Defense in Depth

3 Considerations for Application-Layer Cryptography

Information Security Officers make sure that company data is protected from hackers. Tozny partners with security teams and product owners, using our deep expertise in end-to-end encryption and identity management to add defense in depth to security programs. Tozny CEO Isaac Potoczny-Jones recently published a follow-up piece to his popular talk presented at QCon – San Francisco in fall 2019.

Mr. Potoczny-Jones explores how to add “Defense in Depth” to your system using application-layer cryptography. The idea behind defense in depth is that layers of security work together so that the failure of any one layer does not leave data exposed. Database encryption is not enough, HTTPS is not enough, and VPNs are not enough. Together, however, they create a network of overlapping responsibilities that makes it hard for a hacker to access digital assets. Adding application-layer encryption also shifts the design of your security model to an earlier phase of development, which helps create an intentional security model rather than a reactive one.


Considerations

Deploying Defense in Depth correctly is complex, and the cybersecurity threat landscape is always changing, but there are several key themes to keep in mind as you implement Defense in Depth:

  • Add application-layer encryption – Application-layer cryptography is part of a trend to move more infrastructure and IT accountabilities into developer or DevOps roles. It also means that a robust security plan is part of your application from the get-go.
  • Where does encryption happen? – End-to-end encryption secures different portions of the data lifecycle than full-disk encryption, which in turn differs from TLS. End-to-end encryption is an increasingly popular type of application-layer cryptography because of its broad protections.
  • Know your stack – The shape of your security program depends on many factors. If you are early in development, take the time to plan your defenses. Delivering code securely to end-users differs greatly depending on the platform.
  • Access controls – Application-layer encryption lets organizations enforce access control through key management as well as policy.
  • Plan it out – Privacy and security are greatly improved with these approaches, so despite the challenges it is well worth it.
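As an added illustration of two of the points above, application-layer encryption and access control through key management, here is a small envelope-encryption sketch in Go. It is example code written for this page, not Tozny's product code, and the principal names, record IDs and the way each key-encryption key (KEK) reaches its user are assumptions. The record body is encrypted under a fresh data key (DEK) with AES-256-GCM, and the DEK is wrapped once per authorised principal under that principal's KEK, so the database, its backups and any TLS-terminating hop hold only ciphertext, and who can read a record is decided by who holds a wrapped DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoAccess is returned when the caller holds no wrapped copy of the data key.
var ErrNoAccess = errors.New("principal has no wrapped data key for this record")

// EncryptedRecord is what the application hands to the database. It carries no
// plaintext and no data key in the clear, so a dump, a backup or a broken TLS
// hop each yields only ciphertext.
type EncryptedRecord struct {
	ID         string
	Body       []byte            // nonce || AES-256-GCM ciphertext of the plaintext
	WrappedDEK map[string][]byte // principal -> nonce || AES-256-GCM ciphertext of the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal, authenticating both the ciphertext and the associated data.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt produces a record readable only by principals whose KEK appears in keks:
// a fresh DEK protects the body and is wrapped once per principal. The record ID
// is bound as associated data so a body cannot be moved between records.
func Encrypt(id string, plaintext []byte, keks map[string][]byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32) // constructed at random per record, never stored in the clear
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	body, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	rec := &EncryptedRecord{ID: id, Body: body, WrappedDEK: make(map[string][]byte, len(keks))}
	for principal, kek := range keks {
		// The principal name is the wrap's associated data, so a wrapped key
		// cannot be relabelled for someone else.
		w, err := seal(kek, dek, []byte(principal))
		if err != nil {
			return nil, fmt.Errorf("wrap DEK for %s: %w", principal, err)
		}
		rec.WrappedDEK[principal] = w
	}
	return rec, nil
}

// Decrypt unwraps the DEK with the caller's KEK, then opens the body. Access is
// decided by key possession: no wrapped DEK, or the wrong KEK, and nothing opens.
func Decrypt(rec *EncryptedRecord, principal string, kek []byte) ([]byte, error) {
	w, ok := rec.WrappedDEK[principal]
	if !ok {
		return nil, ErrNoAccess
	}
	dek, err := open(kek, w, []byte(principal))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", principal, err)
	}
	return open(dek, rec.Body, []byte(rec.ID))
}

// Revoke drops a principal's wrapped copy of the DEK. A principal who already
// cached the DEK keeps it, so full revocation also re-encrypts under a new DEK.
func Revoke(rec *EncryptedRecord, principal string) {
	delete(rec.WrappedDEK, principal)
}
```

Removing a principal's wrapped DEK is a policy decision enforced by key management rather than by a database role, and because that principal may have cached the DEK, a complete revocation also re-encrypts the record under a new DEK. Binding the record ID and the principal name as associated data stops a ciphertext or a wrapped key from being silently moved to another record or user.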

Companies involved in a breach are at risk of regulatory fines and of losing consumer trust, and roughly 60% of SMBs that suffer a cyber breach end up closing their doors as a result. Adding application-layer encryption adds broad security. It can help mitigate fines in the event of a breach, and goes a long way toward maintaining the trust of your clients.

About Tozny

Tozny has deep expertise in cybersecurity, data ownership, and end-to-end encryption. We specialize in enabling businesses to quickly integrate and deploy defense in depth in their applications. Our privacy products include federated identity management and encrypted storage solutions.