The power and limits of confidential computing
A deep dive into how enclaves work
By
Mathew Pregasen
Mathew Pregasen- August 19, 2022
- 6 min read
Tokenization vs Encryption In-House vs Evervault Encryption
Eoin Power-Moran
Engineer
You’ve probably heard about tokenization and encryption, but what’s the difference? And which should your business use? Good questions. We have answers.
Privacy is everything these days. Customers want to know their data is safe, businesses want to avoid the financial and reputational damage caused by data breaches, and governments are passing sweeping privacy-focused legislation. A clear trend is starting to emerge: businesses that design their services around privacy are more likely to succeed than those that don’t.
To put the problem into perspective, the average cost of a data breach in 2021 was $4.24 million (an all-time high). The World Economic Forum concludes that 95% of all data breaches are attributable to human error—and that 95% is mitigable with proper data security measures. You should be able to publish your databases online and be confident that your customer's data will still be safe (not that we would recommend doing so).
Tokenization vs. Encryption: The Differences
In the quest for data security, there are three main approaches:
- In-house encryption
- Tokenization
- Evervault encryption
In-House Encryption
The first port of call for most engineers tasked with securing their company's data is to use tried and tested encryption, the ancient art of taking data and performing a transformation on it to produce garbled nonsense at the other end.
The first recorded encryption schemes date back as far as the Spartans! However, since then, encryption has become significantly more complicated, and its successful implementation requires a Spartan effort.
To implement encryption properly, you need an experienced security engineer with knowledge of today's state-of-the-art encryption schemes, working tirelessly to keep up with the latest trends and advisories from the broader security community.
Ideally, you want to build your security systems on zero-trust models, where you only ever put your trust in things that can definitely (mathematically) prove their trustworthiness. The problem with in-house encryption is that you can’t always trust yourself or your developers. Proper key management is particularly difficult to implement and can quickly become a nightmare if done incorrectly.
You need to strike a delicate balance when it comes to controlling encryption keys. The keys need to be accessible everywhere that data needs to be encrypted or decrypted, but they also need to be totally inaccessible anywhere else on your infrastructure. A failure here can lead to all of your efforts being for naught, as anyone with the key can decrypt all your data—and once they have the key, there’s nothing you can do to take it back.
Tokenization
Tokenization allows a company to offload the troublesome work of key management and application security to a third party by sending them the raw data and receiving a token in exchange. The tokenization provider stores the data and returns the raw data whenever they are presented with the token. Analogously, tokenization is a cloakroom for data. While this approach has its advantages, it has two critical weaknesses:
- Trust: Tokenization is not a zero-trust model. It requires you to place your trust in a tokenization provider, who isn’t verifiably trustworthy. Ultimately, all tokenization does is move the problem. Human error causes 95% of data breaches. Tokenization providers are just as human as you are. If a tokenization provider falls victim to an attack, that hack would expose all of the private user data they store (including yours).
- Latency: All storage or retrieval operations must occur through the tokenization provider's API. This added latency slows down your app, potentially causing pain for your users.
Evervault Encryption
Evervault Encryption combines the verifiable security of encryption with the ease of use of tokenization providers. With the Evervault model, you store your data, and we store your encryption keys. That way, you don’t have to worry about key management on your infrastructure or implementing complicated encryption schemes. And as we don’t store your data, an attack on Evervault won’t lead to your data being leaked— something that a standard tokenization provider can’t guarantee. Since you store your own data, you can choose how it is stored and in which jurisdiction it is resident. We use tried and tested public key cryptography to keep your data secure and easy to use. Encrypting data with Evervault is simple—it can either be encrypted with:
- Our Inbound Relay product
- the Encrypt function in our SDKs
**Relay **works as a proxy for your API requests, and then data is automatically encrypted as it passes through the proxy. Using Relay provides effortless security because your server never needs to handle unencrypted plaintext data, which also helps reduce your compliance burden under industry standards like PCI DSS and regulations like HIPAA and GDPR.
Alternatively, you can use the encrypt function in our SDKs in either your frontend or backend to encrypt your data directly. This allows you to perform the encryption operations without adding additional latency—a feat tokenization providers cannot accomplish.
We provide rich functionality for you to use your encrypted data securely. Outbound Relay allows you to securely share encrypted strings with third-party APIs, decrypting them as it passes through and optionally re-encrypting the response. Cages enable you to write serverless functions that can securely perform processing on encrypted data. As you can see, this is a marriage of the benefits of encryption and tokenization. You get to collect user data, store it securely, and use it in a controlled environment without the overhead of setting up and managing encryption schemes.
Which Will It Be: Tokenization, Encryption, or Evervault?
Here’s a quick recap of tokenization vs encryption in-house vs Evervault encryption:
| Tokenization | In-House Encryption | Evervault Encryption | |
|---|---|---|---|
| Developer Effort | Low | High | Low |
| Network Latency | Can be high, depends on the service | None (network) | ~50ms (0 ms with SDK on encrypts) |
| Trust | Have to trust the provider | Have to trust yourself | Zero-Trust Model |
Not sure which data security solution is right for you? Get started with a free Evervault account to explore our encryption tool and see if it’s the right fit for your business. Have more questions? Our team has answers. Get in touch with a member of our sales team.
Hannah Neary