Encryption in Use


Encryption in use is an integral part of the data protection lifecycle required to tackle the governance, compliance and security hurdles that stand in the way of broader adoption of cloud-based services.

Cloud data exists in 3 phases:

  • Data at rest
  • Data in transit, or data in motion
  • Data in use

Data at Rest

Data at rest refers to inactive data that is physically stored in a digital form, such as on a hard drive, in a database or data warehouse, or at the cloud service provider’s data center. Traditionally, many corporations have multiple controls in place to ensure that data at rest is secure, such as encrypting hard drives and physically securing data centers. Today, data must be secured while stored at the cloud service provider’s data center – no matter where it travels.

Data in Transit

Data in transit, or data in motion, refers to data as it traverses any network. Examples of data in transit are email and data sent to and from a public cloud. Organizations that handle personal or confidential data and regularly send it from one locale to another generally use encryption protocols, such as PGP, S/MIME or transmission over Secure Sockets Layer (SSL), to ensure that data in transit is persistently encrypted.

Data in Use

Data in use refers to the actual processing of data in computer memory, in addition to on-screen display and presentation of the data. Existing encryption solutions render the encrypted data useless to most applications, so with most encryption solutions data in use essentially cannot exist in an encrypted state.

Encryption in Use

Encryption of data at rest and data in transit has long been considered essential in defining security controls. However, in an era where many organizations utilize cloud applications – where confidential or personal data is stored and processed at a cloud service provider – encryption of data at rest and data in transit is insufficient. For a cloud service provider to support processing of encrypted data – even a simple action like searching through email – it must decrypt the data before processing it. This introduces latency as well as the larger concern that the cloud service provider has direct access to your data in the clear.

Encryption in use allows organizations to feed encrypted information into cloud applications and still perform operations against the encrypted data. While authorized users at the organization holding the encryption keys can access their data, the data remains opaque and inaccessible even to the cloud service provider administrators with full access to the customer instance.

Vaultive’s encryption is applied before the data is transmitted over the WAN and protects it across its lifecycle: in transit, at rest and in use. The encryption scheme is implemented at the field level, and employs cryptographically generated metadata to maintain the content characteristics necessary for server-side operations. Unlike other approaches, Vaultive does not rely on deterministic word-level encryption to preserve server-side functionality. If encrypted multiple times, a given value never appears as the same encrypted string. Vaultive’s encryption in use does not require modifications to the applications, nor is a separate database required to maintain the data and encryption values.
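
The difference between deterministic word-level encryption and encryption where a repeated value never produces the same string can be seen from the server's side, as in this added example (not Vaultive's code or scheme, which this page does not specify). The function names, the sample text and the HMAC-SHA256 counter-mode keystream, a standard-library stand-in for a real cipher such as AES-GCM, are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = os.urandom(32)  # constructed demo key, held only by the data owner


def det_token(word: bytes, key: bytes = KEY) -> bytes:
    """Deterministic word-level token: the same word always maps to the same output."""
    return hmac.new(key, word, hashlib.sha256).digest()[:16]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def rand_encrypt(word: bytes, key: bytes = KEY) -> bytes:
    """Randomized encryption: a fresh 16-byte nonce per call, prepended to the output."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(word))
    return nonce + bytes(a ^ b for a, b in zip(word, ks))


def rand_decrypt(blob: bytes, key: bytes = KEY) -> bytes:
    """Key holder recovers the plaintext from nonce || ciphertext."""
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def repeat_profile(ciphertexts) -> list:
    """What an observer without the key sees: how often each ciphertext repeats."""
    return sorted(Counter(ciphertexts).values(), reverse=True)


# Constructed sample field value, split into words.
WORDS = b"wire the funds to the account before the audit".split()

if __name__ == "__main__":
    print("deterministic:", repeat_profile([det_token(w) for w in WORDS]))
    print("randomized:   ", repeat_profile([rand_encrypt(w) for w in WORDS]))
```

The deterministic profile reproduces the plaintext word frequencies without the key, while the randomized one shows every ciphertext exactly once.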