skip to Main Content


Last Updated:
Analyst Coverage:

Encryption—and its opposite, decryption—is the process of converting data into code that is unreadable by a human who does not possess the necessary key for decrypting it, or turning it back to a readable form. It has its origins in the Greek word kruptos, meaning hidden. Encryption is one of the best methods that can be used for protecting sensitive data from loss or inappropriate access, but for many it is still often an afterthought, used in a largely ad hoc manner.

Why is it important?

Whilst data breaches appear to be everyday news, the vast majority are never reported. According to the Breach Level Index, 9.7 trillion data records have been lost or stolen since 2013, yet only 4% of those records were encrypted, rendering them useless to those who discover the records. When an adversary realises that an organisation is using encryption on a widespread basis, they are likely to move on, looking for easier targets to exploit.

As the number of breaches continues to rise, regulators are demanding higher levels of data protection, with increased sanctions for non-compliance. A prime example is the general data protection regulation (GDPR) of the EU, which affects every organisation that processes and stores data related to those resident in the EU, no matter where the data is handled or kept. As with most regulations, GDPR is not particularly prescriptive regarding the technologies that organisations should implement, with the exception of encryption and pseudonymisation. Data records that have been adequately encryption exempt an organisation from having to disclose that it has been subject to a data breach.

In light of factors such as these, it is clear that taking a data-centric approach to securing an organisation’s assets is the best option, using multilayered encryption for sensitive data both at rest and in motion. Encryption should be the cornerstone of any security programme.

Figure 1: Drivers for encryption

Figure 1: Drivers for encryption

How does it work?

All too often, organisations have deployed encryption to meet specific needs as problems arise, which can lead to gaps in security that leave some sensitive data unprotected. To solve this, an enterprise-wide strategy should be established, led by security executives with input from IT and business units. This strategy will likely involve the implementation of a data security platform that provides for persistent encryption for all data in use in the enterprise, covering data at rest in storage, backup, on devices that include mobile equipment and in services based in the cloud. It will also provide for efficient encryption for data in transit.

Such a platform will solve some of the biggest bugbears of encryption deployments. One of these is key management which, according to the Ponemon Institute is very painful for 57% of organisations. A consolidated platform will ensure that encryption keys are centrally managed, refreshed regularly and kept separate from the data that are protecting to ensure that keys cannot fall into the wrong hands. 
Many vendors offering data security platforms offer key management services, which can be installed on-premise, in a private cloud or in the public cloud as a private instance.

Other beneficial services that can be offered by a centralised platform include data discovery and classification. Not all data needs to be encrypted, which would add to overheads and potentially negatively impact users. Therefore, organisations need to discover all data used and determine its sensitivity so that appropriate controls can be applied and enforced. Other services to look for include analytics and reporting, activity monitoring and real time alerting.

Figure 2 – Strong and stable encryption (Source: ENISA)

Figure 2 – Strong and stable encryption (Source: ENISA)

For encryption to be effective, all devices and data should be considered, including virtual machines, portable storage, mobile devices and data held in the cloud. In the case of the cloud, organisations cannot outsource responsibility for data protection to services providers. Rather, it remains their responsibility and they will be held responsible for fallout from data breaches. Cloud providers should never have access to keys to avoid possible breaches caused by their staff or the perils of subpoenas from law enforcement. Managing keys separately from the cloud services also avoids co-mingling of data in multitenant environment and makes it easier to use multicloud services, simplifying the complexity of moving data among clouds and ensuring that keys are centralised and persistent encryption is used across all cloud instances.

According to Forrester Consulting, 96% of organisations believe that changing from a strategy of multiple point products to a single platform is beneficial, providing higher levels of visibility, and controlling costs and integration concerns.


In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
EU General data protection regulation

Get security and ops on board with data protection, starting at the top. If you have a compliance officer, bring him or her in as well.
SANS Institute

A data security platform will provide incremental value to other technologies in use, including DLP controls, behavioural analytics and SIEM systems. Many data security platform vendors provide encryption dashboards for major SIEMs, enabling logging and reporting of the effectiveness of encryption controls to ensure that they are working as intended.

A data security platform with encryption at its core will help defend an organisation against the harm caused by data breaches and will be essential for more effectively meeting compliance and audit requirements, even as an organisation’s infrastructure expands to embrace new technologies.

Early encryption systems gained a reputation for being hard to implement and manage, but that is largely a thing of the past. To ensure that they are adequately budgeted for, use cases should be put forward that show the importance of encryption for data protection, defending against data breaches and achieving compliance with ever more stringent regulations. However, it is important that any encryption rollout be accompanied by comprehensive user awareness efforts and training to persuade users that encryption need not be feared and reinforcing its role in protecting sensitive information.

The Bottom Line

Encryption is hot now because of its potential to greatly reduce the fallout from data breaches and to achieve compliance with ever more stringent data protection regulations. No organisation can afford to leave sensitive information in the clear for easy pickings.


Coming soon.


  • AB INITIO logo
  • BIG ID logo
  • DATAGUISE logo
  • Global IDs logo
  • GROUND LABS logo
  • HITACHI logo
  • Informatica (logo)
  • IRI logo
  • MAGE logo
  • SEEKER logo
  • SOLIX logo
  • Waterline Data (logo)

These organisations are also known to offer solutions:

  • Broadcom
MENTIS InBrief (SENSITIVE DATA) cover thumbnail

MENTIS iDiscover

MENTIS iDiscover offers a range of modules that cover all necessary functions for discovering, protecting and monitoring sensitive data.
DATA SUNRISE InBrief (SENSITIVE DATA) cover thumbnail

DataSunrise Sensitive Data Discovery

DataSunrise supports the discovery of sensitive data across a wide range of both relational and NoSQL data sources.
GLOBAL IDs InBrief (SENSITIVE DATA) cover thumbnail

Global IDs Sensitive Data Discovery

Global IDs offers data discovery and classification as part of its EDA platform, thereby providing sensitive data discovery and compliance with regulations.
DATAGUISE InBrief (SENSITIVE DATA) cover thumbnail

Dataguise DgSecure

Dataguise started by offering sensitive data discovery and masking but now includes, additionally, encryption/decryption and extensive reporting.
BIG ID InBrief (SENSITIVE DATA) cover thumbnail


BigID specialises in (sensitive) data discovery and classification and unlike other vendors has been built from the ground up to concentrate in this area.
Cover for the Encryption Hot Report


Why encryption is getting a new lease of life and should be the default option for securing sensitive data.
GROUND LABS InBrief (SENSITIVE DATA) cover thumbnail

Ground Labs Enterprise Recon (2020)

Enterprise Recon offers enterprise-wide discovery of personal, PII and PCI data in accordance with a wide range of compliance regulations.
SOLIX InBrief (SENSITIVE DATA) cover thumbnail

Solix Technologies Sensitive Data Discovery

Solix Common Data Platform acts as a one stop shop for the management and governance of all enterprise data.
Back To Top