1) How do you describe the differences between tokenization and encryption?
Encryption takes the original value of sensitive data and through mathematics, generates a new value. The mathematics is what makes this value secure. Ultimately, the recipient needs the real value, so a key that supports the mathematics is shared between two parties. At the end of the day, your protected data is still being passed through networks and stored in databases, and you are at the mercy of whoever might gain access to the key. There are a lot of challenges in protecting and securing encryption keys, and most organizations struggle with the responsibility of properly and consistently securing and rotating those keys.
Tokenization uses mathematics too, but in a different way. Tokenization uses mathematics to randomly generate a value that is completely unrelated to the data that needs protection. Compromising the token or the mathematics behind the generation of the token does not yield the protected data. The security is based on storing the original data in a Secure Token Vault. The token representing the data holds no value without access to the Token Vault. The responsibility of protecting the data shifts from the company holding and protecting the key, to the provider of the Token Vault. The Token Vault provider is much better equipped to secure the data because access to the vault is more granularly controlled and audited.
2) Where is encryption best applied?
Encryption is most appropriate during transmission of sensitive data. This prevents anyone in-between the sender and the recipient from looking at the data. Encryption at rest is also important for data that is stored on removable media or in places where theft might occur. Sometimes, people think encryption is the panacea for security, which gives them a false sense of security. Ultimately, the question is who controls the encryption keys and how is access to those keys managed and audited.
3) Where is tokenization best applied?
Tokenization is most appropriate for active data that is being used by many people or business processes throughout an organization. Payment data is an example of active data that is stored and processed by many systems. The challenge in using encryption with active data is that every person and business system needs to have a key to decrypt the information, which increases the risk of the key being stolen, and with it the data. With tokenization, using active data in business processes greatly reduces the risk of data being stolen.
4) As the data security industry continues to question which method works best, what is your advice – use both? Layer them? How to apply appropriately?
Both methods are appropriate to use throughout your organization. Encryption can be applied in multiple ways throughout the organization to protect network traffic carrying sensitive documents. Tokenization is better applied to specific data elements like credit card numbers or social security numbers, where the documents need to pass and be used by multiple people and processes, while protecting certain pieces of the document. Layering the two methods, in a payment stream for example, creates an even more flexible and secure environment. Encryption can be used at the point of data entry to immediately safeguard the payment data, even before it is transmitted to the Secure Token Vault and the token returned for storage and subsequent processing. In this scenario, sensitive data never enters the IT business environment, so only tokens are ever passed among people and business processes.
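To make the distinction in answers 1 and 3 concrete, and the layering in answer 4, here is an added example (not from the original interview, and not any vendor's product) of a toy Secure Token Vault written in Python. The `TokenVault` class, the caller names and the sample card number are all constructed for illustration. It shows the three properties the text relies on: the token is generated with a random source rather than derived from the card number, so nothing about it (beyond the deliberately preserved last four digits) can be inverted; the mapping back to the real value lives only in the vault; and detokenization is gated per caller and audited, which is where the "more granularly controlled and audited" access comes from.

```python
import secrets
import string


class TokenVault:
    """Hypothetical Secure Token Vault for demonstration only.

    Holds the only copy of the PAN <-> token mapping, decides who may
    detokenize, and records every request in an audit log.
    """

    def __init__(self, authorized=None):
        self._by_token = {}          # token -> PAN (the sensitive value)
        self._by_pan = {}            # PAN -> token (so re-tokenizing is stable)
        self.authorized = set(authorized or ())   # callers allowed to detokenize
        self.audit_log = []          # (action, caller, outcome) tuples

    def tokenize(self, pan: str, caller: str) -> str:
        """Return a format-preserving token for a card number (PAN)."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._by_pan:
            # Same card seen again: hand back the existing token, never a second one.
            self.audit_log.append(("tokenize", caller, "existing"))
            return self._by_pan[pan]
        while True:
            # Random digits from a CSPRNG for every position except the last four,
            # which are kept so receipts and support staff can still identify the card.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (astronomically unlikely) cases of reproducing the PAN
            # itself or colliding with a token already issued.
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        self.audit_log.append(("tokenize", caller, "new"))
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the real PAN for a token, but only to an authorized caller."""
        if caller not in self.authorized:
            self.audit_log.append(("detokenize", caller, "DENIED"))
            raise PermissionError(f"{caller} is not permitted to detokenize")
        pan = self._by_token.get(token)
        if pan is None:
            self.audit_log.append(("detokenize", caller, "unknown-token"))
            raise KeyError("unknown token")
        self.audit_log.append(("detokenize", caller, "ok"))
        return pan


if __name__ == "__main__":
    # Constructed sample: the well-known Visa test number, not a real card.
    vault = TokenVault(authorized={"payment-processor"})
    token = vault.tokenize("4111111111111111", "checkout-app")
    print("token handed to business systems:", token)
    print("processor recovers:", vault.detokenize(token, "payment-processor"))
    try:
        vault.detokenize(token, "marketing-app")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in vault.audit_log:
        print("audit:", entry)
```

The point of the `secrets` call is that the token's digits come from the operating system's random source rather than from any transformation of the PAN, so a stolen token, or full knowledge of the generation code, tells an attacker nothing about the card; only the vault's mapping does, and that mapping is reachable solely through `detokenize`, where the access decision and the audit entry are made. In the layered deployment of answer 4, the `tokenize` call would be the step the point-of-entry system reaches over an encrypted channel, and only the returned token would flow onward into the business environment.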