The Importance of Data Encryption
By Robert Brown III
October 6, 2024
Encryption of data is the best way to prevent someone from reading and using it. Data encryption is the last line of defense against data thieves and other bad actors. Unfortunately, almost no one actually encrypts their data. As a result, their data is vulnerable to attack.
Worse, most users of the data do not demand that it be encrypted because they believe that it already is! They believe that their data is already secure because of HTTPS, VPNs, or other communication methods that provide encryption. This is not necessarily true, and as a result their data is vulnerable.
In this paper, we will explore the encryption methods used to protect data used by a web application, explain how they differ from actual data encryption, and show how actual data encryption can protect data from unauthorized access.
Network Encryption
The way that most systems protect data is through network encryption. This is usually done through the use of Hypertext Transfer Protocol Secure (HTTPS), which is an application protocol that encrypts the communication between the browser and the web application that handles a database. This is illustrated in Figure 1.
Figure 1: Encryption using HTTPS
HTTPS encrypts all requests going from the Browser to the Web Application. So when a user requests, for example, a list of patients, that request is encrypted before it is sent to the Web Application. The Web Application, upon receiving the request, gets the list of patients from the database and returns that list back to the browser as a response. Since the response is returned through HTTPS, it is encrypted once again before being sent to the browser.
Note that in Figure 1, the Browser can access the Web Application from anywhere. This is because the Internal Network (Intranet) is exposed to the Internet. This means that the Browser can access the Web Application from within the Internal Network or from the Internet.
There are, however, times when systems can be protected by making them invisible to the Internet. In order to access such systems over the Internet, a user has to log onto a Virtual Private Network (VPN). A VPN makes the protected Internal Network visible to those who log into it. This is illustrated in Figure 2 below.
Figure 2: Protected Network with a VPN
Note that the VPN also encrypts all communication between the Browser and the Web Application, making it private. This means that all communications will be encrypted, regardless of whether or not they are using a secure communication method. When a user is using HTTPS, the VPN actually adds encryption to the HTTPS encryption.
Data Vulnerability
The network encryption systems described above are excellent for protecting communication between the user and the application(s) they may use. Unfortunately, they do not actually protect the data. A hacker without an account can still access the data in the database in a number of ways, including breaking into the Host Machine and querying the database, as shown in Figure 3.
In Figure 3, a hacker finds a way to get inside the Internal Network, finds the Host Machine, and queries the database. While a database generally has its own authentication designed to prevent unauthorized persons (or applications) from accessing it, the Web Application usually has the necessary credentials in order to perform its task. If the hacker can acquire those credentials (and they usually can), they can query the database and acquire everything in it. If, for example, the hacker was seeking to acquire patient data, then all of it can be grabbed from the database.
Granted, there are many safeguards on and around the Host Machine designed to prevent hackers from getting onto it and accessing the database. These safeguards include firewalls, administration accounts with difficult-to-guess passwords, carefully set access controls, and even 2-Factor Authentication. The problem is that hackers keep finding ways around those defenses, which is one reason why there are so many data breaches. A means must be utilized to prevent a hacker from getting the data, even if they can get into the database itself.
Figure 3: A Hacker Break-In Scenario
The way to prevent hackers from being rewarded by their access to a database is to actually encrypt the database. The result of database encryption is illustrated in Figure 4.
Figure 4: Hacking an Encrypted Database
As the figure shows, a hacker successfully breaks into a Host Machine, compromises the database credentials, and performs queries to get the data. Since the actual data in the database is encrypted, the hacker gets “gobbledygook” instead of the data.
The Web Application, on the other hand, has the ability to access the data and decrypt it — or even send it encrypted to the legitimate user’s browser for decryption. In this manner, the data remains secure and accessible only to those who should have access to it.
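The scenario in Figure 4, as an added example that is not part of the original paper and is not Protectorus code: the application encrypts a patient field before storing it, so a query made with the database credentials alone returns ciphertext, while the application decrypts with its key. The table and column names, the choice of AES-256-GCM from the Python cryptography package, and the key being held outside the database are assumptions of this sketch.

```python
import os
import sqlite3
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: in production the key comes from a KMS/HSM or secret store kept
# apart from the database credentials; it is generated here so the demo runs.
KEY = AESGCM.generate_key(bit_length=256)

def encrypt_field(key, patient_id, column, plaintext):
    """AES-256-GCM; the row id and column name are bound as associated data."""
    nonce = os.urandom(12)  # fresh nonce for every encryption
    aad = f"{patient_id}:{column}".encode()
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), aad)

def decrypt_field(key, patient_id, column, blob):
    aad = f"{patient_id}:{column}".encode()
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad).decode()

def build_db(key):
    """Constructed sample data: two patients with an encrypted diagnosis."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, diagnosis BLOB)")
    for pid, diagnosis in [(1, "hypertension"), (2, "type 2 diabetes")]:
        db.execute("INSERT INTO patients VALUES (?, ?)",
                   (pid, encrypt_field(key, pid, "diagnosis", diagnosis)))
    return db

def raw_query(db):
    """What anyone holding only the database credentials sees."""
    return db.execute("SELECT id, diagnosis FROM patients ORDER BY id").fetchall()

def app_query(db, key):
    """What the Web Application returns after decrypting with its key."""
    return [(pid, decrypt_field(key, pid, "diagnosis", blob))
            for pid, blob in raw_query(db)]

def swapped_row_rejected(db, key):
    """A ciphertext copied from row 2 into row 1 fails authentication."""
    blob_row2 = raw_query(db)[1][1]
    try:
        decrypt_field(key, 1, "diagnosis", blob_row2)
    except InvalidTag:
        return True
    return False

if __name__ == "__main__":
    db = build_db(KEY)
    print("raw:", raw_query(db)[0][1].hex())
    print("app:", app_query(db, KEY))
```

The protection holds only while the key is harder to reach than the database credentials; a key stored in the same configuration file as those credentials would be acquired along with them.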
Conclusions
It should be noted that using an encrypted database does not remove the need for all the other defenses used to secure the data. Firewalls, administration accounts, and other defenses should still be in place. The encrypted database should be the last line of defense against hackers attempting to steal data.
At Protectorus, we utilize all the defenses needed to keep hackers out of our databases, but we also encrypt our databases in the event that a hacker gets past our defenses. We have found that the actual encryption of data prevents even the best hackers from being able to use it, even if they find a way to access it.