  • June 15, 2023
  • 9 min read

Securing Data at Rest & Using Data Securely

Shedrack Akintayo

Technical Writer

Data security plays a crucial role in today's digital landscape: The Open Worldwide Application Security Project (OWASP) goes so far as to say “Data is fundamentally the only asset companies should thrive to protect”. As a developer, you’re likely frequently looking at software architecture diagrams and considering where the data is moving within your systems. What may not be top of mind is how you’re securing the data as it’s processed or when it hits your data stores, in order to protect it from discovery or exposure by a malicious party.

In this post, we’ll delve into how you can secure data that’s actively being changed or updated (in use) and data that you’re keeping in storage, like in a database or CDN (at rest).

Securing Data in Different States

There are different risks and dangers to data depending on its “state”, that is, where it is in its life cycle: creation, in use, in transit, at rest, or ready for destruction. Each state calls for different methods of protection.

Securing data at rest requires implementing measures like encryption, identity and access management (IAM), and data integrity checks to safeguard data from attacks or compromise. Processing data securely is a recent advancement; in the past, it was nearly impossible to protect data as it was being altered, updated or deleted. Now, technology like Trusted Execution Environments (TEEs) and secure enclaves allow developers to run code that processes sensitive data in an isolated computing environment. This secure environment is shielded from snooping via backdoors, tampering and unauthorized access, even in the event of a compromise of the primary operating system.

How to Store Data at Rest Securely

While many data storage options have built-in encryption, this is often not enough protection on its own. Additionally, if the configured encryption method encrypts the entire database with one key, anyone who obtains the key that decrypts that database gains access to all the data stored inside it.

The best way to secure your data at rest is to encrypt it before it gets to the data store. Two popular approaches to consider in this situation are field-level encryption and server-side encryption.

Field-level Encryption

Field-level encryption transforms sensitive data — like credit card numbers or PII — into ciphertext at the application layer. Sensitive information is encrypted at the edge and then remains encrypted throughout your application. This method also allows you to select specific fields that you want to encrypt, so you can both ensure that the sensitive fields are protected and reduce latency by leaving any unnecessary fields in plaintext.

This method has the following advantages:

  • Enhanced Protection: Even if unauthorized access occurs, the encrypted information remains incomprehensible without the proper encryption keys.
  • Granular Control: Selectively encrypting specific fields with sensitive data allows focused encryption efforts, minimizing the performance impact on non-sensitive fields.
  • Flexibility and Interoperability: Field-level encryption is compatible with various database systems and applications, making it adaptable and easy to integrate.

You can choose to implement field-level encryption yourself (which requires choosing an encryption scheme, applying it to the data, and managing your own keys), or you can utilize options from a variety of providers. Some offerings include Evervault Inbound Relay, Couchbase, Amazon Cloudfront, and MongoDB.
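As an added illustration of doing field-level encryption yourself (this is example code, not code from the original post or from Evervault's SDKs), the following Go snippet encrypts individual field values with AES-GCM before a record is written to a store. The record ID and field names are hypothetical, and the data key is assumed to come from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// FieldCipher encrypts individual field values at the application layer,
// before a record reaches the data store. Added example, not Evervault's SDK.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher wraps a 16-, 24- or 32-byte data key (assumed to come from a KMS) in AES-GCM.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead: aead}, err
}

// aad binds a ciphertext to its row and column: a value copied into another
// field or another record fails authentication instead of decrypting.
func aad(recordID, field string) []byte { return []byte(recordID + "|" + field) }

// Seal encrypts one field value and returns base64(nonce || ciphertext || tag).
func (c *FieldCipher) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. It fails on tampering, on a truncated value, and on a
// ciphertext that was moved to a different record or field.
func (c *FieldCipher) Open(recordID, field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if n := c.aead.NonceSize(); err == nil && len(ct) >= n {
		pt, err := c.aead.Open(nil, ct[:n], ct[n:], aad(recordID, field))
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
```

Only the fields on your sensitivity allowlist (for example a card number) go through Seal; the rest of the record is stored in plaintext so it stays queryable, which is the selectivity the section describes.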

Server-side Encryption

The other option available is to encrypt data on your server. In fact, if you are using Amazon S3, there's a high chance you’re already using server-side encryption.

The difference between field-level and server-side encryption is where the encryption takes place. Think of encryption as an umbrella of protection: if you put the umbrella up early (on the client), the data is covered for its whole journey. If you wait to open it until the data reaches the server, the data is exposed in the space between the client and the server, and on the server itself until it is encrypted.

Server-side encryption has its advantages — it is often inexpensive to implement and you offload the key management concerns to a provider. However, because the data arrives at the server in plaintext, the window of exposure is wider and the risk of attack is greater. Server-side encryption options are available with the Evervault server-side SDKs, Azure, Amazon, and Google.

Choosing a Secure Data Storage Method

When it comes to selecting the right secure data storage method, there are several important factors to consider:

  • Data sensitivity: Certain fields may need stronger encryption or additional security measures based on their importance and impact if compromised. Standards like PCI DSS mandate encryption on fields such as cardholder data.
  • Scalability and performance: Evaluate whether the desired method can effectively handle your data volume and accommodate future growth without sacrificing performance or introducing bottlenecks (here’s how we set up load testing with Artillery).
  • Key management: How does the storage method manage encryption keys? Ensure that the chosen method offers secure and reliable key management mechanisms.
  • Integration with existing systems: Evaluate how well the selected storage method integrates with your existing infrastructure and systems.
  • Cost considerations: Assess the overall cost implications of the storage method. This includes initial setup costs, ongoing maintenance expenses, and licensing fees. Strike a balance between the level of security you need and the financial resources available to your organization.

IAM controls

Limiting who has access to a resource is a first-order defense: it is no coincidence that all cyber security and privacy standards call out both access control and encryption as key to achieving adequate protection. A continuous and layered approach is required to achieve a robust security posture, and protection of identity is essential. Minimizing user and system access to functionality, services and data, when used in conjunction with encryption, provides a solid foundation on which to build, particularly in a cloud environment.

IAM controls can be particularly complicated with various cloud providers. The best way to understand how these work is to build a POC — providers like Okta, Auth0, Microsoft AzureAD, AWS, and Google Cloud all offer free tier accounts that you can use to get a feel for them (here’s one developer’s journey with some helpful tips for getting started).

How to Secure Data in Use

TEEs and Secure Enclaves

Secure enclaves, also known as Trusted Execution Environments (TEEs), are purpose-built spaces within a system that establish a highly secure and isolated environment for executing critical processes and safeguarding sensitive data.

While using secure enclaves would be overkill for most data processing, performing computations on highly sensitive data or proprietary algorithms requires a high level of confidentiality, and securing the data in these cases is crucial. In the past most developers relied on processing this data only on on-premises servers; as we move into a cloud-based world, it will become necessary to use this technology.

Now there are a variety of TEE hardware offerings for securing data in use, like ARM TrustZone, Intel Software Guard Extensions (SGX), AMD Secure Encrypted Virtualization (SEV), NVIDIA Hopper, and open hardware like RISC-V.

Hardware can be … hard. If you’re a developer keen to explore secure enclaves, you can utilize their full power with tooling like Evervault Cages, which allows you to deploy a Docker container to an AWS Nitro Enclave.

Best practices for utilizing secure enclaves

Implementing secure enclaves effectively requires adherence to best practices that ensure optimal utilization and maximize the benefits they offer. Here are some key guidelines to consider:

  • Try a cloud-based TEE abstraction: Implementing secure enclaves can be complex with very specific development requirements. A service like Cages allows developers using any stack to try secure enclaves.
  • Practice thorough threat modeling: Conduct a comprehensive assessment of potential threats and risks specific to your environment. Identify the sensitive data and operations that require protection within the enclave.
  • Utilize attestation: One of the most important practices when using secure enclaves is being able to cryptographically prove that the code running inside the enclave is the code you intended to run. This practice is called attestation. To ensure the integrity of your code and data, you need a sound attestation process.
  • Complete regular security patching: Keep the secure enclave software and firmware up to date with the latest security patches and updates. Regularly review and apply security fixes to address any vulnerabilities that may arise over time. This practice helps maintain the resilience of the enclave against emerging threats.
  • Set up audits and monitoring: Implement comprehensive auditing and monitoring mechanisms to track and detect any suspicious activities within the enclave. Regularly review logs and monitor enclave behaviour for any anomalies or security incidents. Promptly investigate and respond to any identified threats or breaches to minimize their impact.

Homomorphic Encryption

Homomorphic encryption is a type of encryption for data in use that allows encrypted data to be processed without needing to decrypt it. Like other types of encryption, the original or processed data can never be accessed without the encryption key. You can utilize partially homomorphic encryption (RSA is an example of this), somewhat homomorphic encryption, and fully homomorphic encryption.

Unfortunately homomorphic encryption is very inefficient. Despite advancements, it is still too slow and has limited real-world use. There are also no attestation measures available for homomorphic encryption. While it may be a viable option in the future, at present it’s a riskier choice.
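To show what “partially homomorphic” means for RSA, here is an added example (not from the original post) using textbook RSA with tiny constructed parameters: multiplying two ciphertexts yields a ciphertext of the product, while adding them yields nothing useful.

```go
package main

import "math/big"

// ToyRSA is textbook (unpadded) RSA with tiny constructed parameters, used only to
// show the multiplicative homomorphism the post refers to. Added example, not for
// real use: real RSA needs large primes and, for confidentiality, randomised
// padding (OAEP), which removes this property.
type ToyRSA struct{ N, E, D *big.Int }

// NewToyRSA builds a key from primes p, q and a public exponent e coprime to phi(N).
func NewToyRSA(p, q, e int64) *ToyRSA {
	P, Q, one := big.NewInt(p), big.NewInt(q), big.NewInt(1)
	phi := new(big.Int).Mul(new(big.Int).Sub(P, one), new(big.Int).Sub(Q, one))
	E := big.NewInt(e)
	return &ToyRSA{N: new(big.Int).Mul(P, Q), E: E, D: new(big.Int).ModInverse(E, phi)}
}

func (k *ToyRSA) Encrypt(m *big.Int) *big.Int { return new(big.Int).Exp(m, k.E, k.N) }
func (k *ToyRSA) Decrypt(c *big.Int) *big.Int { return new(big.Int).Exp(c, k.D, k.N) }

// MulCiphertexts is the homomorphic operation: (a^e)(b^e) = (ab)^e mod N, so the
// product of two ciphertexts decrypts to a*b mod N without anyone seeing a or b.
func (k *ToyRSA) MulCiphertexts(c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), k.N)
}

// AddCiphertexts shows the limit of a *partially* homomorphic scheme: the sum of
// two ciphertexts is not an encryption of a+b, so RSA supports one operation only.
func (k *ToyRSA) AddCiphertexts(c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Add(c1, c2), k.N)
}
```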

Combining Encryption and Secure Enclaves

Using encryption with secure enclaves is a powerful strategy to protect sensitive information. By pairing these two security measures, keeping data encrypted everywhere and only decrypting it within an enclave, you can minimize the risk of unauthorized access while keeping your software architecture intact.

Conclusion

Protecting data is a major priority. Practices like client-side encryption, secure data storage methods, and using secure enclaves are your best protection against data breaches and attacks. As data continues to proliferate, maintaining awareness of its value, its attractiveness to attackers and the regulations that apply to its protection requires time and effort. Clear themes persist, however, across the security-by-design and privacy-by-design paradigms.

Strong access control and authentication, cryptography applied to sensitive data, systems maintenance and change management, and resilience and incident response are all key considerations from the outset when building a robust security posture for systems that process sensitive data.

Want to chat with us about your data protection approach? We’d love to hear from you. Sign up for an Evervault account to try our encryption APIs and Cages for free and let us know how we can help.
