Encryption at Rest in a Cloud-Connected World

Today it is more critical than ever to protect your data from theft. There are many reasons, including privacy, security, and preventing corruption. For these reasons, data in the cloud is routinely encrypted inside the database. This is known as “encryption at rest.” Even if a hacker gains access to a database, the data inside it is useless because it is encrypted. Modern encryption is not unbreakable, but in theory it takes so long to crack that the data is no longer of use by then.

Not the encryption you are used to
Encryption at rest differs from the encryption most people are familiar with from using “https” URLs for secure access to websites. That encryption protects the data as it is being transmitted over the web. If the data is encrypted when it is sent but decrypted on the device (your phone or laptop) before it is stored, then it can be hacked on your device. There are many examples of viruses and malware that do just this, sending your data to a third party. Many ransomware attacks collect and encrypt the original data in a way that cannot be retrieved. Encrypting the data locally makes it useless to the hacker.

Unfortunately, many software solutions overlook the data that is stored locally on devices. Part of the reason is that the data is less obvious on these devices. Unless you have the correct tools, especially on Android devices, you can’t even find the data. But simply hiding data is not the same as protecting it. In cyber security, the maxim “Obfuscation is not security” reminds us of this.

Obvious, but not simple
Why then, if encryption at rest is a no-brainer, isn’t it the standard? There are a few reasons. The first is that not all data needs to be protected to this degree. Think of all your Word and Excel documents. They may hold some useful information but are rarely encrypted.

In some cases, the “database” for an app is implemented as a text file or a spreadsheet because there is no need to protect the contents of trivial data such as your grocery list. But the main reason is that encrypting and decrypting the data takes computing power and time. The more powerful the device, such as a cloud server, the less time it takes. The converse is true on less powerful devices like smartphones, where encrypting and decrypting the data slows down the performance of the app.

Today, most databases offer the option to encrypt the database, but rarely as the default, and enabling it usually requires changes to an existing app. The changes involve using a different version of the database engine, using tools that can read the encrypted database if needed, and having a cryptographic engine supported by the device. The good news for developers is that all this shields them from changes to the way they access the data. The calls to access the data and the queries remain the same after access to the encrypted database is established.
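The two points above (only the connection step changes, and hidden data is not protected data) can be checked on disk. This is an added example, not code from the original article: it assumes SQLCipher's `PRAGMA key` keying statement and runs against the stock SQLite engine bundled with Python, which has no encryption support; the function names, passphrase and contact data are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite file begins with this 16-byte magic string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def open_db(path, key=None):
    """Open the app database; keying is the only encryption-specific step."""
    conn = sqlite3.connect(path)
    if key is not None:
        # SQLCipher-style keying statement (assumed engine). A stock SQLite
        # build does not know this pragma and ignores it without any error.
        conn.execute("PRAGMA key = '%s'" % key.replace("'", "''"))
    return conn


def save_contact(conn, name, phone):
    """Ordinary data-access code: identical for plain and encrypted engines."""
    conn.execute("CREATE TABLE IF NOT EXISTS contacts (name TEXT, phone TEXT)")
    conn.execute("INSERT INTO contacts VALUES (?, ?)", (name, phone))
    conn.commit()


def audit_file(path, canaries):
    """Report whether the file on disk is readable without any key."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {
        "plaintext_header": raw.startswith(SQLITE_MAGIC),
        "leaked": [c for c in canaries if c.encode("utf-8") in raw],
    }


def demo():
    """Write constructed sample data with a key set, then audit the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        conn = open_db(path, key="constructed-passphrase")
        save_contact(conn, "Alice Example", "555-0100")
        conn.close()
        return audit_file(path, ["Alice Example", "555-0100"])


if __name__ == "__main__":
    print(demo())
```

On the stock engine the audit reports a plaintext header and both canary values, even though a key was supplied: the app code ran without error but nothing was encrypted. Against a file written by an engine that really encrypts, the leaked list should come back empty.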

If this data was posted on the internet …
When deciding if you need to implement encryption at rest, examine the nature of the data. Do you have a mandate to protect the data because it is PII? PII (Personally Identifiable Information) is a general term that covers different types of information associated with an individual. Other data, such as customer contacts, financial information, and internal corporate data may have value to people inside and outside the organization and need protection. A simple question to ask yourself is “If this data was posted on the internet, what would be the impact on the user, the people the data is about, and the corporation?”

This is a design decision
Given the growing power of the devices we use and the level of attacks on data stored on devices and in the cloud, the decision to encrypt data at rest should be one of your early design decisions when writing a new app, and it should be part of the review process when updating an existing app, as was the case on this project. To find out what is involved so that you can do a cost-benefit analysis, start by searching online for the name of the database engine you are using (SQL Server, MySQL, SQLite, etc.) and the phrase “encryption at rest”. While you may have a license for the unencrypted version, you may have to pay for the encrypted version, and there may be multiple versions, especially in the open-source space. Since this is a security issue, you will also want to use the most recent version and stay aware of vulnerabilities and exploits.

To sum up, you must decide if your data needs to be protected in this manner and how that will impact your development. The good news is that the work can often be done in parallel with other work since it does not require changes to how the data is accessed throughout the app, just during the initial connection in the code. Code and database development can be started with an unencrypted version of the database while you start the development of the other parts of the app. Starting with or upgrading to encryption at rest is very achievable if you consider it early and not late in your project. The benefits are clear if you want to secure your data. Want to learn more about encryption and your development project? Reach out to us and our experts can talk with you about your needs!