Building a foundation of trust through robust security.
Encryption, often described as the art and science of hiding information, plays a variety of roles in maintaining data security and privacy. Encryption primarily ensures the confidentiality of information, and can be used to further enforce access and use restrictions as required.
Encryption is widely acknowledged to be a fundamental aspect of the reasonable security necessary to protect personal information, and encryption solutions are an important aspect of the modern digital enterprise. Some regulations, such as IRS Publication 1075, require certain types of information to be encrypted using specified technology while the information is in storage or being transmitted over the internet. Other regulations, such as the GDPR and CCPA, don’t require encryption, but recognize the important role it plays in securing personal information.
In addition to direct guidance from regulatory authorities, courts were considering whether data was encrypted long before the GDPR and CCPA were enacted. Courts would often observe that encryption was an industry standard practice for confidential information, and provide greater relief from liability to companies that had encrypted data when compared to those that had not. These prior holdings are now reflected in laws like the CCPA and GDPR. For example, the CCPA protects companies from certain types of lawsuits in the event of a data breach if the information in question was encrypted and the person with unauthorized access lacked the encryption key. And the European Commission Article 29 Data Protection Working Party provides guidance that “Encryption is therefore absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity.”
Encryption strategies for legal compliance can vary based on the state of the data as well as its classification. Data is generally considered to be in one of three states: in transit, at rest, or in use. Data in transit is data that is actively moving from one network to another, such as when it is moved from local storage to a cloud-based storage account. Data at rest is inactive data that is not actively moving between networks, such as data stored on a hard drive, device, or cloud storage account.
Encryption of data, particularly personal information, in transit is largely viewed as an absolute requirement for the protection of confidentiality. For data at rest, a variety of security measures other than encryption can be implemented to protect against unauthorized access, modification, or deletion. In these cases, encryption is seen less as a requirement for the protection of personal data, provided that other measures are implemented in its place. For enterprises storing personal information of those covered by the CCPA, however, encryption of data at rest can limit legal actions in the event of a data breach and should be considered as part of a legal mitigation program regardless of any additional security measures in place.
NetApp offers a variety of encryption solutions, depending on which products or services you use. These include both hardware and software encryption solutions, at either the volume or disk level, as well as encryption key management solutions for the administration of the keys used to encrypt and decrypt data.
For customers of NetApp Cloud Data Services, encryption is managed under the shared responsibility model, with storage-level encryption managed through the applicable cloud storage provider. Our public cloud services provider partners provide their own encryption solutions: Amazon Web Services, Microsoft Azure, and Google Cloud Volumes Service.
European Data Protection Authority guidance on the importance of encryption in the protection of personal information under GDPR.
Hardware and software encryption solutions utilizing NetApp ONTAP solutions.
Key management solutions to enable centralized management of encryption keys.