Best practices dictate that we must protect sensitive data at the point of capture, as it's transferred over the network (including internal networks), and when it is at rest. Protecting data only sometimes - such as sending sensitive information over wireless devices over the Internet or within your corporate network as clear text - defeats the point of encrypting information in the database. It's far too easy for information to be intercepted in its travels, so the sooner the encryption of data occurs, the more secure the environment will be.

A comprehensive encryption solution doesn't complicate authorized access to the protected information - decryption of the data can occur at any point throughout the data flow, wherever there is a need for access. Decryption can usually be done in an application-transparent way with minimum impact to the operational environment.

Due to distributed business logic in application and database environments, organizations must be able to encrypt and decrypt data at different points in the network and at different system layers, including the database layer. Encryption performed by the database management system can protect data at rest, but more security-oriented corporations will also require protection for data while it's moving between applications, databases and data stores. One option for accomplishing this protection is to selectively parse data after the secure communication is terminated and encrypt sensitive data elements at a very granular level (usernames, passwords, etc.). Application-layer encryption and mature database-layer encryption solutions allow enterprises to selectively encrypt granular data into a format that can easily be passed between applications and databases without changing the data.
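The selective, element-level encryption described above can be sketched as follows. This is an added example, not code from the original article: the function names (`newGCM`, `seal`, `open`, `protectFields`), the record layout and the all-zero demo key are assumptions made for illustration, and AES-256-GCM is this example's choice of cipher, since the article names none.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one element; the field name is authenticated (AAD), so a token moved to another field is rejected.
func seal(gcm cipher.AEAD, field, plain string) string {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never encrypt with a predictable nonce
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), []byte(field)))
}

// open decrypts one element at whichever layer is authorized to hold the key.
func open(gcm cipher.AEAD, field, token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if n := gcm.NonceSize(); err == nil && len(raw) >= n {
		plain, err := gcm.Open(nil, raw[:n], raw[n:], []byte(field))
		return string(plain), err
	}
	return "", fmt.Errorf("field %q: malformed protected value", field)
}

func protectFields(gcm cipher.AEAD, rec map[string]string, sensitive ...string) map[string]string {
	for _, f := range sensitive {
		if v, ok := rec[f]; ok { // absent fields are skipped; unnamed fields pass through untouched
			rec[f] = seal(gcm, f, v)
		}
	}
	return rec
}

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key, not for real use
	fmt.Println(protectFields(gcm, map[string]string{"order_id": "1001", "password": "s3cret"}, "password")) // constructed record
}
```

Each protected value is a plain text token, so it can travel in the same string column or message field as the original value, provided the field is wide enough for the longer token.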