kras99 -


An overview of storage encryption for enterprises

The constantly increasing data volumes and locations -- plus the number of security threats -- should push enterprise storage strategies to include strong encryption.

Storage encryption is a key element in keeping enterprise data safe. It protects data from theft, unauthorized changes and compromise.

This encryption safeguards privacy, secures data from attackers and ensures compliance with industry regulations. Most enterprises use a combination of encryption methods to protect their data on premises, in motion and in the cloud, so it's important to understand the different types and best practices for implementation.

What is storage encryption and how does it work?

Storage encryption is the use of encryption methods for data both in transit and on media such as hard drives. Ideally, data is encrypted at its origin and destination, as well as when it moves between devices and systems.

Encryption works by encoding plaintext data into ciphertext, usually with cryptographic algorithms. To decode the data, the receiving system needs a decryption key, which is a string of numbers also created by an algorithm. Secure encryption uses so many cryptographic keys that no human can guess it, nor can a computer easily calculate the correct string of characters by trying every potential combination.

Types of storage encryption

Storage encryption involves various tools, technologies and approaches for data at rest and in motion. The two most common types of encryption are symmetric and asymmetric:

  • Symmetric encryption. Also known as shared key or private key encryption, it uses the same key for both encryption and decryption. These ciphers are less expensive to produce and don't use as much computing power to work, so there's less delay in decoding the data.
  • Asymmetric encryption. Also known as public key encryption, it uses two separate keys to encrypt and decrypt data. The encryption key is a public key shared among everyone who needs to send encrypted data. Only the holders of the second, private key can decrypt the data.

While symmetric encryption is cheaper and faster to use, it is slightly less secure than other options. An unauthorized person who gets access to the key is able to decrypt data. Asymmetric encryption is more expensive to produce and takes more computing power to use, as the encryption key is often between 1,024 and 2,048 bits. It's more secure than symmetric encryption but isn't suited for large data packets.

Chart of how end-to-end encryption works

Common encryption methods

Enterprises use numerous symmetric encryption methods, including Advanced Encryption Standard (AES) and Twofish. AES is the most popular method. Twofish is used in both hardware and software and is considered the fastest symmetric encryption method.

The most common asymmetric encryption methods are Rivest-Shamir-Adleman and elliptic curve cryptography (ECC). RSA creates the public key by factoring two prime numbers and adds an auxiliary value. RSA keys are typically 2,048 or 4,096 bits. They often encrypt shared symmetric encryption keys. ECC is an advanced asymmetric encryption method that provides security of massive encryption keys with a smaller and more efficient footprint. ECC often secures digital signatures and shared symmetric encryption keys.

Storage encryption involves various tools, technologies and approaches for data at rest and in motion.

Best practices for storage encryption

Enterprises should have a comprehensive data storage encryption strategy. To be most effective, it should incorporate people, processes and technologies. Here are a few best practices to consider.

1. Protect your data everywhere

Account for all the possible states in which your data can occur -- at rest, in motion and in use -- and what controls are available for that state:

  • At rest includes all data in digital and physical environments, like storage objects, containers and hard drives.
  • In motion is data that moves among components, locations, programs, systems and applications.
  • In use is when organizations process data. This process ensures the data is encrypted in hardware memory and software caches.

Users may also want to consider encrypting business-critical data at the individual file, volume or column level to increase protection.

2. Choose the right encryption method

Which encryption method to choose depends on the data, its location, its use and any regulatory requirements. Decide first on symmetric or asymmetric encryption and then the encryption option. Check that it aligns with requirements. Many cloud storage providers include data encryption, so refer to their documentation for the details.

For example, healthcare enterprises must check that the encryption complies with HIPAA, while financial services companies may require Payment Card Industry Data Security Standard compliance.

3. Incorporate encryption into your access management strategy

The principle of least privilege should apply to the entire IT infrastructure, including data encryption. Grant relevant access to encryption methods based on where the data is, where it moves to and from, who uses it and what regulatory requirements apply.

4. Ensure scalability for large teams and large data stores

In an enterprise, data encryption must be scalable so it can handle user bases and IT devices or systems that may expand. Encryption and decryption speed are vital for frequently used data.

Julia Borgini is a freelance technical copywriter and content marketing strategist who helps B2B technology companies publish valuable content.

Dig Deeper on Storage architecture and strategy

Disaster Recovery
Data Backup
Data Center
and ESG