Enterprise information security gets more complicated every year. Our glossary of data security terms can help you stay up to date on the technologies and concepts you're likely to encounter as you address your organization's cybersecurity challenges.

Advanced Encryption Standard (AES)
A specification for symmetric-key encryption and the strongest, most widely adopted standard for data encryption in use today. When AES is implemented correctly, there are no known cryptographic attacks that can break it. A brute force attack on a 256-bit AES key, using all computing resources on Earth, would take billions of years to complete.
Asymmetric Encryption
An approach to encryption in which two different (but mathematically related) keys are used for encryption and decryption. Asymmetric encryption was introduced in the 1970s and is commonly used in secure messaging applications and to protect data transmissions between web browsers and servers. Asymmetric encryption is also the basis for public-key infrastructure.
Backdoor
An intentionally introduced vulnerability in a cryptosystem that allows those with knowledge of the vulnerability to access encrypted information. While some politicians have advocated the use of mandated backdoors for law enforcement purposes, most cybersecurity experts agree that any form of backdoor creates a fatal weakness in a cryptosystem.
Brute-Force Attack
An attempt to access encrypted information by trying all possible keys until the correct decryption key is found. While brute-force attacks can easily defeat primitive encryption methods, they are computationally infeasible against more advanced methods like AES-256.
Certificate Authority
A company that issues public-key certificates. The certificate authority signs the certificate to warrant that it issued the certificate and has received satisfactory documentation of the certificate owner's identity.
Ciphertext
The unreadable text resulting from an encryption operation. Plaintext is converted to ciphertext using an encryption algorithm and an encryption key. If a strong encryption algorithm such as AES-256 is used and the key is kept secret, no one without the key will be able to derive the plaintext from the ciphertext.
Client-Side Encryption
A data protection technique in which information is encrypted on a user device (client) before being transmitted to a server. Client-side encryption is an alternative approach to server-side encryption, in which data is not encrypted until after transmission.
Cryptanalysis
Mathematical analysis of a cryptographic system with the goal of deciphering encrypted information without knowledge of the key.
Cryptosystem
A collection of protocols for encrypting and decrypting information. Cryptosystems include algorithms for generating keys (and the methods used to exchange them), along with the algorithms used for encryption and decryption.
Data-Centric Security
An approach to cybersecurity that focuses on protecting data itself, rather than relying on firewalls or other forms of perimeter security to keep data safe. Data-centric security strategies typically take an organization-wide, policy-based approach to finding, classifying, and protecting sensitive data. These strategies are rapidly gaining popularity as organizations look for ways to address the challenges of data proliferation and evolving cyber threats.
Data Classification
The process of adding metadata tags to files, to indicate what type of information is contained in the files and how the data should be used. Data classification is an important element of data-centric security, and is typically performed in conjunction with data discovery before encryption or another form of protection is applied.
Data Discovery
The process of scanning files to determine what types of data they contain. Data discovery is typically used (along with data classification) to identify files that need to be secured using encryption or other data protection techniques.
Digital Certificate
A special message that contains a public key and identity information about the owner, usually including name and perhaps email address. An ordinary, end-user digital certificate is digitally signed by the certificate authority to warrant that the authority issued the certificate and has received satisfactory documentation of the owner's identity. This warrant, from a trusted certificate authority, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate.
Encryption
A form of data protection in which sensitive information (plaintext) is converted into an unreadable series of characters (ciphertext) using an algorithm and an encryption key. Once data is encrypted, it can be converted back into plaintext using the proper decryption key and algorithm.

PKWARE's Smartcrypt is the only data security platform that combines data discovery, data classification, and data protection into a single workflow.

Encryption Algorithm
A series of computational steps used in converting plaintext into unreadable ciphertext.
Encryption Key
A unique data string that, together with the plaintext, determines the output of an encryption algorithm.
End-to-End Encryption
Can be used to describe any implementation of encryption in which data is encrypted at the point of creation and remains encrypted as it travels to its destination. The term is most often applied to secure messaging apps and other communication channels.
File System Encryption
A data encryption technique in which encryption and decryption take place at the file system layer of a protected device. When paired with user-based access controls, file system encryption can prevent unauthorized data access on a given device; however, the protection is lost when data is copied or transmitted to another device.
Full Disk Encryption
A data encryption technique in which encryption and decryption take place at the physical storage layer of a device. Since decryption occurs as soon as the device is powered on and data is read from the disk, full disk encryption only provides protection against physical theft of the storage medium.
Key Exchange
The process of sharing cryptographic keys so that two or more people can exchange and access encrypted information. Key exchange often poses a significant challenge: when used in symmetric encryption, keys must be shared with authorized users while being kept secret from others, and when used in asymmetric encryption, keys must be authenticated by a trusted authority.
Key Generation
The process of creating cryptographic keys for use in encryption and decryption. Keys are typically generated using cryptographic algorithms, using random data as a seed value to ensure that the key output cannot be predicted.
Key Management
The series of tasks needed to ensure that cryptographic keys are created and used so that authorized users can access encrypted information, while unauthorized individuals or groups cannot. Key management can include a wide range of tasks depending on the size and complexity of the organization, but typically includes key generation, key exchange, key rotation, key revocation, and key storage.

Find out how PKWARE's innovative Smartkey technology streamlines the key management process and makes enterprise-wide encryption a reality.

Native Encryption
Encryption functionality that is built into an operating system or application.
Passphrase
A secret text string (often created by an end user) formed by a series of letters, numbers, or words. Passphrases are commonly used in symmetric encryption workflows, but can be difficult to exchange securely.
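The Key Generation and Passphrase entries above describe two ways a key comes into existence: generated directly from unpredictable random data, or derived from a human-chosen passphrase. The following is an added example, not code from the glossary or from PKWARE, showing both with the Python standard library. It assumes a 256-bit key size (the AES-256 key length), a random 16-byte salt, and a PBKDF2 iteration count of 600,000, which is an assumed work factor rather than a value from the page.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32               # 256-bit key, the size AES-256 expects
SALT_BYTES = 16              # random salt stored alongside the passphrase-derived key
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def generate_random_key(length: int = KEY_BYTES) -> bytes:
    """Key generation: draw the key straight from the OS CSPRNG.

    secrets.token_bytes is seeded by the operating system, so the output
    cannot be predicted or reproduced; this is the right source for
    symmetric keys that will be distributed by a key-management process.
    """
    return secrets.token_bytes(length)


def derive_key_from_passphrase(passphrase: str, salt: bytes,
                               iterations: int = PBKDF2_ITERATIONS,
                               length: int = KEY_BYTES) -> bytes:
    """Turn a user-chosen passphrase into a fixed-length key.

    A passphrase is low-entropy text, so it is stretched with
    PBKDF2-HMAC-SHA256: the salt makes identical passphrases yield
    different keys, and the iteration count slows down guessing.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=length
    )


def new_passphrase_key(passphrase: str) -> tuple[bytes, bytes]:
    """Create a fresh salt and the key derived from it; both must be kept
    (the salt in the clear, the key secret) to reproduce the key later."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, derive_key_from_passphrase(passphrase, salt)


def keys_match(a: bytes, b: bytes) -> bool:
    """Compare two keys without leaking where they differ through timing."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample passphrase for the demonstration.
    salt, key = new_passphrase_key("correct horse battery staple")
    again = derive_key_from_passphrase("correct horse battery staple", salt)
    print("random key bits:", len(generate_random_key()) * 8)
    print("passphrase key reproducible with stored salt:", keys_match(key, again))
```

The design point is that the salt is not secret and can be stored next to the ciphertext; what makes the passphrase route weaker than a random key is the limited entropy of the passphrase itself, which the iteration count only partially compensates for.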
Persistent Encryption
Encryption that travels with the protected data, even when the data is moved or copied from the device where the encryption was applied. Non-persistent forms of encryption include transparent data encryption (TDE), which protects data at rest in a specific location, and transport layer security (TLS), which protects data as it travels across a network.

PKWARE's Smartcrypt applies persistent encryption to sensitive data, keeping it protected from unauthorized use even when it leaves your organization's network.

Private Key
In asymmetric encryption, a private key is used to decrypt information that was encrypted using a public key. Private keys are mathematically related to public keys, but cannot be derived from them using currently available technology.
Public Key
In asymmetric-key encryption, a public key is used to encrypt data for a specific recipient. The recipient's public key is visible to anyone and can only be used to encrypt data. The recipient then uses a separate private key to decrypt the protected information. Public keys are typically validated by a certificate authority and packaged in a digital certificate with information that establishes the identity of the public key's owner.
Public Key Infrastructure (PKI)
An approach for sharing sensitive information using asymmetric-key encryption. A public-key infrastructure includes the protocols for creating, validating, and exchanging digital certificates. PKI is highly secure when implemented correctly, but creates significant administrative burdens at the enterprise scale.
Quantum Computing
A still-theoretical approach to computing in which data is stored in "qubits" that hold more information and allow for faster processing than binary bits. Many cybersecurity experts have raised concerns that quantum computers (when they become available) may be able to break many forms of encryption in use today.
Ransomware
A form of malicious software that encrypts the victim's data and then demands a ransom payment in return for the key needed to decrypt the data. Few, if any, ransomware attackers are known to have actually provided a decryption key to victims who paid the ransom.
Side-Channel Attack
An attempt to access encrypted information by gaining information about how the encryption was applied or implemented, rather than defeating the cryptography itself. Some side-channel attacks depend on gathering information about system timing, power usage, or other indicators that may provide hints at how encryption keys were generated.
Symmetric Encryption
Encryption in which the same key is used to encrypt and decrypt the protected information. Symmetric encryption is highly secure when implemented correctly, but the need for senders to share keys with recipients can create significant operational challenges.
Tokenization
A form of data protection in which sensitive information is replaced with a randomly generated token, or placeholder value. Relationships between tokens and original values are maintained in a separate database, so that the original data can be returned to its place for use by authorized users.
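To make the Tokenization entry concrete, here is an added example (not code from the glossary or from PKWARE) of a minimal token vault in Python. The record, field names, the `tok_` prefix, and the rule that only callers holding the `payments` role may detokenize are all assumptions made for the demonstration; the vault is an in-memory dictionary standing in for the separate database the definition describes.

```python
import secrets


class TokenVault:
    """The one place where tokens and original values are kept together.

    Everything outside the vault sees only tokens, which are random and so
    reveal nothing about the values they stand for.
    """

    TOKEN_PREFIX = "tok_"  # assumed format, chosen for readability

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Replace a sensitive value with a fresh random token and record the mapping."""
        while True:
            token = self.TOKEN_PREFIX + secrets.token_hex(12)
            if token not in self._token_to_value:  # guard against the rare collision
                break
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        """Return the original value, but only to an authorized caller.

        Assumed authorization rule: the caller must hold the 'payments' role.
        """
        if "payments" not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]

    def knows(self, token: str) -> bool:
        return token in self._token_to_value


def tokenize_record(vault: TokenVault, record: dict[str, str],
                    sensitive_fields: set[str]) -> dict[str, str]:
    """Tokenize only the sensitive fields; everything else passes through unchanged."""
    return {
        field: vault.tokenize(value) if field in sensitive_fields else value
        for field, value in record.items()
    }


# Constructed sample record; the card number is a well-known test value, not real data.
SAMPLE_RECORD = {"customer": "Ada Example", "card_number": "4111111111111111"}
SENSITIVE_FIELDS = {"card_number"}


if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_record(vault, SAMPLE_RECORD, SENSITIVE_FIELDS)
    print("stored in the application database:", safe)
    print("payments service sees:",
          vault.detokenize(safe["card_number"], {"payments"}))
```

Two properties matter for the security argument: the tokenized record can be stored, logged, or copied without exposing the card number, and the only way back to the value is a call into the vault that enforces the authorization policy.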
Transparent Data Encryption (TDE)
A method of protecting data at rest in a database or file. Data is encrypted in the location where TDE is applied, and is decrypted when authorized users or applications request the data. Since decryption takes place before the data is provided to the requesting user or application, the process is "transparent" and does not require additional software at the endpoint. However, this also means that the protection is lost as soon as the data travels outside the location where TDE is applied.
Uncontrolled Encryption
Encryption by employees using products and passphrases they have chosen themselves, as opposed to using a company-standard approach to data protection. When employees lose or forget their passphrases, the organization can lose access to encrypted files, often requiring labor-intensive efforts to recreate the inaccessible data.

PKWARE's Smartcrypt enables organizations to apply their data protection policies across the entire enterprise, eliminating the problem of uncontrolled encryption.