What types of encryption are available?

Encryption measures must be adapted to the state of the data and should be state of the art (see State of the art). Possible states of data are:

  • Data-at-Rest (persistently stored data, e.g. data in databases),

  • Data-in-Transit (data while it is being transmitted, e.g. emails), and

  • Data-in-Use (data that is being read, processed, written or deleted, e.g. data in main memory).

Data-in-Transit can be encrypted using SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security). Both are encryption protocols for secure data exchange over the Internet. A typical example of SSL/TLS in use is a website served over HTTPS (Hypertext Transfer Protocol Secure) instead of HTTP.

There are two options for encrypting data-at-rest:

  • Encryption of data at the application level: In this case, the application encrypts the data before it is handed to the database. Both symmetric (e.g. AES 256-CCM, AES 256-GCM) and asymmetric encryption (e.g. RSA 3000) are suitable encryption methods.

  • Encryption of data at database level: With this variant, the database itself encrypts the data it stores. This is often done using built-in functionality such as Transparent Database Encryption (TDE, for Oracle and MS SQL) or symmetric AES-based encryption methods (e.g. AES 256-CBC, AES 256-GCM for MongoDB).
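As an added illustration of the application-level option above (example code written for this page, not taken from any product mentioned here), the following Go program encrypts a single field with AES-256-GCM from the standard library before the record is written to the database. The record identifier, the sample value and the function names `EncryptField` and `DecryptField` are assumptions made for the example; binding the row's primary key in as associated data is what stops a ciphertext from being swapped between rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD turns a 32-byte key into an AES-256-GCM AEAD and rejects shorter keys so the field never silently falls back to AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: aes.NewCipher only validates the key length
	return cipher.NewGCM(block)
}

// EncryptField encrypts one field before the record reaches the database. The row's
// primary key is the associated data, so a ciphertext copied to another row will not open.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per stored field
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // nonce || ct || tag
}

// DecryptField reverses EncryptField; a wrong key, wrong recordID or any tampering fails.
func DecryptField(key []byte, recordID string, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(stored) >= n+aead.Overhead() {
		return aead.Open(nil, stored[:n], stored[n:], []byte(recordID))
	}
	return nil, fmt.Errorf("stored value too short (%d bytes)", len(stored))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real deployments load it from a KMS or HSM
	rand.Read(key)
	ct, _ := EncryptField(key, "customer:42", []byte("constructed secret value"))
	fmt.Println(DecryptField(key, "customer:43", ct)) // same ciphertext, other row: error
}
```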

Encryption of data-in-use is a comparatively new approach, since data normally has to be decrypted in order to be used. Protection therefore relies primarily on strong authentication mechanisms, e.g. single sign-on (SSO) or multi-factor authentication (MFA). One example of a method for encrypting data-in-use is Secure Encrypted Virtualisation (SEV), which encrypts main memory with the help of dedicated hardware.