Every file, every place, every time

While there are endless File and Folder Encryption (FFE) products on the market, not all are created equal. Many File Level Encryption (FLE) solutions establish security silos for “sensitive” Data or Data users deem the most important, and even then not in all three states (in-transit, in-use, and at-rest). The problem is, in today’s highly connected and work-everywhere world, isn’t all Data important?

With our unique approach to Data encryption, you no longer have to decide what Data to protect. Our SecureData technology protects everything, in every place, all the time. It does this by making encryption an inherent property of your Data, as opposed to a collection of reactive systems, restrictive tools that impact usability, and incomplete policies that can never keep up.


How to choose the best encryption software

When comparing encryption solutions, we recommend asking these three questions before making a decision:

Does the encryption software offer proactive protection?

If there’s anything the past few years have taught us, it’s that all the bells, whistles, and consulting in the world can’t predict the future. To stay ahead of every threat, every time, proactiveness is key. The problem is, many encryption solutions require active user involvement. If the approach isn’t completely proactive and it places a burden on the user, it’s only natural that these users will find their own (unsecure) methods to get on with their day-to-day work.

Our approach removes the human element to make protection an inherent part of the Data.

Is the encryption software designed to provide 100% protection?

Full Disk Encryption (FDE or sometimes volume encryption) that protects nominated storage devices sounds powerful but the reality is, it only protects Data on a dormant system (please see the FAQs below on the distinction between FDE and File Level Encryption or FLE). To us, security is either 100% or 0% and our FLE is really 100% for every file, every place, and every time.

Our encryption software can be configured to provide this 100% protection. We protect every file (including those on legacy and in-house custom applications), every place (from endpoints to the cloud and back), and every time (in-transit, in-use, and at-rest).

Is the encryption software protecting Data at the endpoints?

It’s important to ensure that the Data protection is provided at the point where it’s being processed so that there are no security gaps, and that no Data in any state (in-transit, in-use, and at-rest) is left vulnerable. When encryption is processed at a server instead of at the endpoint, it leaves gaps that can result in Data being unavailable for legitimate users, available to unauthorized users, or even sent across networks unprotected. 

Our approach protects each and every file at the endpoint and everywhere else.

Why is PKI-based encryption important?

Once you clear the three questions above, the devil is in the details of how the encryption keys are paired and managed. Public Key Infrastructure (PKI) provides a trusted certificate authority for asymmetric encryption, linking unique keys for each user and each of their files. SecureAge PKI-based (i.e. asymmetric) File Level Encryption guarantees three distinct advantages:

File level user authentication

PKI-based Data encryption uses unique encryption keys for each file, while at the same time, building authentication into Data. That means, every time that the Data is accessed the identity of the request is checked, and every file is always protected, in every location - no matter where it is copied.

This differs from other encryption solutions that rely only on symmetric encryption as they have no way of authenticating each user against each file. With access to this single symmetric encryption key, any user can access any Data for any purpose.

Natural and secure file sharing

Asymmetric PKI techniques can be applied in a way that the encryption is an inherent part of the Data and therefore invisible to the user. Symmetric encryption, on the other hand, uses proprietary mechanisms to store and share keys, reducing security and adding an administrative burden to perform key rotation.

With protection and user authentication inherent at the file level, users can naturally create shared folders anywhere they need them. Secure file sharing for a bespoke audience is as simple as creating a folder on your desktop.

Easier compliance

Some industry security standards require that each individual encryption key is not re-used 'too often,' leading to a need for 'key rotation'. The idea is that the more times a key is used, the more likely it is that it will be cracked.

Unlike with SecureAge where each file is encrypted with its own unique key, competitive solutions applying a limited number of keys need to offer a key rotation tool that enables administrators to replace old keys with new. Our asymmetric approach significantly increases data security, while minimising resources required - both in hardware and in human resources - for key management.

Other frequently asked questions about Data encryption

What is the difference between Full Disk Encryption (FDE) and File Level Encryption (FLE)?
As its core function, Full Disk Encryption (FDE) protects everything that is on a computer’s hard drive, including the OS, user files, and any type of Data therein. That protection, however, exists only when the machine is turned off and the FDE encryption key is not present. A recent Data breach investigation notes that only 4% of Data breaches are due to the theft of laptops and other storage hardware; FDE does not help with the remaining 96%.
 
File Level Encryption (FLE), on the other hand, encrypts individual files with or without actions by the end-user. This encryption can remain whether the computer is on or off, whether the file is open or closed, and whether those files are moving or are at-rest. The SecureAge approach to FLE includes the benefits of FDE for Data files at-rest and also extends protection to files in-transit and in-use; every file, every place, and every time.
 
In other words, the “full” in FDE does not mean what most people think it does – real Data security provides protection for 100% of your files in all three states of usage, anywhere they go, and any way they’re used.

What is the performance impact from SecureAge PKI-based File Level Encryption?

Our PKI-based encryption is faster than the graphical user interface, which makes it so fast that your employees will never notice. We "stream" Data from the disk, through our encryption engine and into memory so the application does not need to wait for the whole file to be decrypted before use. In fact, the file remains encrypted on disk all of the time.

Modern processors will provide an instruction set specifically for encryption so these security activities do not rob any time from your normal processing cycles. Our government clients who run large databases and typically experience performance hits (due to the combination of CPU, RAM, hard drive performance, and network connection), have been able to minimise performance impact with our solutions.

How easy is it to work with Data encrypted by SecureAge technology? What about Databases?
It's just as easy to work with Data encrypted using SecureData as it was before you installed SecureAge. SecureData works as part of the file system. As an application opens and starts to read a file it is drawn from the file system into RAM. SecureData simply decrypts the Data during this process of "streaming" into memory. Working this way, SecureData supports every process and every application which reads and writes files - even things like the search indexer, which means that users can still search their files even though they're encrypted.

SecureData seamlessly supports Databases. Many organisations have to maintain database systems from different vendors, and purchasing the vendor-specific TDE (Transparent Data Encryption) add-on for each database is expensive. SecureData supports every database system without causing any disruption and requiring no additional database configuration. And because SecureData encrypts all files, you can be assured that sensitive Data held in report, log and temporary files, in addition to unstructured Data, will remain encrypted all the time.

Databases can of course be very large, but SecureData still keeps Data held in the file system encrypted all the time. As each "page" of Data is passed into system memory it is decrypted - not the whole database. This approach ensures good performance while keeping stored Data secure. From the user's point of view there is no difference - they can still work in exactly the same way, running reports, searches and other transactions.

What encryption algorithms are available with SecureAge technology?
Symmetric algorithms include the popular AES (Advanced Encryption Standard) known for its speed and flexibility; everyday Wi-Fi, VPNs, and SSL for example rely on AES. The SecureAge PKI-based approach is different in that it relies on asymmetric algorithms such as RSA without a detectable impact on performance. In addition to RSA, our technology also includes the latest advancements in asymmetric ECC (Elliptic Curve Cryptography).

Our unique approach also allows us to plug in any encryption algorithm that our customers prefer. Many of our government and research clients prefer their own bespoke algorithms and we’re able to extend that level of comfort and compliance to everyone, everywhere.

Why does SecureAge technology rely on Asymmetric Encryption to lock and protect files?
SecureAge's PKI-based encryption uses asymmetric cryptography, providing each user with their own unique key. Each file is encrypted and then locked with the user's unique, personal key so that even privileged users (like Edward Snowden) cannot access Data they have not specifically been granted access to. Symmetric encryption (the technique used by other solutions – just check for yourself) applies the same key across files and users, which means that many users share the same key giving wide access to large amounts of data. As mentioned in the section above on “Why is PKI-based encryption important?,” asymmetric encryption also allows for natural and secure file sharing between users.

SecureAge uses PKI-based asymmetric encryption to remove the trade-off between proven Data Security and Usability. End users don’t even need to be aware that they are using SecureAge and can work as they normally do, sharing files securely and thinking about things other than cybersecurity.

How does SecureAge technology make key management easy?
SecureAge uses a unique Data encryption key for each file so the number of times a Data encryption key is used has limited scope. Access to decrypted Data is managed through authenticated access to PKI-based credentials. Renewal of digital certificates is fully automated, as is the use of the correct certificate for each Data access request.
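
The per-file key scheme described here and under "File level user authentication" can be sketched as generic hybrid (envelope) encryption with Node.js's built-in `crypto` module. This is an added example, not SecureAge's code; the user names, helper names and envelope layout are assumptions made for illustration.

```javascript
// Added illustration of generic hybrid (envelope) encryption; not SecureAge code.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical user record: the RSA key pair stands in for PKI-issued credentials.
function makeUser(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Lock a file key to one user by encrypting it with that user's public key.
function wrapKey(fileKey, user) {
  return crypto.publicEncrypt({ key: user.publicKey, ...OAEP }, fileKey);
}

// Recover the file key; fails if the file was never encrypted for this user
// or if the private key does not match the wrapped entry.
function unwrapKey(envelope, user) {
  const wrapped = envelope.wrappedKeys[user.name];
  if (!wrapped) throw new Error(`file is not encrypted for ${user.name}`);
  return crypto.privateDecrypt({ key: user.privateKey, ...OAEP }, wrapped);
}

// Every file gets a fresh random AES-256-GCM key, wrapped once per recipient.
function encryptFile(plaintext, recipients) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = {};
  for (const r of recipients) wrappedKeys[r.name] = wrapKey(fileKey, r);
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// GCM authentication makes decryption fail loudly on a wrong key or tampered data.
function decryptFile(envelope, user) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', unwrapKey(envelope, user), envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Sharing re-wraps the existing file key for a new user; the ciphertext is untouched.
function shareFile(envelope, owner, newUser) {
  envelope.wrappedKeys[newUser.name] = wrapKey(unwrapKey(envelope, owner), newUser);
}
```

Deleting a user's entry from `wrappedKeys` does not revoke a file key that user has already unwrapped; revocation requires re-encrypting the file under a new key.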
    What happens if there is a network problem? How are the keys backed up?
    As mentioned above, an important consideration in choosing an encryption product is whether it authenticates users and secures Data at the endpoints. Our encryption software authenticates the user at the endpoint, providing access to their encryption keys which are stored locally in either soft or hard tokens. If a file is encrypted for the authenticated user then access will be granted without any need to request keys from a server. This means that network issues will not affect SecureAge decryption or encryption at the endpoints – whether in the office or on an aeroplane, users do not need to be connected to the network to access files.

    In addition to being stored at the endpoint, keys are backed up centrally using our Security Management Server. Many customers also employ Hardware Security Modules (HSM) as a physical key repository. A user whose machine becomes faulty, or who simply forgets their credentials, can have their backed up keys re-issued so that their data is once again fully available to them. SecureAge is compatible with all HSM manufacturers and we have multiple deployments and projects with our main HSM partner, Utimaco.
    How does SecureAge technology work with DLP tools?
    Data Loss Prevention (DLP) tools and processes perform content inspection and contextual analysis of data in-transit, in-use, and at-rest to try and prevent leaks of “sensitive” Data outside authorized channels. Although we know there’s no such thing as “sensitive” data (ALL Data matters and Data protection is either 100% or 0%), DLP is considered a pillar of many types of compliance and therefore an important check-box for organizations.

    SecureAge encryption is compatible with DLP tools and procedures, allowing all processes to run on the same machine without interruption (e.g. content searches, database queries, other scanning). Every approved application on a system can access all of the encrypted data in real time as if the Data is not encrypted at all. Unlike competitive encryption techniques, SecureAge technology seamlessly integrates with your favourite DLP solutions and more.
    How does SecureAge technology work with SIEM systems?
    SecureAge's comprehensive and detailed logging system can easily be integrated with any SIEM system. SecureAge delivers logs and alerts that can be consumed by the SIEM system so that administrators are alerted to important events while providing full background information for forensic analysis.
    How can SecureAge technology secure cloud-based Data storage?
    The SecureAge approach of encrypting Data at the endpoint means that Data is protected from its first creation right through its lifespan, while your organisation alone controls the securing encryption keys. Where organisations use cloud-based services and applications, it is common for users to download information from those systems, for example, reports, statistics, and material for documents. Recognising that this “ad-hoc” Data is likely to be scattered throughout the network, SecureAge technology ensures that this potentially sensitive information is protected.
    What are the limitations of Full Disk Encryption (FDE)?
    FDE is essentially hardware security. Everything on the hard drive of a computer running FDE – from the OS to applications to files to metadata – will be encrypted when that hardware shuts down. FDE ensures that nothing on that machine can be stolen without the encryption key.

    But when that machine is turned on, the encryption key is entered, and the hard disk is spinning so that the Data on it can be used, FDE no longer protects any of it. All of the files can be removed as plain, unencrypted Data.

    FDE is great if someone steals your laptop from your bag. But it's not so great for the way real people use and lose Data every day. We need to turn our machines on to access our Data, and that’s precisely when FDE can’t help.
    What are the limitations with Transparent Data Encryption (TDE)?
    TDE does not protect unstructured files outside the vendor’s database. Today, most applications make use of unstructured Data but TDE does not encrypt such data, leaving it vulnerable to mis-use and theft.

    TDE does not protect the vendor’s temporary and log files. TDE considers temporary, log and report files unimportant and as a result, they are unsecured. These files can, however, contain sensitive or proprietary information.

    TDE is database-specific, meaning you'll need separate TDE licences for each database software, and each license will need to be managed separately - costly and time consuming.
    What are the limitations with Homomorphic Encryption?
    Homomorphic encryption is too slow to be practical, with performance hits around 50,000 times that of working with plain Data. This is compared to the tried and true invisible impact of SecureAge PKI-based File Level Encryption.

    Homomorphic encryption requires application modifications. Businesses will need to rewrite or modify their original or more free-form applications whereas our PKI-based encryption does not interfere with other applications and works alongside them.
    What are the limitations with Format Preserving Encryption?
    Format Preserving Encryption (FPE) sounds cool but is limited to structured and well-defined Data sets where users know what they have (e.g. credit card numbers). Data is rarely this clean and neat in the real world.

    FPE is limited to one algorithm, the Advanced Encryption Standard (AES) which NIST identified as “no longer suitable as a general purpose FPE method.” While AES can be part of your solution, it can’t be your entire solution.

    Hyper FPE sounds even cooler but it requires significant trade-offs between Data protection and usability; our belief is that only inherent and invisible protection without user involvement is truly secure 100% of the time. Hyper FPE also requires that some Data be plain to run certain types of analytics and applications.
    What are the limitations with Multiparty Computation?
    While Secure Multiparty Computation has the attractive property of being able to work on encrypted Data without decrypting it, each application's software must be modified in order to benefit. This technology undoubtedly has its place, but is more suited to very specific applications rather than for general use. Because SecureAge technology is invisible to both applications and users, it can be deployed into existing environments without disruption – and without expensive software updates.
    What are the limitations with Tokenization?
    Tokenized Data is dead weight in that you can’t actually use it for real-time analytics. Since users are aware of how the Data is tokenized, they can find ways to work around it if they choose to do so. Non-tokenized Data is still plain and can lead to identity theft or non-compliance; GDPR considers tokenized Data loss a reportable breach unlike encrypted Data loss which is not.

    Tokenization negatively impacts performance because it can’t take advantage of the AES-NI subset of Intel processors like encryption can, directly hitting the CPU.

    Our technology has a 19-year history of ZERO plain Data breaches

    Our founder, Dr Ngair Teow Hin combined more than a decade’s worth of research with his no-nonsense mindset to create SecureData. Ignoring outdated tribal knowledge, SecureData’s innovative PKI-based technology protects every file, every place, and every time.

    This proactive and pervasive style of Data protection quickly attracted governments who were trying to overcome the problems caused by reactive systems, restrictive tools, and constantly changing cybersecurity policies. SecureData has been the encryption solution of choice for public entities in Singapore, Tokyo, and Hong Kong since 2003.

    Industry certified


    Our internal Data security and information management systems received ISO 27001 certification from SOCOTEC Certification International in 2013.

    This ongoing certification ensures that our headquarters remains compliant with ISO 27001 information security management standards for all on-premise Data held.

    Common Criteria

    Our unique encryption technology, SecureData, is undergoing Common Criteria Certification to certify the reliability, quality and trustworthiness of this solution.

    Common Criteria (CC) Certification provides an independent and objective validation and can be relied upon to help make informed IT purchasing decisions. It is recognised across 31 countries, and a requirement of hardware and software devices used for national security by the U.S. Federal Government, among others, as well as some highly regulated industries globally.

    Federal Information Processing Standards
    Our file-level encryption technology, SecureData, is currently undergoing the Federal Information Processing Standards (FIPS) certification. This certification will further validate our compliance with industry-leading security standards. The FIPS certification assures businesses that our technology has passed rigorous testing by an accredited lab, and meets a stringent set of requirements that are designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with.

    Regarded as the de-facto standard for encryption by both government and non-government organisations, FIPS certification is considered the minimum benchmark for cybersecurity standards outside the United States. FIPS Certification has also been adopted by authorities in other countries, including Canada and Japan, as well as across other industries that require high-performing security including the financial, energy, and telecommunications sectors.

    We are pleased to inform you that UL Verification Services Inc. (UL) has completed their testing of SecureData and submitted a Validation Test Report to the Cryptographic Module Validation Program (CMVP) recommending they issue a certificate of validation.

    No more playing cat-and-mouse

    Get truly proactive and pervasive encryption 
