Randtronics DPM

Encryption and field-level data privacy protection is now an essential requirement. 

Cyber protection is an arms race and sophisticated attackers continue to demonstrate their ability to penetrate the defenses of technically sophisticated organizations.

Relying on good fortune is not an option and business leaders must assume that attackers will at some point penetrate their external perimeter and thus must ensure that sensitive data is not stored in readable format with the ability to read this information tightly controlled. 

Encryption is becoming a legal necessity for all organizations with increasingly stiff penalties for organizations that fail to comply. Personal data protection legislation such as the EU’s GPDR are  imposing new data protection obligations on top of industry specific requirements and best practices such HIPAA for health records and PCI-DSS for payment  

The big questions today are no longer 'should we use encryption' but are instead  ‘how’ to implement encryption and field-level data protection across all systems to tightly control who can see data in readable format, and how to manage this protection layer without impeding the organizations' ability to operate.

Transparent Data Encryption (TDE) is a security technology used to protect sensitive data at rest by encrypting it on storage media, such as hard drives or databases. TDE works by automatically encrypting data as it is written to disk and automatically decrypting data as it is read from disk, without requiring any changes to the applications that access the data.

The encryption and decryption process is transparent to the user and applications, hence the name "transparent" data encryption. This means that data can be stored in an encrypted form, but still be accessible to authorized users without requiring them to enter any additional passwords or perform any manual decryption steps.

TDE typically uses strong encryption algorithms such as Advanced Encryption Standard (AES) to protect data, and the encryption keys are managed by the database management system or operating system to prevent unauthorized access. TDE provides an additional layer of security to protect sensitive data in case of data theft or loss of storage media.

Full Disk Encryption (FDE) is a security technology used to protect the data stored on a computer's hard drive or other storage devices by encrypting the entire disk. When a disk is encrypted with FDE, all data stored on the disk, including the operating system, application files, and user data, is encrypted using a strong encryption algorithm.

FDE ensures that if an unauthorized person gains access to the computer or storage device, they will not be able to access the data without the encryption key. This provides an additional layer of security beyond the typical user authentication methods, such as passwords, which can be bypassed by someone with physical access to the device.

FDE can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).

Volume Encryption is a security technology used to protect specific volumes or partitions on a storage device, rather than the entire disk as in Full Disk Encryption (FDE). When a volume is encrypted, all data stored on that volume is encrypted using a strong encryption algorithm.

Volume encryption allows users to encrypt only the data that is most sensitive, while leaving other data on the disk unencrypted. This can be useful in situations where the entire disk does not need to be encrypted, but specific volumes or partitions containing sensitive data need to be protected.

Volume encryption can be implemented at the hardware level, such as through self-encrypting drives (SEDs), or at the software level, such as through operating system-level encryption software like BitLocker (Windows) or FileVault (macOS).

Randtronics DPM easyCipher provides Transparent Data Encryption (TDE) protection of files and folders.

Files and folders protected can be entire databases or the contents of laptops, file servers, web servers or Network Attached Servers (NAS).

Randtronics DPM easyCipher is a two tier solution with a central management platform that defines and manages encryption policy and locally deployed agents that are responsible for encryption operations.

Randtronics TDE is implemented in a two-tier manager-agent architecture that provides three major advantages compared to using the TDE options provided by individual database vendors (native TDE):

1. Protection for native TDE covers only the database. Randtronics TDE can extend protection to cover the entire contents of the database server plus any file server or laptop that holds reports or analytic materials based on database contents
2. Native TDE is controlled by database administrators (DBAs).ﾠ ﾠRantronics TDE is centrally managed and monitored.
3. Randtronics TDE offers the simplicity of a single, standardised method for encrypting any databases is deployed in a Windows, Linux or Kubernetes environment

Randtronics TDE offers fine-grained access control over what users and applications have access to any file or folder.

Full Disk Encryption (FDE) offers a simple open/locked protection for a hard disk.

FDE provides no protection between users or against hackers who typically access computers via network.ﾠ

Privileged users:ﾠ systems administrators (Sys Admins), database administrators (DBA's) and application administrators by definition have the ability to perform far more activities than standard users.

Privileged User credentials are consequently highly prized by hackers wishing to circumvent security measures.

Many traditional data security measures focus on protecting a single platform and by necessity the administrator of that platform has the means of managing and hence circumventing security.ﾠ ﾠﾠ

Randtronics Data Privacy Manager is a policy-based data security platform that separates the management of data protection policies away from the control of Sys Admins, DBA's and Application Administrators.

Enterprise Key Managers (EKMs) are data security platforms that securely manage encryption keys and digital certificates.

EKMs such as Randtronic's DPM easyKey provide a centralized, standardized means of managing keys for multiple applications at scale.

Randtronics DPM easyKey is software-only key management solution that also has the capability to integrate and manage the key protection capabilities of hardware key stores.

Object-level data protection refers to encryption of whole files, folders, databases, file services and/or Network Attached Storage (NAS) devices.

Randtronics DPM easyCipher product provides object-level Transparent Data Encryption protection.ﾠ

Object-level protection has the advantage of being extremely simple to implement and rapid to deploy with minimal impact on users and processing times.

Field-level protection refers to the protection of content within flat files and databases.ﾠ Field-level protection methods include encryption, tokenization and data-masking.

Randtronics DPM easyData is a field-level data protection engine used to provide

i) Column level data protection to Oracle and MS SQL Server databases

ii) Field-level data protection for flat files, andﾠ

iii) Field-level data protections for data strings within applications

Increasingly public cloud platforms offer built-in encryption protection.

Users of Randtronics DPM storing data on public cloud platforms have the option to deepen the layers of protection with additional protections that are independent of the cloud platform provider.

Use cases include:

• Key Sovereignty - exerting control over the physical location and security of encryption keys
• Data-in-use - adding field-level protections such as tokenization, masking or anonymisation to allow data to be shared without compromising data security

Data at rest refers to data in storage.

Randtronics DPM enables organizations to store data in protected form and thus mitigate the risk of a cyber attack resulting in a data breach. 

Data in use refers to data being held in memory and being operated upon by a application.

Randtronics DPM provides organizations to mitigate the risk of data-in-use data breach through the use of tokenization, data-masking and data-anoymization techniques.

Data in transit refers to data being transferred between systems.

Randtronics DPM offers organizations multiple methods of protecting data-in-transit

i) Field-level protections: Tokenization, Data Masking and Anoymization allowing data to be transmitted and shared without risk of breach

ii) DPM easy2Go, a utility for encrypting files for sharing via insecure mediums or media with external users.   

Tokenization refers to the reversible substitution of protected data with a token.

Encryption refers to the reversible disguise of data using an encryption key.

Format preserving Tokenization and format-preserving encryption refers to restricting the choice of token characters or cipher text characters.  This is typically done to maintain alpha-only, numeric or alpha-numeric formats and thus maintain compatibility with systems that use strong data-types. 

The effectiveness of encryption systems in preventing data loss rests on three legs

a) Difficulty of breaking encryption - traditional encryption relies on the use of encryption keys that are mathematically hard to guess.ﾠ The growth in computing power has required keys to become longer.ﾠ ﾠ The introduction of quantum computers introduces the prospects of future computers being able to quickly break traditional keys and the need to replace keys with new generation of quantum-safe keys.ﾠ ﾠ A key advantage of enterprise key management systems such as DPM easyKey is the ability of organizations to centrally manage all encryption keys and digital certificates with the ability to easily upgrade keys with stronger variants over time

b) Difficulty of by-passing encryption - traditional encryption systems operate at the level of a single computer or database and are thus vulnerable to being bypassed by the privileged users responsibility for administering that platform.

c) Inability to find unprotected copies of sensitive dataﾠ - copies of sensitive data can exist in reports,ﾠ analytic systems, test data sets all of which need to be protected.ﾠ Hence a truly effective encryption systems needs to be able to sensitive protect data wherever it resides.

Database encryption is the process of converting plain text information into an unreadable code that can only be deciphered with a key or password.

This protects sensitive information from unauthorized access and theft of content.

The two main types of database encryption are

a) Transparent Data Encryption (TDE).ﾠ ﾠ After data is encrypted, data is transparently decrypted for authorized users or applications. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.

Depending on the implementation TDE be applied at the tablespace level (whole of database) or selectively at a Column level.

Many database vendors offer TDE solutions for selected version of their database products.ﾠ ﾠTypically the addition of TDE requires purchase of an additional licence.

Randtronics DPM easyCipher is a TDE product that sits outside of the database and can provide tablespace level TDE as well as protecting other files on the database folder such as report folders, analytics applications or other areas where potentially extracts of sensitive dataﾠ may exist.

Randtronics DPM easyCipher enables TDE protection for any database that runs in a Window/Linux or Kubernetes environment and thus can

b) Field-level Encryption

File-level encryption when integrated with an enterprise access control system (Randtronic DPM being an example) allows for multiple users to access IT systems whilst preserving the ability to grant or deny access to any user or application to a given file.

Full-Disk and Volume Encryption are basically either on or off - once unlocked, anyone can access anything.ﾠ ﾠﾠ

Full-Disk and Volume Encryption are often used to lock down data in the event that a device or hard-drive is physically stolen.ﾠ ﾠHowever, File-level encryption can also do this whilst a much deeper level of data protection

Starting with an illustration

Jane.Doe@gmail.com

In anonymized form might be

asfasdfas@dsdfdfsdf

Data that has been anonmyized is completely safe in the sense that that it is simply not possible to re-identity the individual by matching the scrambled data field with other records

Pseudonymized form might be:

asdfsfsf@gmail

Pseudonymized form still has some useful information - in this case gmail.com tells us that the person isn't using a work account.     However, for example if the email address was something less generic then given access to a another list of user names and email it might be possible to rematch the record back to Jane Doe.

Examples of pseudonymization include obscuring all but the last 4 digits of a bank account number -- so a clerk can distinguish between a customers various accounts but still not know the full account details.  

Historically, encryption protection an additional feature added to IT systems giving rise to a situation where an organization have may multiple, incompatible data protection 'silos',  each of which requires specialist skills to administer and of course,  changes in one do not automatically flow on.

By contrast a centralized policy-based management system for encryption, other forms of data protection and encryption keys provides a single point of administration.

The benefits of a centralized policy-based system include

• consistency - ensuring that changes are automatically applied everywhere
• role separation - data privacy can be administered independent of the IT organization.   Privileged IT accounts are prime targets for hackers and a centralised policy-based data protection system enables an organization to isolate privileged IT accounts from access to  sensitive data

Encryption keys come in four basic forms: symmetric, asymmetric, public and private.

Enterprise encryption systems typically use asymmetric, public and private keys as symmetric encryption systems have some significant limitations.

• Symmetric encryption: Symmetric-key cryptography uses a single encryption keyﾠ for both encryption and decryption of data.ﾠﾠ
• Asymmetric encryption:ﾠIn asymmetric keys, a pair of keys are used to encrypt and decrypt the data. Both keys are paired with each other and created at the same time. They are referred to as public and private keys
  • Public keysﾠprimarily encrypt the data and are only used to encrypt the data, not to decrypt
  • Private keysﾠare used to decrypt the data. This is the only key that can decrypt the encrypted data. Should be password-protected

Symmetric-key encryption has some advantages,ﾠ it doesn't require a complex backend infrastructure and encrypt/decrypt algorithm is fast but there are some significant limitations and challenges, including: