
Data Encryption

Definition

Data encryption is the process of transforming readable information (plaintext) into an unreadable form (ciphertext) using a cryptographic algorithm and a secret key, so that only authorized parties can recover the original data. Encryption is commonly applied to protect confidentiality for data at rest (stored in databases, files, backups, endpoints, removable media) and data in transit (moving across networks, APIs, email, or between services).

In an ISO/IEC 27001-aligned information security management system (ISMS), encryption is typically selected as a risk treatment and implemented as part of cryptographic controls to reduce the likelihood and impact of unauthorized disclosure. Comparable expectations also appear in other security frameworks as cryptographic protection controls.

Effective encryption depends on more than choosing a strong algorithm: it requires defined scope (what data, where, and when), appropriate cryptographic settings, secure key generation and storage, access controls around keys, rotation and revocation processes, and monitoring to detect misuse. Encryption complements—but does not replace—controls like identity and access management, segmentation, logging, backups, and secure configuration. Organizations should also plan for operational realities such as performance, recovery (e.g., key loss), and evidence that encryption is consistently enforced.

Real-World Examples

Startup SaaS protects customer records

A startup encrypts customer data stored in its production database and uses encrypted connections for all API traffic, with documented key rotation and access restrictions for administrators.

Enterprise endpoint and media encryption

An enterprise enforces full-disk encryption on laptops and encrypts removable media, with centralized recovery procedures and audit logs to support investigations and compliance reviews.

SMB secures file storage with separated keys

A small or mid-sized organization encrypts sensitive files before storing them in object storage and separates encryption keys from the data, ensuring only approved services can decrypt content.

Encryption converts readable data into ciphertext using an algorithm and a secret key. Only someone with the correct key (and permitted access) can decrypt the ciphertext back into usable information.

Encryption at rest protects stored data such as files, disks, databases, and backups. Encryption in transit protects data while it moves across networks, such as web traffic, APIs, and service-to-service communication.

Organizations commonly use symmetric encryption (e.g., AES) for bulk data and asymmetric cryptography (e.g., RSA or elliptic-curve methods) for key exchange, authentication, and digital signatures in secure protocols.

AES-256 refers to the AES algorithm using a 256-bit key size. When implemented correctly with secure configurations and key management, it is widely considered strong for protecting sensitive data.

Key management covers how encryption keys are generated, stored, accessed, rotated, revoked, and recovered. Weak key management can undermine strong encryption by enabling unauthorized decryption or permanent data loss.

Safe rotation typically uses staged processes such as re-encrypting data with new keys, maintaining backward decryption capability during transition, validating recovery procedures, and ensuring access controls and logging remain intact.
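As an added example (not part of this glossary entry or any WatchDog Security code), the Go program below models the staged rotation described above: every ciphertext carries the version of the key that produced it, older versions keep decrypting until records have been re-encrypted under the current key, and a retired version can no longer decrypt anything. The keyring is a simplified in-memory stand-in for a KMS or HSM, and the one-byte version header is an assumed record format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring keeps AES-256 key versions (version = index+1) apart from the data.
type Keyring struct{ keys [][]byte }
// random returns n bytes from the CSPRNG; if that fails nothing here is safe.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// Rotate adds a new key version for new writes while older versions stay
// readable; Retire revokes a version once no stored record depends on it.
func (k *Keyring) Rotate()       { k.keys = append(k.keys, random(32)) }
func (k *Keyring) Retire(v byte) { k.keys[v-1] = nil }
func (k *Keyring) gcm(v byte) (cipher.AEAD, error) {
	if v == 0 || int(v) > len(k.keys) || k.keys[v-1] == nil {
		return nil, fmt.Errorf("key version %d is unknown or retired", v)
	}
	block, _ := aes.NewCipher(k.keys[v-1]) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}
// Encrypt emits version byte || 12-byte nonce || AES-GCM ciphertext and tag;
// the version byte is bound as associated data so it cannot be swapped.
func (k *Keyring) Encrypt(pt []byte) ([]byte, error) {
	g, err := k.gcm(byte(len(k.keys)))
	if err != nil {
		return nil, err
	}
	hdr, nonce := []byte{byte(len(k.keys))}, random(g.NonceSize())
	return g.Seal(append(hdr, nonce...), nonce, pt, hdr), nil
}
// Decrypt selects the key named in the header, then verifies the tag and opens.
func (k *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 13 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	g, err := k.gcm(blob[0])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[1:13], blob[13:], blob[:1])
}
```

Migration is Decrypt followed by Encrypt; only after every record carries the current version should the old version be retired, and a re-encryption run should be logged as rotation evidence.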

Encryption is reversible with a key, enabling authorized recovery of the original data. Hashing is one-way and is used for integrity checks and password storage. Tokenization replaces data with a surrogate value and relies on a mapping system.

Whether to encrypt at the storage layer or the application layer depends on risk and architecture. Storage-layer encryption is easier to standardize, while application-layer encryption can provide stronger separation of duties and limit who can decrypt, but adds complexity for operations and search/analytics.

Common evidence of encryption controls includes encryption policies and standards, architecture diagrams, configuration screenshots or settings exports, key management procedures, access logs for key usage, rotation records, and test results showing encryption is enforced.

Encryption and access controls are both needed. Access controls limit who can reach systems and data, while encryption reduces exposure if data is accessed or copied without authorization. Together they provide layered protection and stronger risk reduction.

Version  Date        Author                           Description
1.0.0    2026-02-26  WatchDog Security GRC Wiki Team  Initial publication