Making Sense of Encryption Technique Options

Manager of Portfolio Strategy, IBM

While it’s easy to get caught up in all the excitement and opportunity of big data, it’s also easy to forget that it’s still affected by the same problems as any other data. Data breaches don’t distinguish between big or “small” data – if there’s value in the data, everything is fair game for attack. One of the most proven lines of defense against data breaches is to protect the data itself with encryption. While there is often the misconception that data encryption is a nice-to-have, there are increasing pressures and challenges.

Organizations need to comply with government data privacy regulations and industry regulations - for example, the payment card industry data security standard (PCI DSS) and the health insurance portability and accountability act (HIPAA). Failure to comply can result in substantial financial penalties. Private and confidential information is also sought after for profit, business advantage, malicious use and both industrial and government espionage.

In the 2012 IBM Global Reputational Risk and IT study, 61% of executives cited data breaches/data theft/cybercrime as the single most serious threat to the reputation and viability of their firm, well ahead of systems failures or other concerns. As a result, in order to protect private and confidential information, security teams are placing a higher priority on a data security strategy. While a holistic data security strategy consists of multiple capabilities (see figure 1), this discussion will focus on encryption.



Data Encryption Techniques

With data encryption, data at rest (vs. data in motion, for which data activity monitoring is the solution) is transformed to make it unreadable. Although the original data itself is preserved, the encrypted data is meaningless unless it is decrypted with the proper key. There are many different encryption techniques.

File-level encryption

File-level encryption is a form of disk encryption where files or directories are encrypted by the file system itself. This is a flexible and comprehensive approach that supports both structured and unstructured data while having minimal performance impact.

Application-level encryption

With this approach, encryption is custom-coded inside the application. However, this requires access and ownership to the application source code, which may not be feasible in all situations. There is a medium impact to performance.

Column-level encryption

As its name suggests, this approach encrypts specific columns in a database. However, a concern with column-level encryption is that it does not extend to protect unstructured data, which is particularly problematic given the surge in the wide variety of big data. It also has a large performance impact which is not a desirable trait.

Transparent data encryption

This approach encrypts both columns and tablespaces in a database. The challenge with transparent data encryption is that there is no centralized way of managing the solution, nor is there a secure approach to managing keys. There is a medium impact to performance.


Tokenization replaces data with a “token” in a secure repository. However, although this approach has a light performance impact, it only supports limited data types and does not extend well to support multiple use cases.

Storage encryption with network switch

This method encrypts all network storage, but only protects against physical theft. It has a light performance impact, but no access control or auditing is available unlike the other approaches outlined above.

Additional Considerations for a Data Encryption solution

While data encryption technology itself is nothing new, the regulatory, business and big data landscape have evolved to introduce new challenges that a viable encryption solution should address regardless of the encryption technique.

As organizations shift from physical to virtual environments, and subsequently leverage infrastructure in the cloud, the security of their data becomes an even greater concern. Virtualization drastically increases the portability of operating environments, but can also increase the chance that sensitive information and intellectual property (in the form of digital data) can be accessed more easily than ever before by unauthorized individuals and malicious insiders. Given that information now typically resides in various locations throughout the organization, a viable solution must be able to manage encryption policies and access controls over a wide area of distributed data.

Another implication of having widely dispersed data is that the encryption solution must still be able to scale and perform – a solution that works well for a few departmental databases may break down (both physically and financially) when faced with potentially hundreds of sources in a big data environment. With a large environment, transparency of the solution is also critical – having to configure application or database changes for hundreds of servers just to install an encryption solution is not viable.

With sensitive data residing in multiple formats beyond databases such as PDFs, spreadsheets, images, and audio/video recordings, supporting both structured and unstructured data is now a minimum requirement rather than a nice-to-have.

And with the many government mandates now in place to ensure the integrity of sensitive data, an encryption solution must also meet compliance requirements. The solution must provide capabilities for separation of duties so that no one person has complete control of the administration and configuration of the solution.

Getting Help

IBM InfoSphere Guardium Data Encryption Expert is a transparent solution that not only protects your sensitive data while meeting compliance requirements, but is also designed to be scalable and high performance for the demanding and diverse needs of a big data environment. If you have any other thoughts or questions on data encryption, please feel free to share!

More Reading