
A Definition of Data Encryption

Data encryption translates data into another form, or code, so that only people with access to a
secret key (formally called a decryption key) or password can read it. Encrypted data
is commonly referred to as ciphertext, while unencrypted data is called plaintext. Currently,
encryption is one of the most popular and effective data security methods used by organizations.
Two main types of data encryption exist - asymmetric encryption, also known as public-key
encryption, and symmetric encryption.

Data encryption is a security method where information is encoded and can only be accessed or
decrypted by a user with the correct encryption key. Encrypted data, also known as ciphertext, appears
scrambled or unreadable to a person or entity accessing it without permission.

How Data Encryption is Used

Data Encryption is used to deter malicious or negligent parties from accessing sensitive data. An
important line of defense in a cybersecurity architecture, encryption makes using intercepted data
as difficult as possible. It can be applied to all kinds of data protection needs ranging from
classified government intel to personal credit card transactions. Data encryption software, also
known as an encryption algorithm or cipher, is used to develop an encryption scheme which
theoretically can only be broken with large amounts of computing power.

Types of Encryption – Symmetric and Asymmetric

Encryption is commonly applied in two forms: with a symmetric key or with an asymmetric key. A
symmetric key, or secret key, uses one key to both encode and decode the information. This is
best used for one-to-one sharing and smaller data sets. Asymmetric, or public key, cryptography
uses two linked keys – one private and one public. The encryption key is public and can be used
by anyone to encrypt. The opposite key is kept private and used to decrypt.

What is encryption?

Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting plaintext to ciphertext. In simpler
terms, encryption takes readable data and alters it so that it appears random. Encryption requires
the use of an encryption key: a set of mathematical values that both the sender and the recipient
of an encrypted message know.

Although encrypted data appears random, encryption proceeds in a logical, predictable way, so
that a party receiving the encrypted data and in possession of the key used to encrypt the data can
decrypt the data, turning it back into plaintext. Truly secure encryption will be complex enough
that a third party is highly unlikely to decrypt the ciphertext by brute force – in other words, by
guessing.

Data can be encrypted "at rest," when it is stored, or "in transit," while it is being transmitted
somewhere else.

What is a key in cryptography?

A cryptographic key is a string of characters used within an encryption algorithm for altering
data so that it appears random. Like a physical key, it locks (encrypts) data so that only someone
with the right key can unlock (decrypt) it.

What are the different types of encryption?

The two main kinds of encryption are symmetric encryption and asymmetric encryption.
Asymmetric encryption is also known as public key encryption.

In symmetric encryption, there is only one key, and all communicating parties use the same key
for encryption and decryption. In asymmetric, or public key, encryption, there are two keys: one
key is used for encryption, and a different key is used for decryption. Either key can be used for
either action, but data encrypted with the first key can only be decrypted with the second key,
and vice versa. One key is kept private, while one key is shared publicly, for anyone to use –
hence the "public key" name. Asymmetric encryption is a foundational technology for SSL
(TLS).

Why is data encryption necessary?

Privacy: Encryption ensures that no one can read communications or data at rest except the
intended recipient or proper data owner. This prevents cyber criminals, ad networks, Internet
service providers, and in some cases governments from intercepting and reading sensitive data.

Security: Encryption helps prevent data breaches, whether the data is in transit or at rest. If a corporate
device is lost or stolen and its hard drive is properly encrypted, the data on that device will likely
still be secure. Similarly, encrypted communications enable the communicating parties to
exchange sensitive data without leaking the data. Encryption also helps prevent malicious
behavior such as man-in-the-middle attacks.

Authentication: Public key encryption, among other things, establishes that a website's origin
server owns the private key and therefore was legitimately issued an SSL certificate (see What is
public key encryption? to learn more).

Regulations: For all these reasons, many industry and government regulations require companies
that handle user data to keep that data encrypted. Examples of regulatory and compliance
standards that require encryption include HIPAA, PCI-DSS, and the GDPR.

Benefits of encryption

The primary purpose of encryption is to protect the confidentiality of digital data stored on
computer systems or transmitted via the internet or any other computer network. A number of
organizations and standards bodies either recommend or require sensitive data to be encrypted in
order to prevent unauthorized third parties or threat actors from accessing the data. For example,
the Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt
customers' payment card data when it is both stored at rest and transmitted across public
networks.

Modern encryption algorithms also play a vital role in the security assurance of IT systems and
communications as they can provide not only confidentiality, but also the following key elements
of security:

• Authentication: the origin of a message can be verified.
• Integrity: proof that the contents of a message have not been changed since it was sent.
• Nonrepudiation: the sender of a message cannot deny sending the message.

Definition of Data In Transit vs. Data At Rest

Data in transit, or data in motion, is data actively moving from one location to another such as
across the internet or through a private network. Data protection in transit is the protection of this
data while it’s traveling from network to network or being transferred from a local storage device
to a cloud storage device – wherever data is moving, effective data protection measures for in
transit data are critical as data is often considered less secure while in motion.

Data at rest is data that is not actively moving from device to device or network to network such
as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way. Data
protection at rest aims to secure inactive data stored on any device or network. While data at rest
is sometimes considered to be less vulnerable than data in transit, attackers often find data at rest
a more valuable target than data in motion. The risk profile for data in transit or data at rest
depends on the security measures that are in place to secure data in either state.

Protecting sensitive data both in transit and at rest is imperative for modern enterprises as
attackers find increasingly innovative ways to compromise systems and steal data.

What is Data at Rest?

When data collects in one place, it is called data at rest. For a hacker, this data at rest — data in
databases, file systems, and storage infrastructure — is probably much more attractive than the
individual data packets crossing the network. Data at rest in these environments tends to have a
logical structure, meaningful file names, or other clues, which betray that this location is where
the “money” is — that is, credit cards, intellectual property, personal information, healthcare
information, financial information, and so on.

Of course, even data “at rest” actually moves around. For a host of operational reasons, data is
replicated and manipulated in virtualized storage environments and frequently “rests” on
portable media. Backup tapes are transferred to off-site storage facilities and laptops are taken
home or on business trips, all of which increases risk. Regardless of whether the information has
actually been compromised, organizations can take no chances and must act on a potential
breach, which often results in significant cost and, in some cases, mandated public disclosure,
corporate embarrassment, and customer dissatisfaction.

Data Encryption in-transit

As the name implies, data in-transit should be seen much like a transmission stream: a great
example of data in-transit is a typical web page we receive from the internet whenever we
surf the web. Here’s what happens under the hood in a nutshell:

1. We send an HTTP (or HTTPS) request to the server hosting the website we’re visiting.
2. The web server accepts our request, processes it by finding the (static or dynamic) content
we’ve asked for, then sends it to us as an HTTP (or HTTPS) response over a given TCP port
(usually 80 for HTTP and 443 for HTTPS).
3. Our client, usually a web browser such as Google Chrome, Firefox or Edge, receives the HTTP(S)
response, stores it in its internal cache and shows it to us.

As we can see, there clearly is a data transmission going on between the server and the client:
during that transmission, the requested data (the web page HTML code) becomes a flow that goes
through at least five different states:

1. it starts at-rest (server storage),
2. then changes to in-use (web server memory),
3. then to in-transit (using the HyperText Transfer Protocol on a given TCP port),
4. then again to in-use (web browser),
5. and finally to at-rest (client cache).

Reasons to use it

Now, let’s take for granted that both the server and client have implemented a strong level of
data encryption at-rest: this means that the first and the fifth state are internally safe, because any
intrusion attempt would be made against encrypted data. However, the third state – where the
data is in-transit – might be encrypted or not, depending on the protocol the server and the client
are actually using to transmit the data.

Here’s what usually happens under the hood when the HTTP protocol is being used: when the web
server processes the incoming request and transparently decrypts the requested data, the channel
used to transfer it to the web client (HTTP) is not encrypted. The security issue is quite evident:
any offending party that manages to successfully pull off a suitable attack (see below) could have
immediate access to our unencrypted data.
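The exposure described above, as an added Go demonstration that is not part of the original text: it serves a constructed page containing a sample card number over plain HTTP and over HTTPS (with the self-signed test certificate that net/http/httptest provides), and checks what a raw read of the socket exchange reveals in each case versus what a client that trusts the certificate receives. The page content, function names and timeouts are my own assumptions; everything runs on the local loopback interface.

```go
package main

import (
	"bytes"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

const secret = "4111-1111-1111-1111" // constructed sample standing in for sensitive content
func handler(w http.ResponseWriter, r *http.Request) {
	io.WriteString(w, "<html><body>card "+secret+"</body></html>")
}

// rawExchange is whoever can read the wire: one plaintext HTTP request in, raw bytes out.
func rawExchange(addr string) ([]byte, error) {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second)) // never hang on a silent server
	conn.Write([]byte("GET / HTTP/1.0\r\n\r\n"))
	return io.ReadAll(conn)
}

// Probe serves the page over plain HTTP or, with useTLS, over HTTPS (self-signed test cert) and
// reports whether the secret is readable in the raw socket bytes and whether a trusting client still gets it.
func Probe(useTLS bool) (wireVisible, clientGotPage bool, err error) {
	newServer := httptest.NewServer
	if useTLS {
		newServer = httptest.NewTLSServer
	}
	srv := newServer(http.HandlerFunc(handler))
	defer srv.Close()
	raw, err := rawExchange(srv.Listener.Addr().String())
	if err != nil {
		return false, false, err
	}
	resp, err := srv.Client().Get(srv.URL) // srv.Client() trusts the test certificate
	if err != nil {
		return false, false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return bytes.Contains(raw, []byte(secret)), bytes.Contains(body, []byte(secret)), err
}
```

Over plain HTTP the raw bytes contain the page verbatim; over HTTPS the raw request is refused before any page content is sent, while the legitimate client still receives it.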

How can it help us

If you’re curious about which kinds of attacks can be used against an unencrypted TCP-based
transmission protocol such as HTTP, here are a couple of threats you should be aware of:

• Eavesdropping: a network layer attack that focuses on capturing small packets from the
network transmitted by other computers and reading the data content in search of any type of
information.
• Man-in-the-Middle: a tampering-based attack where the attacker secretly relays and/or alters
the communication between two parties to make them believe they are directly communicating
with each other.

Implementing proper encryption in-transit protocols to secure our critical data transfer endpoints
will definitely help us prevent these kinds of threats.
