Encryption is a method of adding a layer of security to data. This prevents the data from being stolen or lost. It is the process of encoding information, which is accessible only by authorised parties.
Even if a potential hacker gets a hold of the data, the information stored in the cipher text is non-readable.
Encryption can be used in two situations.
- Encryption in Transit.
- Encryption at Rest (EAR).
Encryption in Transit
Data is usually encrypted when it is in transit (transferred from one place to another). This is to prevent others from accessing the data en route. This provides a considerable level of security for the information.
Encryption at Rest (EAR)
Although the encryption of data during transit provides good security, encryption of the same when it is stored in the servers provides an even higher level of security. EAR prevents any possible security leaks or losses when it is in storage.
This method of encryption is done using the AES-256 protocol. Symmetric encryption algorithm, which uses 128-bit blocks and 256-bit keys, is used for encrypting/decrypting the data. It is one of the more advanced methods of encryption.
Many modes of operation of AES have been defined. Some of them are:
- Electronic Codebook (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Counter (CTR)
the CRM encrypts the data using the Counter mode.
Keys are the means through which you can retrieve the encrypted data. The key used to convert the data from plain text to cipher text is called Data Encryption Key(DEK). The DEK is further encrypted using the KEK (Key Encryption Key), thus, providing yet another layer of security.
Hence, the data in your CRM is equipped with three layers of security.
- Encrypted data (Cipher text) is stored in the Services Database.
- Encrypted DEKs are stored in KMS (Key Management System).
- Encrypted KEKs are stored in IAM (Identity and Access Management) servers.
The retrieval of data is on three levels. Hence, the level of security is increased considerably.
Encryption Process
- The encryption agent determines, from the metadata, whether to encrypt the field before storing it in the database.
- The encryption agent checks the cached memory for matching DEKs. If no matching DEKs are found, the encryption agent requests a DEK from the KMS.
- The KMS checks its database for a matching encrypted DEK.
- If the matching encrypted DEK is found, the KMS decrypts the encrypted DEK and returns it to the encryption agent.
- If no matching DEK is found, the KMS generates a DEK. This new DEK is encrypted with KEKs and stored in the KMS servers.
- If the matching encrypted DEK is found, the KMS decrypts the encrypted DEK and returns it to the encryption agent.
- The agent receives the Data Encryption Key (DEK), then encrypts/decrypts the data using 256-bit AES encryption.
- The cipher text (the encrypted data) is then stored in CRM (in the Services Database/File System).