Data Security and Encryption Technologies: Standards, Solutions, and Best Practices
Data breaches have surged, affecting governments, enterprises, and security vendors, prompting the need for robust encryption across storage, application, and gateway layers, with standards such as FIPS 140‑2 and solutions from Vormetric and SafeNet offering transparent, compatible, and managed encryption for on‑premises and cloud environments.
The article cites reports counting 1,202 data breach incidents by November 2017, a 10% increase over 2016; the victims were not only government agencies and Fortune 500 companies but also security vendors themselves.
Attackers now target a wide range of data, from credit‑card numbers to voter registration details, passwords, and encryption keys, often exploiting misconfigurations or insecure cloud servers; high‑profile victims include Equifax, Uber, Verizon, Cloudflare, Deloitte, and Accenture.
Encryption is the primary technique for protecting data at rest and in transit. The article classifies the common approaches by where the encryption happens: application‑layer encryption (e.g., in backup software or databases), gateway‑layer encryption (e.g., encrypting servers or switches placed in the data path), storage‑system encryption, and self‑encrypting disks. Application‑layer encryption offers the best compatibility because the storage and network layers below it only ever see ciphertext and need no changes, and it can protect data end‑to‑end; the trade‑off is that the application (or an agent acting for it) must be integrated with the encryption and key‑management layer.
Gateway‑layer encryption can cause performance bottlenecks and often requires custom development, because all data must pass through the encryption appliances; typical implementations are encrypting SAN switches and dedicated encryption gateways.
The author’s first exposure to encryption was a gateway‑level solution from Bloombase (Spitfire StoreSafe Security Server), which supports multiple algorithms and integrates with SAN, NAS, DAS, and library environments.
Encryption standards are divided into international and national categories. The article focuses on international standards such as IEEE Std 1619‑2007, EU Data Protection Directive 95/46/EC, NIST FIPS 140‑2, SEC Rule 17a‑4, HIPAA, Sarbanes‑Oxley, 21 CFR Part 11, and DoD 5015.2. Among them, FIPS 140‑2 is especially influential, defining four security levels for cryptographic modules. Note that FIPS 140‑2 has since been superseded by FIPS 140‑3 (effective September 2019): new module validations are performed against 140‑3, while existing 140‑2 certificates remain valid for a transition period.
Additional relevant standards include NIST SP 800‑57 (Recommendation for Key Management), which covers the key lifecycle from generation through rotation and destruction, and the OASIS Key Management Interoperability Protocol (KMIP), which standardizes how clients request key operations from a key server.
Key management systems (KMS) such as SafeNet KeySecure and the Vormetric Data Security Manager are widely used in enterprise environments; they centralize key storage and policy, are typically deployed in active‑passive pairs for high availability, and are increasingly offered as virtual appliances.
The article then details two transparent encryption solutions:
1. Vormetric Transparent Encryption – an agent runs on each protected host and encrypts/decrypts data on the fly, while the Vormetric Data Security Manager handles key management and policy in a clustered setup. The solution is transparent to applications and storage, and cloud workloads are covered by the Vormetric Cloud Encryption Gateway. As with any transparent (host‑agent) encryption, the protection is against access outside the agent's policy, such as stolen media, storage administrators, or other hosts, not against a compromised process that the policy already allows to read the data.
2. SafeNet ProtectFile / ProtectApp – ProtectFile provides file‑level encryption for NAS shares, with keys managed by SafeNet KeySecure over a TLS connection. ProtectApp offers API‑based encryption for object storage (e.g., S3) and can protect both unstructured data (Excel, PDF) and structured fields (credit‑card numbers, SSNs). Both can be deployed on physical, virtual, and cloud infrastructure; ProtectFile needs no application changes, whereas ProtectApp is integrated into the application through its API.
SafeNet KeySecure serves as the centralized key‑management platform, compatible with FIPS 140‑2 Level 2/3 hardware security modules (HSMs) such as Gemalto Luna or AWS CloudHSM for root‑of‑trust key storage, and can protect databases, file servers, virtual workloads, and applications across on‑premises and cloud environments.
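The architecture the two solutions share (a host agent encrypts data with a per‑file key, a central key manager holds the keys that wrap it, and rotation never touches the bulk ciphertext) is easier to reason about in code. The following Go program is an added example written for this page; it is not code from the article, from Vormetric, or from SafeNet. The in‑memory keyManager stands in for the KMS or HSM, the TLS/KMIP transport is assumed away, and all names (keyManager, EncryptFile, RewrapFile) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyManager stands in for a central key server: versioned KEKs never leave it.
type keyManager struct {
	keks    map[int][]byte
	current int
}

// Rotate adds a new 256-bit KEK version; old versions stay unwrappable.
func (km *keyManager) Rotate() int {
	if km.keks == nil {
		km.keks = map[int][]byte{}
	}
	km.current++
	km.keks[km.current] = randomBytes(32)
	return km.current
}

// WrapDEK binds the KEK version into the AAD so a wrapped DEK is version-specific.
func (km *keyManager) WrapDEK(dek []byte) (int, []byte) {
	ver := km.current
	return ver, seal(km.keks[ver], dek, []byte(fmt.Sprintf("kek-v%d", ver)))
}

func (km *keyManager) UnwrapDEK(ver int, wrapped []byte) ([]byte, error) {
	kek, ok := km.keks[ver]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %d", ver)
	}
	return open(kek, wrapped, []byte(fmt.Sprintf("kek-v%d", ver)))
}

// EncryptedFile is what lands on the share: ciphertext plus key metadata, never a key.
type EncryptedFile struct {
	KEKVersion int
	WrappedDEK []byte
	Body       []byte
}

func EncryptFile(km *keyManager, content []byte) *EncryptedFile {
	dek := randomBytes(32) // fresh data-encryption key per file
	ver, wrapped := km.WrapDEK(dek)
	return &EncryptedFile{KEKVersion: ver, WrappedDEK: wrapped, Body: seal(dek, content, nil)}
}

func DecryptFile(km *keyManager, f *EncryptedFile) ([]byte, error) {
	dek, err := km.UnwrapDEK(f.KEKVersion, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, f.Body, nil)
}

// RewrapFile moves a file to the current KEK after rotation: only the DEK is re-encrypted.
func RewrapFile(km *keyManager, f *EncryptedFile) error {
	dek, err := km.UnwrapDEK(f.KEKVersion, f.WrappedDEK)
	if err != nil {
		return err
	}
	f.KEKVersion, f.WrappedDEK = km.WrapDEK(dek)
	return nil
}

// seal/open: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	aead, nonce := newGCM(key), randomBytes(12)
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Keys are always 32 bytes here, so neither constructor can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is fatal; never fall back to weak keys
	}
	return b
}
```

Two design points carry over to the real products. First, because each file has its own DEK and only the wrapped DEK is stored with it, a KEK rotation is a metadata operation (RewrapFile) rather than a re‑encryption of every byte on the share, which is what makes SP 800‑57‑style rotation schedules practical. Second, the key manager never returns a KEK; in a deployment that role is played by KeySecure or the Data Security Manager backed by a FIPS 140‑2 Level 2/3 HSM, reached over TLS or KMIP, and the agent only ever holds DEKs in memory.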
The article concludes by noting that these encryption and key‑management technologies provide flexible, standards‑compliant protection for data throughout its lifecycle.
Architects' Tech Alliance
Sharing project experiences, insights into cutting-edge architectures, focusing on cloud computing, microservices, big data, hyper-convergence, storage, data protection, artificial intelligence, industry practices and solutions.