Two critical strategies for enterprise data encryption

Data security and regulatory compliance demands are growing across various industries and countries. Organizations are increasingly challenged by evolving threats that require new processes and technologies, further complicating the task of securing and managing their data.

Be it phishing, social engineering or a data breach, there seems to be a new type of attack on the horizon every day. One such attack in particular was related to the decommissioning of unencrypted equipment.

In this highly publicized case, an enterprise agreed to pay $60 million to settle a data breach suit because confidential personal information was compromised via decommissioned data center equipment. Allegedly, a software flaw left unwiped data on old, unused servers in unencrypted form.

How can dark data still be an issue faced by security leaders in 2022? Here’s an example:

Think about a cell phone. Whether it is iPhone, Samsung, or some other mobile phone model, the personal data on the phone is encrypted by default — there is no need to manually encrypt the data or manage an encryption key. However, these are very real issues for enterprise data stored in data centers in various industries, especially ones with large edge deployments: retail, banking, healthcare, etc. So what solution is there for enterprise data centers?

1. Enterprise data encryption should be enabled by default.

Encryption at rest protects data wherever it's stored, whether on a hard drive or in the cloud. The enterprise referenced above may have encountered the data breach because encryption for data at rest was likely never initially enabled for the data on these specific decommissioned servers.

When thinking about encryption, considering the software and the hardware layers together is imperative. In order for third-party software to be secure, security must be built into the hardware. One way to do this is to have an encryption key generated at the hardware layer, which strengthens the protection against potential backdoors linked to software weaknesses. By building a security foundation at the hardware layer, companies can lay the groundwork for secure authentication and encryption key management.

Furthermore, the hardware-generated key should be streamlined at the hardware layer to eliminate the need for users to manage those keys. Not only does this enable application owners to focus on their applications, but it minimizes the risk of human error.

Why does matter? A master, hardware-based encryption key means that, like a smartphone, every time data is written to enterprise hardware, it is encrypted automatically and the user never needs to think about it. Encryption is always on.

For additional security, some companies may want to implement in-flight encryption, which protects against man-in-the middle attacks or someone nefariously accessing the network. Additional security measures like two-factor authentication and role-based access control (RBAC) should also be considered.

2. Automate the process of erasing boot or local data drives on decommissioned servers.

Assuming enterprise data is encrypted from day 1, once the server is decommissioned, the easiest and most effective way to keep user data secure is to destroy the encryption key. It only takes seconds to do, and once an encryption key is destroyed, the data is irrevocably lost. This means that even if the infrastructure is misplaced or stolen, there is no risk of a data breach ever happening.

Again, just as users don’t need to think about managing encryption on their smartphones, this two-pronged approach of “always-on” data encryption and heavy automation of back-end security tasks will help companies protect data residing on decommissioned data center infrastructure devices without requiring an inordinate amount of manual management on the part of users.

After all, just because a device has been discarded doesn’t mean the sensitive data residing on it can be considered “disposed of,” so to speak. Opportunistic hackers could find nefarious uses for that data if the device isn’t protected to the same standard as active hardware currently in use.