Data encryption is a computing process that encodes plaintext/cleartext (unencrypted, human-readable data) into ciphertext (encrypted data) that is accessible only by authorized users with the right cryptographic key. Simply put, encryption converts readable data into some other form that only people with the right password can decode and view – and is a vital component of digital transformation.
Whether your business produces, aggregates, or consumes data, encryption is a key data privacy protection strategy that keeps sensitive information out of the hands of unauthorized users. This page provides a very high-level view of what encryption is and how it works.Encryption uses a cipher (an encryption algorithm) and an encryption key to encode data into ciphertext. Once this ciphertext is transmitted to the receiving party, a key (the same key, for symmetric encryption; a different, related value, for asymmetric encryption) is used to decode the ciphertext back into the original value. Encryption keys work much like physical keys, which means that only users with the right key can ‘unlock’ or decrypt the encrypted data.
Encryption vs. tokenization
Encryption and tokenization are related data protection technologies; the distinction between them has evolved.
In common usage, tokenization typically refers to format-preserving data protection: data protection that substitutes a token – a similar-looking but different value – for individual sensitive values. Encryption typically means data protection that converts data – one or more values, or entire data sets – into gibberish that looks very different from the original.
Tokenization may be based on various technologies. Some versions use format-preserving encryption, such as NIST FF1-mode AES; some generate random values, storing the original data and the matching token in a secure token vault; others produce tokens from a pre-generated set of random data. Following the definition of encryption above, tokenization of any sort is clearly a form of encryption; the difference is tokenization’s format-preserving attribute.
Encryption plays a vital role in protecting sensitive data that is transmitted over the Internet or stored at rest in computer systems. Not only does it keep the data confidential, but it can authenticate its origin, ensure that data has not changed after it was sent, and prevent senders from denying they sent an encrypted message (also known as nonrepudiation).
In addition to the robust data privacy protection it provides, encryption is often necessary to uphold compliance regulations established by multiple organizations or standards bodies. For example, the Federal Information Processing Standards (FIPS) are a set of data security standards that U.S. government agencies or contractors must follow per the Federal Information Security Modernization Act of 2014 (FISMA 2014). Within these standards, FIPS 140-2 requires the secure design and implementation of a cryptographic module.
Another example is the Payment Card Industry Data Security Standard (PCI DSS). This standard requires merchants to encrypt customer card data when it is stored at rest, as well as when transmitted across public networks. Other important regulations many businesses must follow include The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption
Symmetric encryption algorithms use the same key for both encryption and decryption. This means that the sender or computer system encrypting the data must share the secret key with all authorized parties so they can decrypt it. Symmetric encryption is typically used for encrypting data in bulk, as it is usually faster and easier to implement than asymmetric encryption.
One of the most widely used symmetric encryption ciphers is the Advanced Encryption Standard (AES), defined as a U.S. government standard by the National Institute of Standards and Technology (NIST) in 2001. AES supports three different key lengths, which determine the number of possible keys: 128, 192, or 256 bits. Cracking any AES key length requires levels of computational power that are currently unrealistic and unlikely ever to become so. AES is widely used worldwide, including by government organizations like the National Security Agency (NSA).
Asymmetric encryption
Asymmetric encryption, also known as public key encryption, uses two distinct but mathematically linked keys – a public key and a private key. Typically, the public key is shared publicly and is available for anyone to use, while the private key is kept secure, accessible only to the key owner. Sometimes the data is encrypted twice: once with the sender’s private key and once with the recipient’s public key, thus ensuring both that only the intended recipient can decrypt it and that the sender is who they claim to be. Asymmetric encryption is thus more flexible for some use cases, since the public key(s) can be shared easily; however, it requires more computing resources than symmetric encryption, and these resources increase with the length of data protected.
A hybrid approach is thus common: a symmetric encryption key is generated and used to protect a volume of data. That symmetric key is then encrypted using the recipient’s public key, and packaged with the symmetrically encrypted payload. The recipient decrypts the relatively short key using asymmetric encryption, and then decrypts the actual data using symmetric encryption.
One of the most widely used asymmetric encryption ciphers is RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. RSA remains one of the most widely used asymmetric encryption algorithms. Like all current asymmetric encryption, the RSA cipher relies on prime factorization, which involves multiplying two large prime numbers to create an even larger number. Cracking RSA is extremely difficult when the right key length is used, as one must determine the two original prime numbers from the multiplied result, which is mathematically difficult.
Like many other cybersecurity strategies, modern encryption can have vulnerabilities. Modern encryption keys are long enough that brute-force attacks – trying every possible key until the right one is found – are impractical. A 128-bit key has 2128 possible values: 100 billion computers each testing 10 billion operations per second would take over a billion years to try all of these keys.
Modern cryptographic vulnerabilities typically manifest as a slight weakening of the encryption strength. For example, under certain conditions, a 128-bit key only has the strength of a 118-bit key. While the research that discovers such weaknesses are important in terms of ensuring encryption strength, they are not significant in real-world use, often requiring unrealistic assumptions such as unfettered physical access to a server. Successful attacks on modern strong encryption thus center on unauthorized access to keys.
Data encryption is a key element of a robust cybersecurity strategy, especially as more businesses move towards the cloud and are unfamiliar with cloud security best practices.
OpenText™ Data Discovery, Protection, and Compliance solutions enable organizations to accelerate to the cloud, modernize IT, and meet the demands of data privacy compliance with comprehensive data encryption software. CyberRes Voltage portfolio solutions enable organizations to discover, analyze, and classify data of all types to automate data protection and risk reduction. Voltage SecureData provides data-centric, persistent structured data security, while Voltage SmartCipher simplifies unstructured data security and provides complete visibility and control over file usage and disposition across multiple platforms.
Email encryption
Email continues to play a fundamental role in an organization’s communications and day to day business – and represents a critical vulnerability in its defenses. Too often, the sensitive data being transmitted via email is susceptible to attack and inadvertent disclosure. Email encryption represents a vital defense in addressing these vulnerabilities.
In highly regulated environments such as healthcare and financial services, compliance is mandatory but difficult for companies to enforce. This is especially true with email because end-users strongly resist any changes to their standard email workflow. SecureMail delivers a simple user experience across all platforms including computers, tablets, and native mobile platform support with full capability to send secure, originate, read, and share messages. Within Outlook, iOS, Android, and BlackBerry, for example, senders can access their existing contacts and simply click a “Send Secure” button to send an encrypted email. The recipient receives secure messages in their existing inbox, just as they would with clear text email
Encrypting big data, data warehouses and cloud analytics
Unleash the power of big data security, use continuous data protection for privacy compliance, and enable high-scale secure analytics in the cloud and on-premises. Companies are increasingly shifting their workloads and sensitive data into the cloud, transforming their IT environments to hybrid or multicloud. The Cloud Analytics Market size is set to grow from USD 23.2 billion in 2020 to USD 65.4 billion by 2025, according to a market research report published by MarketsandMarkets.
OpenText™ Data Discovery, Protection, and Compliance solutions help customers reduce the risk of cloud adoption by securing sensitive data in cloud migration and safely enables user access and data sharing for analytics. The encryption and tokenization technologies help customers comply with privacy requirements by discovering and protecting regulated data at rest, in motion and in use in cloud warehouses and applications. These solutions also minimize multi-cloud complexity by centralizing control with data-centric protection that secures sensitive data wherever it flows across multi-cloud environments.
Integration of with cloud data warehouses (CDWs), such as Snowflake, Amazon Redshift, Google BigQuery, and Azure Synapse, enables customers to conduct high-scale secure analytics and data science in the cloud using format-preserved, tokenized data that mitigates the risk of compromising business-sensitive information while adhering to privacy regulations.
PCI security compliance and payment security
Enterprises, merchants, and payment processors face severe, ongoing challenges securing their networks and high-value sensitive data, such as payment cardholder data, to comply with the Payment Card Industry Data Security Standard (PCI DSS) and data privacy laws. Simplify PCI security compliance and payment security in your retail point-of-sale, web, and mobile eCommerce site with our format-preserving encryption and tokenization.
Voltage Secure Stateless Tokenization (SST) is an advanced, patented, data security solution that provides enterprises, merchants, and payment processors with a new approach to help assure protection for payment card data. SST is offered as part of the SecureData Enterprise data security platform that unites market-leading Format-Preserving Encryption (FPE), SST, data masking, and Stateless Key Management to protect sensitive corporate information in a single comprehensive solution.
Protect POS payments data
Encrypt or tokenize retail point-of-sale credit card data upon card swipe, insertion, tap, or manual entry.
SST payment technology
Our Voltage Secure Stateless Tokenization (SST) enables payments data to be used and analyzed in its protected state.
Protect web browser data
OpenText™ Voltage™ SecureData encrypts or tokenizes payment data as it is entered in the browser, reducing PCI audit scope.
PCI security for mobile
Voltage SecureData for data captured on a mobile endpoint throughout the payment flow.
Protect high-value data while keeping it usable for hybrid IT
Manage structured data over its lifecycle and reduce the TCO of application infrastructure
Data-at-rest encryption for Windows
Understand and secure data to reduce risk, support compliance, and govern data access