Data protection is a growing concern for organisations – be it big or small. Indian enterprises are seriously looking at data encryption technologies to protect the corporate data. Almost all organisations back up their data regularly and maintain offsite copies for data retention and disaster recovery purposes. However, despite the fact that backup tapes contain confidential and regulated data, few companies have taken the necessary steps to ensure that data backed up and transported offsite for storage is secure.

Encryption provides the highest level of protection and is the most secure way to protect backup tapes. Another driving factor behind data encryption is unwiring your enterprise data and making them available to customers, partners and vendors.

Therefore, both hardware and software majors are coming up with latest encryption technology enabled solutions. According to Arun Ramachandran, head, Presales and Professional Services, India and Subcontinent, Sybase, “The software based unwired enterprise solutions offer security features at every level in unwiring an enterprise data. This includes security features which will prevent data loss from lost or stolen mobile devices, security features at data integration solution which abstracts and transforms the data so that sensitive information is not exposed.”

Hardware and software-based encryption

An enterprise may require both software and hardware-based data encryption. Software encryption is being adopted widely by the industry as it offers better granularity and control on the data being encrypted or decrypted. Encrypting data at rest rather than traditionally encrypting data in motion is an important emerging trend.

Software-based encryption is slower as compared to hardware, but can be very granular which gives an overall performance boost to the select set of data that needs to be retrieved or updated. “Software encryption uses industry standard encryption algorithms such as AES-256 to encrypt data. Encryption keys are used to encrypt and decrypt data. The storage, management and distribution of keys are important factors. If it takes the latest supercomputer an almost infinite time to crack data encrypted using AES-256, a compromised key can get it done in seconds. Many databases support encryption of sensitive tables, rows or columns at origin. The advantage of encrypting data at its origin is that it encrypts only the data that needs to be encrypted, thereby minimizing overhead,” explains Ramachandran.

Hardware-based encryption is quick but not granular enough. Hence, retrieving a small set of data can be expensive in terms of performance and latency. Sunny John, country manger, Quantum, states, “Hardware-based encryption is more popular in India. Software encryption takes CPU cycle time and makes the system slow. Hardware encryption use special processors that encrypt/decrypt data at the lowest binary level of data. They are normally used to encrypt an entire disk or tape.”

Nonetheless, encryption slows database performance. The encryption and decryption of encrypted columns can add processor overhead to every transaction.

Implementing appropriate data access control

“A prerequisite to implementing effective data access control is that organisationsclassify their data into security classes that can be used for different policies, procedures and management. The bottom line is that not all data is born equal and different data types require different levels of protection,” believes Soumitra Agarwal, marketing director, NetApp.

Security analysts suggest that adopting four classes such as very confidential, confidential, company internal and public/non sensitive of data is sufficient for most organisations and that such an approach will provide an adequate balance between security and ease-of management. Once the data is classified, companies need to put policies, procedures and access control methods in place to match appropriate levels of security.

The CIO must consider the overall applications in the organisation and accordingly decide the level at which encryption is required. Database level encryption is the most appropriate, since the database stores, updates and retrieves data. The performance is tuned to suit the data set of the organisation.

“The CIO should consider if the entire database or a table need to be encrypted. There are few columns such as credit card number, bank account number, social security number and pan card number that are sensitive. The stock of the number of coconut oil bottles in your inventory table need not be encrypted. So encrypting the columns using a column level encryption strategy is very optimal to most customers,” opines Ramachandran.