Implementing enterprise encryption can be a daunting and complex process. Organizations struggle with questions such as: What data should be encrypted? Where should encryption occur?
In a recent SHARE presentation, Eysha Powers, Software Engineer at IBM, discussed various encryption techniques available and the pros and cons of each. She also advised how to work within available budget and resources to layer multiple crypto technologies, protecting sensitive data against the threats specific to your environment.
Powers described the levels of encryption as a pyramid, where the bottom represents the widest coverage and the top offers complexity in the form of granular control over applications. Here’s an overview of the various layers, including the advantages and costs involved in each.
Full Disk and Tape Encryption
At the bottom of the pyramid, full disk and tape encryption offers the broadest coverage: 100 percent coverage for data at rest, with zero host CPU cost. This encryption protects at the DASD subsystem level against intrusion, tampering or removal of physical infrastructure.
With full disk and tape encryption, a number of people within your environment can still view the protected data, such as your security admin, data owner, Db2 admin and storage admin. Data center technicians, however, won’t be able to view it, even though they are able to remove the storage device.
Full disk and tape encryption is fairly low cost to configure, implement and maintain. Having just one encryption key means there’s minimal key management required, and there’s no application overhead or real manpower needed.
File or Dataset Level Encryption
The next level up the pyramid is file or data set level encryption, which provides broad coverage for sensitive data using encryption tied to access control, for in-flight and at-rest data protection. Data set encryption offers the ability to eliminate storage admins from the compliance scope; at this level, both storage admins and data center technicians won’t be able to view encrypted data.
Key management is the biggest area where you’ll have to do some work and planning, since data set encryption uses protected encryption keys managed by the host. It’s still fairly low cost overall, but key management requires some resources: defining what the keys are, what the naming conventions will be, associating keys with data sets, and so on. Nonetheless, file or data set level encryption allows you to encrypt in bulk, with low overhead.
Database Encryption
Database encryption provides protection for very sensitive in-use (Db level), in-flight and at-rest data, with granular protection and privacy managed by the database. Database encryption allows for highly selective encryption and granular key management control of sensitive data, encrypting sensitive data at the Db2 row and column levels and IMS segment level.
Database encryption is low cost for the most part, but Powers warns that there are a couple of elements that may add up. You’ll have to set up and manage a key, but once that’s set up it should be fairly straightforward. Additionally, you may have application outages to implement encryption, and you’ll need to consistently make updates according to regulatory changes.
Application Encryption
At the very top of the encryption pyramid, application encryption is used to selectively protect hyper-sensitive data, like PAN credit card data, when lower levels of encryption are not available or suitable. Data protection and privacy are provided and managed by the application. One advantage of application encryption is how highly granular it is; for example, you could encrypt just four bytes of data if you wanted to.
But that granularity also means there are high costs associated with configuration, implementation and maintenance. You’ll need a robust team that has the skills to write, develop and test your application. Application encryption requires ongoing maintenance, key management, application outages to implement, and attention to regulatory changes and new business requirements.
Ultimately, no one encryption technology will be sufficient on its own. As Powers recommends, work to weave together some combination of full disk and tape encryption, file or data set level encryption, database encryption, and application encryption to create the best crypto strategy for your organization.
Have questions about the various levels of encryption, or which one might be right for you? Watch the full video from Eysha Powers’ “The Encryption Pyramid: Choosing the Level That Works for You” presentation in the SHARE Content Center.