
What is the best encryption strategy for protecting your data?

Data encryption is a method that transforms plaintext data into an unreadable form known as ciphertext; decryption reverses the transformation for anyone who holds the right key. Encryption applies to data in each of its states, whether at rest, in use or in motion. An encryption strategy can be combined with authentication services to guarantee that only authorized users can access your organization’s data.

Data encryption is typically of two types:

  1. Symmetric Encryption

    A single key is used for both encryption and decryption. Every authorized user has access to that key, which is what grants access to the data.

  2. Asymmetric Encryption

    Data is encrypted and decrypted using a mathematically related pair of keys. The public key is used to encrypt data, and the private key is used to decrypt it. The private key is kept secret, whereas the public key is shared with everyone.

States of the Data

There are three basic states of data within any organization. Data must be safeguarded throughout its lifecycle if it is to be secure.

  1. Data at Rest

    Data at rest encryption prevents data from being visible in case of unauthorized access. Organizations can encrypt sensitive files before they are moved or use full-disk encryption to encrypt the entire storage medium. Users need an encryption key to read encrypted data.

  2. Data in Motion

    Data in motion is data travelling across any internal or external network. Encryption plays a major role in protecting it, and it should always be encrypted while in transit.

  3. Data in Use

    Data in use is data being actively processed, as in big data analytics, where processing the data helps an organization analyze and gain insight into trends as they occur.

For Example: Suppose Bob wants to send Alice a picture of a cheeseburger. Bob took the picture on his smartphone, which has stored it ever since – the cheeseburger photo is currently data at rest. Bob views the photo and attaches it to an email, which loads the photo into memory – it becomes data in use (specifically by his phone’s photo viewer and email applications). Bob taps “Send” and the email with the attached photo travels over the internet to Alice’s email service; it has become data in transit.

Data at Rest

Data at rest encryption is like locking away important papers in a safe. Only those with the key can access the stored papers; similarly, only parties with the encryption key can access data at rest. Encrypting data at rest protects it from negative outcomes like data breaches, unauthorized access, and physical theft. Without the key, the data is useless.

Different technologies can protect data at rest, including the following:

FDE (Full Disk Encryption)

For PCs, laptops, and portable electronic devices that can be lost or stolen, FDE is very helpful. The encrypted data will be inaccessible to the thief even if the device is taken. Because one key is used to encrypt the entire hard drive, FDE requires network administrators to enforce a strong password policy and provide an encryption key backup process in case employees forget their passwords or leave the company unexpectedly.

FDE works by automatically converting data on a hard drive into a format that can’t be understood by anyone who doesn’t have the key to undo the conversion. In particular, the hard drive is changed from plaintext that can be read to a ciphertext that can only be read after being converted back to plaintext using a key. Even if the hard drive is taken out and put in another system, the data won’t be accessible without the right authentication key.

FDE is often installed on computing devices at the time of manufacturing. For instance, BitLocker, which is present in some versions of Microsoft Windows, and FileVault, which is part of the macOS operating system, both enable FDE. Both offer a recovery path if a user forgets the password: FileVault can escrow its recovery key to Apple iCloud, while BitLocker can store recovery information in Active Directory.

On all Windows-based devices, Microsoft also provides Device Encryption, which secures data by encrypting the drive.
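The key-backup requirement described above is easiest to see in code. The following is an added example, not code from the original article or from BitLocker or FileVault: a toy model of an FDE key hierarchy in which a random volume key encrypts the disk contents and is itself wrapped twice, once under a key derived from the user's password and once under an escrowed recovery key. The cipher inside (an HMAC-SHA256 keystream with an HMAC tag) and all function names are hypothetical illustrations; real FDE uses AES-XTS or similar from a vetted library.

```python
"""Toy model of a full-disk-encryption key hierarchy (added example, stdlib only).

A random volume key encrypts the disk contents. That volume key is wrapped under a
key derived from the user's password AND under a recovery key that is escrowed
elsewhere, so a forgotten password is recoverable and a password change only
re-wraps the volume key instead of re-encrypting the whole disk. The cipher below
(HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC) is an illustration only."""
import hashlib
import hmac
import os
import secrets

BLOCK = 32  # bytes of keystream produced per HMAC-SHA256 call


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (toy stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + (i // BLOCK).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key fails here, not with garbage output."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Slow password-to-key derivation; this is where a weak password policy hurts."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def provision_volume(password: bytes, disk_contents: bytes):
    """Return (volume_metadata, recovery_key). The recovery key must be escrowed
    (the AD / iCloud backup in the text) and never stored next to the volume."""
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    volume = {
        "salt": salt,
        "wrapped_by_password": seal(derive_kek(password, salt), volume_key),
        "wrapped_by_recovery": seal(recovery_key, volume_key),
        "ciphertext": seal(volume_key, disk_contents),
    }
    return volume, recovery_key


def unlock_with_password(volume: dict, password: bytes) -> bytes:
    volume_key = unseal(derive_kek(password, volume["salt"]), volume["wrapped_by_password"])
    return unseal(volume_key, volume["ciphertext"])


def unlock_with_recovery(volume: dict, recovery_key: bytes) -> bytes:
    volume_key = unseal(recovery_key, volume["wrapped_by_recovery"])
    return unseal(volume_key, volume["ciphertext"])


def change_password(volume: dict, old_password: bytes, new_password: bytes) -> None:
    """Re-wrap the volume key under the new password; the bulk ciphertext is untouched."""
    volume_key = unseal(derive_kek(old_password, volume["salt"]), volume["wrapped_by_password"])
    volume["salt"] = os.urandom(16)
    volume["wrapped_by_password"] = seal(derive_kek(new_password, volume["salt"]), volume_key)


if __name__ == "__main__":
    vol, rk = provision_volume(b"correct horse battery staple", b"constructed sample: payroll.xlsx")
    print(unlock_with_password(vol, b"correct horse battery staple"))
    change_password(vol, b"correct horse battery staple", b"new-password")
    print(unlock_with_recovery(vol, rk))  # recovery still works after the password change
```

The point to take from the model is that an employee who forgets the password, or leaves unexpectedly, does not cost the organization the data as long as the recovery key was escrowed at provisioning time; without that second wrap there is no way back.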

MDM (Mobile Device Management)

MDM technology manages data on mobile devices. It can limit access to some corporate applications, restrict access to the device itself, or encrypt data on phones and tablets. It serves the same purpose as regular encryption if a device is lost, but once data is moved off the device it no longer remains encrypted.

Data at rest still makes an attractive target for attackers, who may aim to encrypt the data and hold it for ransom, steal the data, or corrupt or wipe the data. Whatever the method, the end goal is to access the data at rest and take malicious actions:

  • Ransomware is a type of malware that, once it enters a system, encrypts data at rest, rendering it unusable. Ransomware attackers decrypt the data once the victim pays a fee.

  • A data breach can occur if data at rest is moved or leaked into an unsecured environment. Data breaches can be intentional, such as when an external attacker or malicious insider purposefully accesses the data to copy or leak it. They can also be accidental, such as when a server is left exposed to the public Internet, leaking the data stored within.

  • Physical theft can impact data at rest if someone steals the laptop, tablet, smartphone, or other devices on which the data at rest lives.

How to secure Data at Rest

  • Implementing encryption solutions is one of the best and simplest ways for businesses to start shielding their data at rest from employee negligence. Organizations can encrypt employee hard drives using the native encryption tools provided by operating systems, such as Windows BitLocker and macOS’ FileVault. This ensures that a thief cannot read the data without the encryption key, even after booting the computer from a USB device.

  • We should also provide physical security to devices and storage media where data is stored. It should be difficult for an attacker to physically access a device or storage media and steal the data. For example, if a company keeps sensitive data in file servers, databases, or workstations, then the physical security of the building is essential.

Data in Motion

If data is not encrypted while being transported between devices, it can be intercepted, taken, or leaked. Data in motion is susceptible to man-in-the-middle attacks, for instance, so it is frequently encrypted to prevent interception. Data should always be encrypted whenever it travels across any internal or external network.

Data in motion can be encrypted using the following methods:

  1. TLS/SSL

    TLS/SSL is the most widely used cryptographic protocol for data in motion. TLS provides an encrypted channel at the transport layer, for example between message transfer agents (email servers). The certificates used with SSL/TLS bind a public key to an identity, and the public and private key pair is used to set up the encrypted session that protects private conversations sent over the internet.

  2. HTTPS

    HTTPS is the secure variant of HTTP. It protects users from man-in-the-middle (MitM) attacks and eavesdroppers. HTTPS is typically used to secure connections over the internet, but it has also become a common way to encrypt communication between browsers and web hosts and between hosts in cloud and non-cloud environments. HTTPS is simply HTTP carried over an SSL/TLS connection that is authenticated with a certificate.

  3. IPsec

    Internet Protocol Security (IPsec) is used, for example, by the iSCSI (Internet Small Computer System Interface) transport layer to protect data in motion. IPsec encrypts the data sent between two devices so that an eavesdropper cannot read its contents. Because IPsec employs strong cryptographic algorithms such as Triple Data Encryption Standard (Triple DES) and the Advanced Encryption Standard (AES), it is widely used as the transit encryption protocol for virtual private network (VPN) tunnels. IPsec can also use certificates to authenticate the endpoints. To keep data in motion secure, encryption technologies can also be integrated with existing enterprise resource planning systems.

How to Secure Data in Motion

  1. Encrypt the data itself before the data travels over a network. For example, if we are transmitting data over the internet, we should first encrypt the data and then transmit it.

  2. If data is transmitted over a connection, we should use encryption to secure the connection first. For example, if data is transmitted between two hosts, we can use a VPN to establish a secure connection between the two hosts first and then transmit the data.
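Securing the connection first (step 2) only helps if the client verifies who is on the other end. The block below is an added example, not code from the original article: it builds a TLS client context with Python's standard `ssl` module in both the recommended form and the "just disable verification" form that often creeps into scripts, and audits either one. The helper names are hypothetical.

```python
"""Client-side TLS configuration audit (added example, stdlib only).

Encrypting data in motion protects it only when the client actually verifies the
server's certificate and hostname. The weak context reproduces the common
insecure shortcut; the audit function flags it."""
import ssl


def make_client_context(verify_peer: bool = True) -> ssl.SSLContext:
    """Build a client context. verify_peer=False reproduces the insecure shortcut."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 explicitly
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression can leak plaintext
    if not verify_peer:
        ctx.check_hostname = False                # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still allowed (minimum_version below TLSv1_2)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


def open_secure_connection(host: str, port: int = 443):
    """Not exercised here (needs a network): wrap a TCP socket with the strict context.
    server_hostname is what drives the hostname check."""
    import socket
    sock = socket.create_connection((host, port))
    return make_client_context(True).wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("strict:", audit_client_context(make_client_context(True)))
    print("weak:  ", audit_client_context(make_client_context(False)))
```

Running the audit over every context an application creates (or over the equivalent settings of whatever TLS library is in use) is a cheap way to catch the case where a connection is encrypted but effectively anonymous, which is exactly the man-in-the-middle exposure the text warns about.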

Data in Use

Because encryption only provides security while the decryption keys and the decrypted data are completely out of an attacker’s reach, environments in which the keys or the data are in use usually need alternative controls. When using cloud services, businesses should look for a solution such as an HSM that keeps their keys safe and independent of the service provider.

How to secure Data in Use

  1. We should use encryption to encrypt the data wherever possible.
  2. We should take proper security measures to ensure that data in use is not being shared with unauthorized parties illegitimately or accidentally.


Asymmetric encryption, in the form of a Public Key Infrastructure (PKI), is the most widely used method of securing email. PKI is also frequently used for managing key distribution and validation, and it consists of the following:

  1. A certificate authority (CA), an organization that issues and validates digital certificates. A certificate is a digital record that proves ownership of a public key.
  2. A registration authority (RA), which verifies a requestor on behalf of the certificate authority before a digital certificate is issued.
  3. The encryption process itself, which hides information using a mathematical technique called a cipher. For encryption to work, a key is needed to decrypt the information for the intended receivers. Unencrypted data is known as plaintext, and encrypted data as ciphertext.

How does email encryption work

Public-key cryptography, also known as asymmetric encryption, is the basis for email encryption. A pair of keys, one public and one private, is assigned to each email address. The public key encrypts messages as they are sent and is available to everyone. The email account’s owner is the only one with access to the private key. Once the public key has encrypted a message into an unreadable jumble, only the associated private key can decrypt it.

We must encrypt all our emails, not just those that contain critical information, so that an attacker cannot single out the sensitive ones. As scams like phishing and spoofing grow more common, email encryption offers protection from potentially harmful links and impersonated identities. End-to-end email encryption secures the data sent via email so that only the sender and the receiver can access and read it.

Applications of Email Encryption

  1. Eavesdropping

    An attacker uses a computer to intercept the radio communications between your PC and a wireless router. With encrypted email, only the holder of the private key can decrypt the message.

  2. Spamming and Phishing

    Phishing emails pose a severe security risk, unlike the unsolicited spam you receive from advertisers. Phishing messages are sent to obtain your sensitive information, such as banking details and login credentials, and they frequently impersonate reputable companies. Storing passwords as hashes, implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance), and encrypting sensitive data add a layer of security.

  3. Spoofing

    Email services, like postal services, do not need an accurate return address to deliver a message. A cybercriminal can forge an email’s return address to make it appear as though it was sent from a reputable account, even though it wasn’t. You can use email signing certificates to stop this kind of attack by ensuring that every individual within your organization signs their emails to demonstrate trust.

Building your strategy

Seven essential components can aid in the development of a successful end-to-end strategy:

  1. SSL Decryption

    Encryption is a fantastic way to safeguard data, but it is also a fantastic way to conceal threats. Different encryption techniques have different data-handling capacities and key requirements for decryption, and most network security tools cannot decrypt and inspect HTTPS (SSL) traffic.

    As more services – like Facebook, Twitter, YouTube, Google Search, and DropBox, to name a few – utilize SSL encryption to help protect consumers, they unintentionally make it more difficult for businesses to ensure that harmful code isn’t leaking into network traffic. Cyber attackers are taking advantage of this weakness; thus, it’s crucial to consider SSL decryption technology when selecting the appropriate encryption solutions for your business to secure visibility into crucial data at points of entry and outflow.

    Tools used to decrypt SSL/TLS traffic for inspection include:

    • Gigamon GigaSMART SSL/TLS Decryption
    • Fidelis Decryption
    • A10 Networks Thunder SSLi

  2. Key Management

    Protect your keys. Whatever other security measures are in place, the company is vulnerable to attack if keys and certificates are not securely safeguarded. Many firms lack a clear understanding of their inventory and have thousands of keys and certificates.

    They do not know which systems the keys and certificates grant access to, how they are used, or who is responsible for them. Organizations must know which keys and certificates are used in the network, who has access to them, and how and when they are used. Centrally managing keys and certificates gives a comprehensive overview of the organization’s inventory and is the first step toward acquiring this data. It also makes it possible to detect unusual activity, such as rogue self-signed certificates.

    • Encryption Key Lifecycle Management

      While managing the lifecycle of encryption keys can be difficult for organizations with many keys, it is necessary to verify the integrity of the keys and, consequently, the integrity of the data itself. From the moment they are created through their entire lifecycle of initiation, distribution, activation, deactivation, and termination, keys must be protected using a trustworthy key management solution.

    • Heterogeneous Key Management

      A centralized key management platform provides unified access to all encryption keys and a 360-degree “single pane of glass” view of the overall strategy. Requiring that all keys be controlled from the same place and in the same fashion makes it possible to build a detailed picture of how the keys are being used and, more crucially, whether they are being accessed improperly.

      Without a comprehensive solution for heterogeneous key management, the company would constantly be searching for rogue keys and battling to guarantee that encrypted data is reliable and can be decrypted when needed.

  3. Certificate Management

    To function securely, every system that is connected to the internet or another system needs at least one digital certificate. That said, maintaining PKI for a company or a business unit typically requires an administrator to manage hundreds or even thousands of certificates. Each individual certificate is linked to several factors, each of which is unique, including:

    • Varying expiration dates (and hence renewal requirements)
    • Issuance by multiple certificate authorities
    • Unique system vulnerabilities that need to be individually monitored and addressed

    To maintain their effectiveness, these certificates must also be continually checked. To prevent the system from being filled with undesirable certificates, administrators must have control over who can request and approve certificates. All these processes are impossible to handle on manual systems like spreadsheets, prompting the need for a specialized certificate management process.
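The factors listed above (per-certificate expiry, multiple issuing CAs, per-certificate weaknesses) and the rogue self-signed certificates mentioned under key management are all questions you can ask of an inventory once it exists outside a spreadsheet. The following is an added example, not code from the original article: it runs those checks over a constructed inventory of certificate records. The record fields, the approved-issuer list, the host names and the dates are all constructed for the example.

```python
"""Certificate inventory review (added example; constructed sample data).

Given one record per deployed certificate, report what an administrator must act
on: expired or soon-to-expire certificates, self-signed or unapproved issuers,
and weak keys. Groups by issuer and a renewal calendar give the overview view."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertRecord:
    host: str
    subject: str
    issuer: str
    not_after: datetime
    key_bits: int


APPROVED_ISSUERS = {"CN=Corp Issuing CA 1", "CN=Corp Issuing CA 2"}  # constructed

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible

INVENTORY = [  # constructed sample inventory
    CertRecord("www.example.test", "CN=www.example.test", "CN=Corp Issuing CA 1", NOW + timedelta(days=200), 2048),
    CertRecord("api.example.test", "CN=api.example.test", "CN=Corp Issuing CA 2", NOW + timedelta(days=12), 2048),
    CertRecord("legacy.example.test", "CN=legacy.example.test", "CN=Corp Issuing CA 1", NOW - timedelta(days=3), 1024),
    CertRecord("build01.example.test", "CN=build01", "CN=build01", NOW + timedelta(days=3650), 2048),
    CertRecord("vendor.example.test", "CN=vendor.example.test", "CN=Some Public CA", NOW + timedelta(days=90), 2048),
]


def review_inventory(inventory, now=NOW, renew_within_days=30, min_key_bits=2048):
    """Return (host, finding) pairs an administrator should act on."""
    findings = []
    for c in inventory:
        if c.not_after <= now:
            findings.append((c.host, "expired"))
        elif c.not_after - now <= timedelta(days=renew_within_days):
            findings.append((c.host, "renew soon"))
        if c.subject == c.issuer:
            findings.append((c.host, "self-signed"))      # the rogue certificate case
        elif c.issuer not in APPROVED_ISSUERS:
            findings.append((c.host, "issuer not approved"))
        if c.key_bits < min_key_bits:
            findings.append((c.host, "weak key"))
    return findings


def by_issuer(inventory):
    """Group hosts by issuing CA: the first view needed to know who issued what."""
    groups = {}
    for c in inventory:
        groups.setdefault(c.issuer, []).append(c.host)
    return groups


def renewal_calendar(inventory, now=NOW):
    """Hosts in order of expiry with days remaining (negative means already expired)."""
    return sorted(((c.not_after - now).days, c.host) for c in inventory)


if __name__ == "__main__":
    for host, finding in review_inventory(INVENTORY):
        print(f"{host}: {finding}")
    print(by_issuer(INVENTORY))
    print(renewal_calendar(INVENTORY))
```

In practice the inventory records come from scanning endpoints or from the CA's issuance logs, and the same review runs on a schedule so that an expiry or an unexpected self-signed certificate is reported before it causes an outage or hides an unauthorized service.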

  4. Communication with HSMs

    Hardware Security Modules (HSMs) are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures. Some hardware security modules (HSMs) are certified at various FIPS 140-2 Levels. The access control mechanisms and procedures for connecting with the HSM must be extremely secure because it houses the most sensitive data (crypto keys).

    HSMs are used for critical infrastructure; they are expensive to buy and maintain, and access should not be given to everyone. For interfacing with them, PKCS #11 is the industry’s best-known and most widely used standard. The PKCS #11 standard, formally the “PKCS #11 Cryptographic Token Interface Base Specification,” was created by RSA Labs in 1994. The most recent version, 2.40, was developed in collaboration with OASIS.

    PKCS #11 is one of the more narrowly focused technical standards: it specifies common public-key cryptography operations and their platform-independent programming interfaces. It defines a platform-agnostic cryptographic token API that works with HSMs and smart cards, and every vendor that sells HSMs implements support for it.

    For Microsoft Windows deployments the API is delivered as a DLL; for Linux deployments, as a shared object (.so) file. The API implements the most common symmetric and asymmetric tokens and keys (DES/Triple DES, AES, RSA and DSA keys, and X.509 digital certificates), together with the hashing and encryption operations needed to create, modify, and discard these crypto tokens.

  5. Collaboration

    The development of an encryption scheme requires coordination. The best way to approach it is as a major project that involves management, IT, and operations. First gather essential data from stakeholders to identify the rules, legislation, policies, and outside factors that will affect decisions about purchasing and implementing new technology. The next step is identifying high-risk locations, including laptops, portable electronics, wireless networks, and data backups. An encryption strategy can then be developed to close the identified gaps.


Several software solutions can help protect data, even though each addresses different vulnerabilities and attack routes: firewalls, antivirus software, DLP tools, and encryption strategies all protect data in motion and at rest. Data exists in three states depending on its movement: at rest, in use, and in motion. Data at rest is data that is not being transmitted from one device or network to another; it includes local data on computer hard drives, archived data in databases, file systems, and storage infrastructure.

Data in use is data that is currently being updated, processed, erased, accessed, or read by a system and is held in IT infrastructure such as RAM, databases, or CPUs; it is being actively used rather than passively stored. Data in motion is data being transferred from one location to another, whether between computers or virtual machines, from an endpoint to cloud storage, or across a private or public network. Data in motion becomes data at rest once it reaches its destination.

About the Author

Ambika Rastogi is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.
