10 Flaws in Data Protection Today

Author: Kapalya. November 7, 2018

With an increase in IoT and BYOD, the corporate network is no longer the perimeter for a business’ data. Sensitive files now sit on computers, mobile devices, corporate servers and public clouds that are often outside of the corporate perimeter. Managing the security and privacy of this data has become an IT challenge.

While working for the State of Hawaii as a technology advisor, Sudesh Kumar (Kapalya Founder and CEO,) ran into an interesting data protection requirement. He was searching for a way to secure data in-transit and at-rest on user’s desktops, mobile, corporate servers and public clouds. When he couldn’t find one solution that could protect files/folders everywhere it resided, he decided to build the solution himself.

The problem spawned Kapalya’s Encryption Management Platform. Kapalya is a data protection solution that empowers businesses to securely store and share sensitive files at-rest and in-transit across multiple platforms through a user-friendly file system. Through a discovery and development process that included input and ideas from businesses with different data protection use cases and experts from Silicon Valley cybersecurity companies, Kapalya has developed a robust tool to combat today’s security issues.

As you analyze the best encryption solution for your organization, it’s important to do a thorough comparison of key product features such as cryptography algorithms, key management and privileged user access.

Here are 10 flaws in data protection today and how Kapalya’s innovation combats these issues.

  1. File and Folder Encryption
  2. Industry Approach: Encryption keys are assigned at the user-level, each user receives one key for all files/folders.

    Flaws: Since there is only one key per user, if adversaries steal that key, the user’s entire data set is compromised. To mitigate this risk today, security departments are forced to deal with the hassle and maintenance of managing key rotation.

    Kapalya fix: Rather than assigning one key for all your data, Kapalya assigns each individual file and folder with a unique key. With this approach, a user’s entire data set is not exposed if one key is stolen.

  3. File Sharing
  4. Industry approach: Ability to securely share files within a cloud storage provider’s network.


    • Shared files are not encrypted on the cloud or when downloaded onto your endpoint or mobile devices, making them susceptible to compromise.
    • Organizations are using multiple cloud providers to store data, making it impossible to share across different public clouds.

    Kapalya approach: Kapalya performs true end-to-end encrypted file sharing, at no point is your file susceptible to being compromised. The file is encrypted on your endpoint and travels encrypted to the recipient’s endpoint. Plus, your users have the option to share between multiple cloud providers.

  5. Key Storage
  6. Industry approach: Keys are stored on endpoints, servers or within files themselves.

    Flaw: Storing keys in the same place in which the encrypted files are stored makes it much easier for bad actors to locate the keys.

    Kapalya approach: Our platform does not store keys anywhere. Instead they are served in real-time and destroyed after encrypting.

  7. Multi-Vendor Security Strategy
  8. Industry approach: Security teams must employ one vendor to encrypt on endpoints, another for private clouds and yet another to protect on public clouds.

    Flaws: This becomes a challenge for security teams to manage different vendors, handle integrations and train users on how to use the different systems.

    Kapalya approach: Kapalya’s Encryption Management Platform is one solution that encrypts data on endpoints, private clouds and public clouds.

  9. Cloud Key Management
  10. Industry approach: Use your cloud provider’s encryption keys. The feature comes standard for most cloud providers, however integrating your own keys with the cloud provider’s infrastructure requires a high-degree of technical skills.


    • Keys are often stored on the cloud provider’s servers, which could be accessed by privileged users.
    • Each user receives one key for all their files and folders, if that key is stolen, the user’s entire data set is exposed.

    Kapalya fix: Manage your own encryption keys. Kapalya’s management server authenticates users before sending keys from a virtual key server managed by your organization. Once the key is served and the encrypt/decrypt function is run, the key is destroyed. Because the key is destroyed and not stored, your risk of intrusion is highly mitigated.

  11. Server-side encryption
  12. Industry approach: Files and folders are uploaded to the server and then encryption is applied.

    Flaws: Files are exposed and vulnerable while on the endpoint and while in-transit as they move to the server.

    Kapalya approach: Files and folders are encrypted on the endpoint before upload. Therefore files remain protected while at-rest on the endpoint and while in-transit.

  13. Privileged Cloud Admins
  14. Industry approach: Public cloud provider’s administrators could have visibility into your corporate data.

    Flaws: It is risky giving anyone outside your organization access to your corporate data.

    Kapalya approach: With Kapalya, you’re managing your own keys and using client-side encryption, in-turn, cloud administrators are always masked from viewing your data, no settings need to be configured to allow this.

  15. SSL Tunnel
  16. Industry approach: Files are sent in clear-text inside a secure SSL tunnel.

    Flaws: While difficult to hack, SSL tunnels can be decrypted, which would expose the data within the tunnel.

    Kapalya approach: Files are encrypted client-side, thus already encrypted before then being sent through a secure SSL tunnel, providing double the protection.

  17. Proxy-based
  18. Industry approach: Files and folders leaving the corporate perimeter are forced through a proxy gateway that encrypts data before uploading to a file server or cloud.

    Flaws: Files are exposed and vulnerable on the endpoint, open to intruders within your network.

    Kapalya approach: Files and folders are encrypted on the endpoint before upload. Therefore still being protected against inside intruders while within your own corporate network.

  19. Role-based policies
  20. Industry approach: Access to end user data is defined using role-based policies such as existing Active Directory.

    Flaws: Privileged users within your organization have access to end user policies. A classic way intruders steal records is to hack into your network and elevate themselves to these privileged roles that have access to end user’s data.

Kapalya approach: Privileged users never have visibility into end user data, no matter their role. Even if an intruder were elevated to an admin-level, no data would be visible to them.

Learn more about how Kapalya’s Encryption Management Platform can help your organization protect all its sensitive data.