Application-Level Encryption: Today's Challenge
When you encrypt information at the application level, you can protect sensitive data and control access in a more fine-grained way than is possible with almost any other form of encryption. In many ways the application is the obvious place to encrypt and decrypt data because the application knows exactly which data is sensitive and can apply protection selectively. The application frequently also knows about users, roles, and entitlements and can provide access accordingly. Contrast this with encryption used within storage systems, portable media, or networks, where data is typically encrypted on an all-or-nothing basis because those systems have no knowledge of data classes or specific user entitlements and therefore have limited ability to be selective. Application-level encryption can be policy-based and geared to specific data protection mandates such as PCI DSS. It can provide highly targeted protection that is invoked only when necessary. This protection can be tightly controlled and supervised, even requiring dual controls or other layers of procedural protection that, taken together, directly support compliance reporting obligations.
With application-level encryption you can tailor the type of data protection to the needs of the specific application and business process, creating the highest levels of assurance for your most sensitive data. In addition, if you protect data at the application level, downstream systems—databases, file systems, and storage environments—are exposed only to encrypted information. If they have no means of transforming the data into a readable format, and are segregated from systems that do, then they can be taken out of scope for compliance and auditing purposes. However, organizations considering implementation of application-level encryption face several challenges:
- Adding or changing application-level encryption will typically require modifying the application, which will not be appropriate in every situation. With off-the-shelf software or cloud services, for example, you won’t have the ability to modify the application. Even if you wrote your own application originally, the skills and resources required to change that application may no longer be available.
- If you are concerned with many different business applications, the task of applying application-level encryption in a uniform way across all those applications may pose both technical and organizational challenges.
- Encryption can be a CPU intensive task, consuming valuable systems resources, so if you build encryption into the application layer, you face the challenge of identifying potential performance bottlenecks.
- When considering application-level encryption, you should take into account the ways data is exchanged with other systems. If systems share common data and expect that data to be in a specific format, for example, then you should take steps to avoid breaking one system just by adding encryption to another; format-preserving encryption options are helpful in this case.
Sharing encrypted data between applications means sharing keys, which relies on shared trust models and potentially shared key management systems.
Risks Associated with Application Level Encryption
- Attackers can use development tools, intended for tasks such as application monitoring or debugging, to gain access to encryption keys or simply to turn off encryption, unlocking information within the application.
- Developers adding encryption to applications are often tempted to implement complex cryptographic algorithms themselves. As this practice can introduce unnecessary security flaws, it’s always best to use pre-certified cryptographic implementations.
- While adding encryption to application code has its challenges, these can be minor when compared to the issue of key management. Because inadequate key management can result in stolen or unusable information, developers need to decide whether to include native key management functionality or rely on external key management systems.
- For high-volume, high-speed applications, encryption can degrade performance, limiting capacity and introducing latency, particularly if encryption is being added to an application retrospectively.
Application-Level Encryption: Thales e-Security Solutions
Products and services from Thales e-Security can help you deploy application-level data protection for your most sensitive applications. With the flexibility to handle a broad spectrum of applications, from fully automated, high-volume applications to tightly supervised, low-volume, but nevertheless highly sensitive applications, Thales solutions deliver the data protection and operational efficiency your critical applications require.
nShield hardware security modules (HSMs) create a trusted platform where cryptographic processes can be performed safely and where key material can be protected and managed securely. This trusted layer overcomes the risks inherent in open system software environments in which applications typically execute. With nShield HSMs, developers and organizations have the best of all possible worlds—the ability to take advantage of proven and pre-certified cryptographic libraries, use native cryptographic offload and acceleration capabilities, and exploit a wide range of key management tools to deliver a high degree of control and flexibility. Not only do nShield HSMs provide high levels of assurance for cryptographic operations through the use of tamper-resistant hardware, they also provide the ability to physically protect higher-level application processes through the unique CodeSafe functionality.
- Secure a broad range of applications by mapping diverse security policies and processes to a flexible and hardened data protection platform.
- Take advantage of hardware-based security without compromising on performance or manageability.
- Execute particularly sensitive code within a secure execution environment inside the HSM.
- Deploy with confidence and accelerate implementation projects; Thales’ partnerships with leading vendors deliver HSMs that are pre-certified to work with a wide range of applications and development platforms.
- Maintain high levels of application performance by offloading cryptographic processes onto the HSM.
- Simplify compliance reporting through streamlined policy definition and improved auditability of key business processes.