Data Security: Tokenization vs. Encryption

    Data is the new gold. Today, all businesses, whether large or small, collect, store, receive or transmit data to a certain degree. Irrespective of which device, technology, or process is used to manage, store or collect it, this data must be protected. That is where data security enters the picture.

    Data security refers to a set of processes and practices designed to protect this digital information from unauthorized access, corruption, or theft throughout its life cycle. When properly implemented, robust data security strategies protect an organization’s assets against cybercriminal activities and against insider threats and human errors.

    Although data security is a concept that encompasses every aspect of information security, we shall restrict our discussion to file and database encryption solutions. These solutions serve as a final line of defense for sensitive information by obscuring its contents through encryption or tokenization. Let’s take a closer look at the two terms related to data security.

    What is Encryption?

    Data encryption is a term for the process of using an algorithm to transform plain text information into an unreadable form called ciphertext. This ciphertext is generated using an encryption key. To decrypt this unreadable text to its original plain text format, one would require an algorithm and a decryption key.

    There are two primary approaches to encryption:

    • Symmetric Key Encryption. In symmetric key encryption, a single key is used to both encrypt and decrypt the information. This method is analogous to a key that can be used to lock and unlock the door of a house. The significant drawback of this encryption is that if the key is compromised, it can unlock all of the data it was used to secure. 
    • Asymmetric Key Encryption (or Public-Key Encryption). This method uses two different keys: a public key for encryption and a private key for decryption. It was developed to combat the compromised-key problem by allowing multiple parties to exchange encrypted data without managing the same encryption key. In addition, the public key can be freely distributed, since it only locks the data and never unlocks it.

    Applications of Encryption

    • Encryption is one of the most common methods of obscuring sensitive information. Thousands of businesses around the globe use encryption to secure the following types of sensitive data:
      • Cardholder data (CHD)
      • Payment card information (PCI)
      • Personal data
      • Personally identifiable information (PII)
      • Nonpublic personal information (NPI)
      • Financial account numbers and many other types of data
    • SSL (Secure Sockets Layer) encryption is commonly used to protect information transmitted on the Internet. 
    • Millions of people encrypt data on their computers or phones using built-in encryption capabilities of operating systems or third-party encryption tools. This encryption helps protect against an accidental loss of sensitive data in case of theft of said computer or phone. 
    • Encryption can also thwart government surveillance and theft of sensitive corporate data.

    What is Tokenization?

    Tokenization as a term comes from the Payment Card Industry Data Security Standard (PCI DSS). It is a process of turning a meaningful piece of data into a random string of characters called a token. A token has no meaningful value, and it only serves as a substitute for the actual data. As a result, it cannot be used to guess the original data in case of a breach. That’s because tokenization, unlike encryption, does not use a cryptographic method to transform sensitive information into ciphertext.

    There is no algorithm or key that can be reversed to derive the original data. Instead, tokenization uses a token vault database that stores the relationship between the token and the sensitive value. Optionally, the real data in the vault can be further secured via encryption, thus offering a dual layer of data security.

    The design of a token is also given due consideration to make it more useful and user-friendly. For example, when you receive a message on your phone informing you of any online transaction, the last four digits can be preserved in the token. So the tokenized number would be displayed as “*******1234”. 

    This is done so that you can still see a reference to the actual bank account number or the card number used for payment. In such a case, for security purposes, the merchant only has a token, not a real card number.

    Applications of Tokenization

    The most common application of tokenization is protecting payment card data. It helps merchants reduce their obligations under the Payment Card Industry Data Security Standard (PCI DSS).

    For processing a card payment, the token is submitted to the vault, where an index is used to fetch the corresponding real value of that token for the authorization process. For the end-user, this operation is seamlessly performed by the browser or application almost instantaneously.

    Tokens are increasingly used to secure other types of sensitive or personally identifiable information, including email addresses, telephone numbers, account numbers, social security numbers, and so on.

    Encryption vs. Tokenization

    Encryption and tokenization differ in many ways, but the primary difference between the two is the method of security each uses. While tokenization uses a token to protect the data, encryption uses a key.

    Other major differences include:

    • Encryption is easy to scale for large data volumes since it uses keys to encrypt or decrypt data. With tokenization, it is rather difficult to scale up securely while retaining the performance metrics as the database increases in size.
    • We can use encryption for both structured fields and unstructured data (such as entire files). In contrast, tokenization can only be used for structured data fields (such as payment cards or Social Security numbers).
    • While encryption makes it easy to exchange sensitive data with third parties (who have the encryption key), tokenization makes data exchange difficult since it requires direct access to a token vault mapping token values.
    • One of the drawbacks of encrypting data is that it breaks functionalities such as sorting and searching. To that end, new format-preserving and searchable encryption schemes were developed to protect information without sacrificing end-user functionality, although such schemes come with a trade-off of lower encryption strength. With tokenization, you can maintain the format without sacrificing any strength of security.
    • With encryption, the original data leaves the organization, but in an encrypted form. With tokenization, the original data never leaves the organization, thus satisfying certain compliance requirements.

    What’s Best for Your Business: Tokenization or Encryption?

    The simple answer is both, whenever possible. That said, there are nuances to employing either method.

    When tokenization is performed locally, the key material (whether an AES key or a tokenization table of any sort) must be present on the endpoint. For local operations, the key material is downloaded from a server and used, introducing network latency into the system. If operations are performed remotely, that key material is more secure since it remains on the remote server. In contrast, encryption can be offered both locally and as a web service. Since it eliminates network latency once that key is initially downloaded, local operations are robust and fast.

    Tokenization also suffers from scalability issues. As the number of issued tokens increases, collisions are likely to occur more frequently.
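
    The vault lookup, the last-four-digits token format, and the collision handling described above, as an added example that is not code from the original article. `TokenVault`, `masked` and the in-memory dictionaries are hypothetical stand-ins for a real vault database, and the card numbers are constructed samples.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the token vault database (hypothetical)."""

    def __init__(self, rng=secrets.randbelow, max_attempts=100):
        self._token_to_value = {}  # token -> real card number
        self._value_to_token = {}  # real card number -> token already issued
        self._rng = rng            # rng(n) returns an int in [0, n)
        self._max_attempts = max_attempts
        self.collisions = 0        # candidates rejected because already taken

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        for _ in range(self._max_attempts):
            # Random digits: no key or algorithm exists that could be reversed.
            head = "".join(str(self._rng(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]  # keep the last four digits for display
            if token == pan or token in self._token_to_value:
                self.collisions += 1  # grows more frequent as the vault fills
                continue
            self._token_to_value[token] = pan
            self._value_to_token[pan] = token
            return token
        raise RuntimeError("no free token found; token space too crowded")

    def detokenize(self, token: str) -> str:
        """Vault lookup used at authorization time; KeyError if unknown."""
        return self._token_to_value[token]


def masked(token: str) -> str:
    """Display form such as ************1234."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111234"  # constructed sample number, not a real card
    token = vault.tokenize(pan)
    print(token, masked(token), vault.detokenize(token) == pan)
```

    Two cards that share their last four digits compete for the same slice of the token space, which is why the uniqueness check inside `tokenize` must run against the vault on every issuance.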

    By far, the biggest drawback of encryption is that it employs a mathematical process to encrypt data, which makes it reversible. By design, any form of encrypted data can be returned to its original, unencrypted form. And because of this reversible nature, governing entities tasked with enforcing regulatory compliance still view encrypted data as sensitive data. 

    Hence, organizations can expect significant additional expenditure in purchasing supplementary solutions to sufficiently protect this encrypted data. Further, these costs are compounded by the significant expenses involved in meeting compliance obligations for other business areas.

    As more enterprises continue to move their data to the cloud, data security methods such as encryption and tokenization will be used extensively for securing data stored in cloud services. These security measures are robust in their own ways, each having its benefits and drawbacks. However, both hold equal value in keeping the digital world secure for both enterprises and end users.

    Kashyap Vyas
    Kashyap Vyas is a writer with 9+ years of experience writing about SaaS, cloud communications, data analytics, IT security, and STEM topics. In addition to IT Business Edge, he's been a contributor to publications including Interesting Engineering, Machine Design, Design World, and several other peer-reviewed journals. Kashyap is also a digital marketing enthusiast and runs his own small consulting agency.