Tokenization vs In-House Encryption vs Evervault Encryption

August 19, 2022 byEoin Power-Moran

Privacy is everything these days. Customers want to know that their data is safe, businesses want to avoid the financial and reputational damage caused by data breaches, and governments are passing sweeping privacy-focused legislation. A clear trend is starting to emerge: businesses that design their services around privacy are more likely to succeed than those that don’t.

To put the problem into perspective, the average cost of a data breach in 2021 was $4.24 million, an all-time high. The World Economic Forum concludes that 95% of all data breaches are attributable to human error. That 95% is mitigable with proper data security measures. You should be able to publish your databases online and be confident that your customer's data will still be safe (not that we would recommend doing so). In the quest for data security, there are three main approaches: tokenization, in-house encryption, and Evervault encryption.

In-House Encryption

The first port of call for most engineers tasked with securing their company's data is to use tried and tested encryption, the ancient art of taking data and performing a transformation on it to produce garbled nonsense at the other end. The first recorded encryption schemes date back as far as the Spartans! However, since then, encryption has become significantly more complicated, and its successful implementation requires a Spartan effort. To implement encryption properly, you need an experienced security engineer with knowledge of today's state-of-the-art encryption schemes, working tirelessly to keep up with the latest trends and advisories from the broader security community.

Ideally, you want to build your security systems on zero-trust models, where you only ever put your trust in things that can definitely (mathematically) prove their trustworthiness. The problem with in-house encryption is that you can’t always trust yourself or your developers. Proper key management is particularly difficult to implement and can quickly become a nightmare if done incorrectly. A delicate balance needs to be struck when it comes to controlling encryption keys: The keys need to be accessible everywhere that data needs to be encrypted or decrypted, but they also need to be totally inaccessible anywhere else on your infrastructure. A failure here can lead to all of your efforts being for nought, as anyone with the key can decrypt all your data, and once they have the key, there’s nothing you can do to take it back.

Tokenization

Tokenization allows a company to offload the troublesome work of key management and application security to a third party by sending them the raw data and receiving a token in exchange. The tokenization provider then stores the data and returns the raw data whenever they are presented with the token. Analogously, tokenization is a cloakroom for data.

While this approach has its advantages, it has two critical weaknesses:

  1. Trust: Tokenization is not a zero-trust model. It requires you to place your trust in a tokenization provider, who isn’t verifiably trustworthy. Ultimately, all tokenization does is move the problem. Human error causes 95% of data breaches. Tokenization providers are just as human as you are. If a tokenization provider were to fall victim to an attack, then that hack would expose all of the private user data they store.
  2. Latency: All storage or retrieval operations must occur through the tokenization provider's API. This added latency would slow down your app, potentially causing pain for your users.

Evervault Encryption

Evervault Encryption combines the verifiable security of encryption with the ease of use of tokenization providers. With the Evervault model, you store your data, and we store your encryption keys. That way, you don’t have to worry about key management on your infrastructure or implementing complicated encryption schemes. And as we don’t store your data, an attack on Evervault won’t lead to your data being leaked, something that a standard tokenization provider can’t guarantee. Since you store your own data, you can choose how it is stored and in which jurisdiction it is resident. We use tried and tested public key cryptography to keep your data secure and easy to use.

Encrypting data with Evervault is simple: it can either be encrypted with our Inbound Relay product or with the encrypt function in one of our SDKs. Relay works as a proxy for your API requests, and then data is automatically encrypted as it passes through the proxy. Using Relay provides effortless security because your server never needs to handle unencrypted plaintext data, which also helps reduce your compliance burden under industry standards like PCI DSS and regulations like HIPAA and GDPR. Alternatively, you can use the encrypt function in our SDKs in either your frontend or backend to encrypt your data directly. Doing this allows you to perform the encryption operations without adding additional latency - a feat that the tokenization providers cannot accomplish.

We then provide rich functionality for you to use your encrypted data securely. Outbound Relay allows you to securely share encrypted strings with third-party APIs, decrypting them as it passes through and optionally re-encrypting the response. Cages enable you to write serverless functions that can securely perform processing on encrypted data.

As you can see, this is a marriage of the benefits of encryption and the benefits of tokenization. You get to collect user data, store it securely and then use it in a controlled environment without the overhead of setting up and managing encryption schemes.

Summary

TokenizationIn-House EncryptionEvervault Encryption
Developer EffortLowHighLow
Network LatencyCan be high, depends on the serviceNone (network)~50ms (0 ms with SDK on encrypts)
TrustHave to trust the providerHave to trust yourselfZero-Trust Model