arrived unaltered. They combine public-key cryptography with hashing.
Digital signatures work through the following process:
- The sender computes a hash of the data.
- The sender applies their private key to that hash; the result is the digital signature. (With RSA this is often described as encrypting the hash with the private key, but signing is a distinct operation and should use a dedicated scheme such as RSA-PSS or ECDSA.)
- The recipient receives the data along with the signature. They verify the signature with the sender's public key and independently compute a new hash of the received data, then compare the two.
If both hashes match, the recipient can be confident that the holder of the private key produced the data and that it was not altered in transmission. The signature binds the data to a key pair; trusting that the key belongs to a particular person or organization requires a separate step, such as a certificate issued by a trusted authority.
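The contrast between a plain hash, a keyed hash, and a signature, as an added example in Go (not part of the original article). It uses only the Go standard library: SHA-256 for the plain hash, HMAC-SHA256 as the keyed variant, and RSA-PSS with SHA-256 for the hash-then-sign process described above. The message text and the HMAC key are constructed for the demonstration, and the names Digest, Tag, VerifyTag, Sign and Verify are this example's own.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Digest is a plain SHA-256 hash: 32 bytes whatever the input size, one-way,
// and keyless. It reveals that data changed only if the checker already holds
// a trusted copy of the hash, because anyone can recompute it for new data.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// Tag is HMAC-SHA256, a keyed hash. Producing a valid tag requires the shared
// key, so it proves integrity and origin, but only among parties holding the
// key; it cannot show a third party which of them produced the message.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag uses a constant-time comparison so timing does not leak tag bytes.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Sign follows the hash-then-sign process from the text: hash the data, then
// apply the private key to the hash (RSA-PSS with SHA-256, the Go default salt).
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(data), nil)
}

// Verify recomputes the hash of the received data and checks the signature
// against it with the sender's public key. Any change to the data, or a
// signature made under a different private key, fails.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(data), sig, nil) == nil
}

func main() {
	// Constructed sample: an instruction whose origin the recipient must trust.
	msg := []byte("transfer 5000 USD to account 1234")
	altered := []byte("transfer 5000 USD to account 9999")

	// 1. Plain hash: shows the change, but an attacker simply recomputes it.
	fmt.Println("hash(msg)     =", hex.EncodeToString(Digest(msg)))
	fmt.Println("hash(altered) =", hex.EncodeToString(Digest(altered)))

	// 2. HMAC: the attacker lacks the shared key, so a forged tag fails.
	key := make([]byte, 32) // constructed random key for the demo
	if _, err := rand.Read(key); err != nil {
		log.Fatal(err)
	}
	tag := Tag(key, msg)
	fmt.Println("hmac on original verifies:", VerifyTag(key, msg, tag))
	fmt.Println("hmac on altered verifies: ", VerifyTag(key, altered, tag))
	fmt.Println("attacker's tag verifies:  ", VerifyTag(key, altered, Tag([]byte("guess"), altered)))

	// 3. Signature: anyone with the public key can check it; only the
	//    private-key holder can produce it.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	sig, err := Sign(priv, msg)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("signature on original verifies:", Verify(&priv.PublicKey, msg, sig))
	fmt.Println("signature on altered verifies: ", Verify(&priv.PublicKey, altered, sig))
}
```

The three outputs line up with the distinctions in the text: the hash changes when the data changes but anyone can produce a matching new one, the HMAC can only be produced by a key holder, and the signature can be checked by anyone yet produced only by the private-key holder.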
What are common data encryption standards?
The most widely used symmetric encryption standard today is the Advanced Encryption Standard (AES); much of the world's internet traffic is encrypted using AES. The most common asymmetric standard is Rivest-Shamir-Adleman (RSA). RSA is far more computationally intensive than AES and can only encrypt a message shorter than its own key, so it is used for small values such as symmetric keys, and for digital signatures.
AES and RSA are therefore used in combination. The bulk data is encrypted with a freshly generated AES key, and RSA encrypts only that AES key, which travels alongside the ciphertext to the recipient. This pattern is known as hybrid encryption (or envelope encryption).
Advanced Encryption Standard (AES)
AES is a specification for symmetric encryption established in 2001 by the U.S. National Institute of Standards and Technology (NIST). AES uses the Rijndael algorithm developed by cryptographers Joan Daemen and Vincent Rijmen and supports key sizes of 128, 192, or 256 bits (AES-128, AES-192, and AES-256), always operating on 128-bit blocks. The block cipher itself only transforms one block at a time; in practice it is used within a mode of operation such as GCM, which both encrypts arbitrary-length data and authenticates it.
RSA
The name of RSA comes from the MIT scientists who developed it in 1977: Rivest, Shamir, and Adleman. It multiplies two secretly generated large prime numbers to form the modulus shared by the public and private keys. RSA's security rests on the "factoring problem": no efficient classical algorithm is known for recovering the prime factors of numbers as large as those used in RSA keys, so the private key cannot be derived from the public one.
Data Encryption Standard (DES)
Data Encryption Standard (DES) is an older encryption standard, adopted in 1977 and withdrawn by NIST in 2005 after AES replaced it. It uses a 56-bit key to encrypt data in 64-bit blocks. That key space is small enough to search exhaustively: a purpose-built machine recovered a DES key by brute force in 1998, and commodity hardware does so far faster today. Although it cannot withstand modern attacks, DES is still found in legacy systems.
What are some considerations in choosing a data encryption technique?
The data encryption techniques you choose should do more than just secure data. These techniques should align with business goals and comply with regulatory requirements.
Consider these four factors when selecting encryption techniques for your organization.
Evaluate asset sensitivity
Not all data requires the same security. Sensitive data may require full end-to-end encryption. Less sensitive data may need less or no encryption.
Understand the security environment
Some organizations as a whole are attractive targets, such as financial institutions or government agencies. Others, such as app companies, may hold little data at rest on their own infrastructure but still process sensitive data in transit and on third-party platforms, which carries its own risk. Select techniques that are appropriate to the risk profile of each set of digital assets within your organization.
Use modern standards
Not all encryption algorithms offer the same level of protection. DES, its derivative 3DES (which NIST has also deprecated), and other older standards cannot protect against modern attacks. Look for encryption services that use current standards, such as AES-256 in an authenticated mode such as GCM and RSA with keys of at least 2048 bits, and avoid custom or proprietary algorithms.
Meet compliance requirements
Many industries and jurisdictions have specific regulations that require encryption for protecting sensitive data. For example, PCI-DSS mandates that organizations securely process and transmit consumer credit card information.
How can AWS help with your data encryption requirements?
AWS has a range of services to support cloud-based encryption and key management.
AWS CloudHSM allows you to generate and use cryptographic keys on dedicated Federal Information Processing Standards (FIPS) 140-2 Level 3 single-tenant hardware security module (HSM) instances. AWS CloudHSM promotes compliance using customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC).
AWS Key Management Service (AWS KMS) is a service that allows you to create and control keys used to encrypt data within your applications. Client applications can encrypt data locally with the AWS Encryption SDK, a client-side encryption library that uses AWS KMS keys to protect the data keys it generates.
AWS Payment Cryptography simplifies cryptography operations in your cloud-hosted payment applications.
AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS KMS.
Get started with data encryption on AWS by creating a free account today.