Encryption of 100 percent of all web applications with REST protection

Pfungstadt, June 01, 2024 - While classic security ensures that cyber criminals do not gain access to networks and files, data protection is more concerned about the content of confidential and sensitive information. Personal information, secret company plans, financial and business data, development information and much more must not fall into unauthorized hands, either internally or externally.

Data protection is therefore one of the most important disciplines for organizations - not only to comply with regulations and laws, but also to protect the company from reputational damage, penalties or even espionage. The difficulty with data protection is that sensitive information cannot simply be locked away, because companies want to work with the data. It must therefore be available to authorized personnel in a protected manner. With REST-based data encryption, both data protection and the ability to work with the data unhindered are satisfied. Ömer Tekin, Technical Project Manager at eperi, explains how this works.

Mr. Tekin, data encryption itself sounds like a sensible, not overly complex solution for implementing data protection. What challenges do organizations face with data encryption?

That's right, data protection is completely fulfilled with encrypted data. Absolutely no one outside the organization that has the keys can view the information. And this is precisely the problem. Because you can't work with data that can't be read - which is obviously not an option in today's digital economy.
Instead, modern data encryption - whether on-premises or in a private or public cloud - must include interaction with the applications. And a data protection solution with encryption based on the REST protocol is suitable for this.

Why is this technology, of all things, the key element for data protection?

The difficulty with function-preserving data encryption, i.e. protecting information while at the same time being able to work with the data in a meaningful way, is the many different technologies used to create application software. It is not possible to simply intervene in the code of hundreds of applications to make the previously encrypted data visible again.
The advantage of REST-based encryption is that around 80 percent of web applications are based on this communication standard. This gives us the opportunity to encrypt the data with an encryption gateway while still allowing the application to work.

How can we imagine this data protection in practice?

First and foremost, it is important that the entire process of the REST protection solution with encryption, tokenization and integrated key encryption management runs completely unobtrusively in the background and is neither noticed by the user nor requires constant monitoring by the administrator. Sensitive data that is used in applications for online reservations, online shopping or cloud applications such as HubSpot, HRworks, Personio or ServiceNow, for example, is seamlessly protected using REST protection. No additional development effort is required, nor do existing applications have to be extensively reprogrammed. The encryption policies can be defined centrally and easily for any endpoint and scaled for different applications. The data is encrypted or tokenized according to these specifications before it enters the native REST process. In this way, XML bodies and data within CSV files, as well as other attachments, can also be protected. It is even possible to encrypt files such as .docx, .xlsx, .pdf, .csv, etc., as a whole.

And how do companies and organizations comply with data protection regulations?

Implementing data protection with the help of REST technology is one way of making it compliant. In addition, function-preserving data encryption can also be achieved in the gateway for non-REST-based applications with so-called templates - for Microsoft 365, for example. The most important thing - regardless of whether with REST or with encryption templates - is that sensitive data is never available in plain text outside the environment controlled by the company.

What additional recommendations would you give to companies that want to achieve data protection with encryption technology?

It is important that the encryption of the data is guaranteed in every state, especially when the information leaves the company on its way to the cloud. Secondly, it is essential that it remains possible to work with the data despite encryption.
One particular aspect that we have not yet addressed is absolute sovereignty over encryption. Data protection is only guaranteed if the keys and the encryption process are exclusively in the hands of the company. So it doesn't help if an IT service provider, an encryption provider or even a cloud provider can also access the keys. It would be like locking your front door and giving the spare key to an untrustworthy neighbor.

Thank you for the interview Mr. Tekin and the exciting insights into data protection with a REST protection solution.