Encryption
Definition
Encryption is the process of converting plaintext data into ciphertext using cryptographic algorithms and keys, rendering it unreadable to unauthorized parties. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted). It is a foundational control required by virtually every compliance framework and is critical for protecting sensitive information from unauthorized access.
Encryption Types
Encryption at Rest
Protects stored data on disks, in databases, backups, and storage devices. Implemented as full-disk encryption, database-level encryption, or file-level encryption. AES-256 is the standard algorithm.
Encryption in Transit
Protects data being transmitted across networks. Implemented through TLS 1.2 or later for web traffic, VPNs for network connections, and encrypted protocols for email and file transfers.
End-to-End Encryption
Data is encrypted at the source and only decrypted by the intended recipient. Prevents intermediate systems (including service providers) from accessing plaintext data.
Framework Requirements
HIPAA -- encryption is addressable but practically essential; properly encrypted ePHI is exempt from breach notification
PCI-DSS -- Requirement 3 mandates encryption of stored cardholder data; Requirement 4 requires encryption in transit over open networks
SOC 2 -- encryption is expected as part of security criteria for protecting data confidentiality and integrity
ISO 27001 -- Annex A.8.24 requires use of cryptography including key management policies
CMMC -- NIST 800-171 requires FIPS-validated encryption for protecting CUI at rest and in transit