File Level Encryption FAQ

Recent data breaches making headlines globally have shown that many organizations are still on the losing end when it comes to data protection. The issue is pressing, given that data is the new gold and a source of competitive advantage for any data-driven business.

This is especially true in these testing times, when many are working from home due to the COVID-19 outbreak. Below is a data protection FAQ specifically on file-level encryption:

FAQ

1. Do we need data protection if we already have perimeter, network and system security?

Yes, to prevent a data breach from hackers, ransomware and compromised privileged accounts that can bypass your security mechanisms, e.g. firewall, IDS, IPS, antivirus, etc.

2. What is the impact of a data breach?

Mainly the financial cost incurred from business disruption, resources, branding, and legal and compliance fines. According to the 2019 Cost of Data Breach report by the Ponemon Institute, the average cost of a data breach in ASEAN is $2.62M.

3. What do most data breaches have in common?

  • Sensitive data stored in the clear
  • Privileged account compromised
  • Lack of granular access control
  • No separation of duties
  • Breach was detected much later

4. Why is disk and volume encryption inadequate?

It primarily prevents only data disclosure resulting from physical theft. Data is neither safe nor encrypted while the system is in use. OS credentials can also be compromised to gain access to sensitive data on the machine.

5. What are more secure options for data-at-rest protection?

Encryption at the file and folder level, and database column- and field-level encryption, tokenization and masking.

6. What is file and folder encryption?

File encryption enables users and administrators to encrypt specific files and folders on a device. Different user groups and users are granted different access levels. It also protects sensitive data from privileged users, cloud providers and outsourced workers.

7. How are sensitive files protected from compromised privileged accounts?

Because the encryption engine resides at the kernel level, its access control can override OS permissions granted to root admin, domain admin or any other user account. This ensures that unauthorized accounts are unable to access certain folders or the content of sensitive files.

8. What other protections can it offer?

You can specify the type of applications that can decrypt specific files.

9. Why should I use a different encryption tool than my existing native tool?

An agnostic, centralized encryption platform will eliminate the silos of encryption mechanisms required for different systems. This entails tangible cost savings in terms of sticky licensing, time, resources and expertise, as it does not lock you in to a particular OS, database or hardware.

10. Do we need to deploy encryption in every system?

No. Only systems, databases or machines that contain sensitive data. This will reduce the scope and cost of encryption.

11. What happens if files and database files are stolen by unauthorized users?

Data remains protected, as file content will be encrypted, while database files cannot be mounted or will be deemed corrupted when accessed.

12. How do you manage different types of users accessing the encryption console?

Fine-grained, role-based access control is available to restrict access to certain menus and settings within the console while providing specific users with “need-to-know” access.

13. Are any changes required to the application and database?

No. The solution works transparently to the application and database.

14. I’m concerned about performance. What are the expected overheads?

About 2-3% overhead, which can be offset by solid-state disk technology and powerful CPUs.

15. What platforms does it support?

It can encrypt any file or format on Windows and Linux platforms.

16. What type of algorithm is being used?

It uses an industry-standard 256-bit algorithm for encryption operations.

17. Are encryption keys stored securely?

Yes. An internal key management system manages the Data Encryption Keys (DEK) and Key Encryption Keys (KEK). The KEK can also be managed externally and separately from the encryption engine using a key management system and/or a variety of HSMs.
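
The DEK/KEK split described in this answer, as an added example that is not part of the original FAQ or of any product's code: a per-file DEK encrypts the data and the KEK encrypts only the DEK, so a stolen file plus its wrapped DEK cannot be read without the KEK. AES-256-GCM, the record layout and the function names (`seal`, `unseal`, `protect`, `recover`) are assumptions; the FAQ only states "256-bit".

```ruby
require "openssl"

NONCE_LEN = 12 # GCM nonce size in bytes
TAG_LEN = 16   # GCM authentication tag size in bytes

# Encrypt data under a 32-byte key (assumed cipher: AES-256-GCM).
# Returns nonce || tag || ciphertext.
def seal(key, data)
  c = OpenSSL::Cipher.new("aes-256-gcm")
  c.encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ""
  ciphertext = c.update(data) + c.final
  nonce + c.auth_tag + ciphertext
end

# Reverse seal; returns nil when the key is wrong or the blob was altered.
def unseal(key, blob)
  return nil if blob.bytesize <= NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new("aes-256-gcm")
  d.decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = ""
  d.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + d.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# A fresh DEK encrypts the file; the KEK encrypts only the DEK.
# The returned record is everything that sits on disk next to the data.
def protect(kek, plaintext)
  dek = OpenSSL::Random.random_bytes(32)
  { wrapped_dek: seal(kek, dek), ciphertext: seal(dek, plaintext) }
end

# Reading needs the KEK (held by the key manager or HSM) to unwrap the DEK.
def recover(kek, record)
  dek = unseal(kek, record[:wrapped_dek])
  dek && unseal(dek, record[:ciphertext])
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32) # constructed sample KEK
  record = protect(kek, "constructed sample file content")
  puts recover(kek, record)
  puts recover(OpenSSL::Random.random_bytes(32), record).inspect
end
```

The last line of the demo models a stolen record opened without the right KEK: `recover` returns `nil` instead of plaintext.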

18. Is any downtime required for existing systems during deployment?

Yes, but only during the migration stage from UAT to production. Beyond that, all policy changes are made in real time without downtime.

19. If and when DR is activated, will we be able to decrypt the retrieved data?

Yes, as long as there is a periodic backup of data and encryption keys. The common backup best practices apply here.

20. Can this help us meet regulatory compliance requirements?

Yes, it meets requirements from PDPA, PCI DSS, RMiT, GDPR, ISO27001, HIPAA, ePHI, etc.