Encryption in enterprise software architectures has a deployment pattern problem that has not been adequately addressed despite years of investment in cryptographic tooling. The dominant pattern is perimeter encryption: data is encrypted in transit between services (TLS) and encrypted at rest on disk (volume encryption or transparent database encryption). This provides strong protection against a specific threat class — an attacker who intercepts network traffic or gains physical access to storage media — while providing essentially no protection against the threat class that actually causes most enterprise data breaches: an attacker (or malicious insider) who has obtained credentials for an application or database that decrypts data for legitimate access. If your application decrypts all sensitive data before presenting it to the application layer, an attacker with application-level access sees plaintext. Perimeter encryption protects the channel, not the data.
Data-layer encryption — encrypting sensitive data fields individually, with keys that are not available to the application tier processing the data for legitimate operations — is the architectural response to this gap. The concept is straightforward; the engineering is genuinely hard. Encrypting individual database fields preserves data-at-rest security but breaks most indexing and query capabilities, because you cannot run a SQL query against an encrypted field the way you can against a plaintext one. Searchable symmetric encryption schemes exist, but they are complex to implement correctly and carry performance overheads that vary significantly by use case. Key management at the field level — ensuring that different data categories use different keys, with appropriate key rotation policies and access controls — is a significant operational burden if each application team implements it from scratch. Cossack Labs' product library approach — providing application developers with well-engineered, audited cryptographic building blocks for field-level encryption, key management, and selective data access — addresses the deployment friction that has historically prevented data-layer encryption from moving beyond regulatory-mandated contexts (payment card data under PCI DSS, certain healthcare data under HIPAA) into general application architecture.
Our diligence on Cossack Labs in 2022 was primarily a cryptographic engineering assessment. The risk in cryptographic infrastructure companies is not the business model — the use case is clear and the regulatory tailwind is strong — it is the risk of implementation error. Cryptography is a domain where subtle implementation mistakes can invalidate the security guarantees of a theoretically sound design: a misuse-resistant authenticated encryption scheme that fails to randomise nonces correctly, a key derivation function applied without appropriate domain separation, a comparison function vulnerable to timing attacks that leaks key bits. We reviewed their core libraries with this in mind: Themis, their cross-platform cryptographic library, and Acra, their database encryption system. The assessment confirmed that the cryptographic implementations were sound and that the team had genuine depth in applied cryptography — not just familiarity with standard library calls, but understanding of the threat models their implementations were addressing.
The regulatory pressure supporting data-layer encryption adoption is accelerating. GDPR's data minimisation and purpose limitation principles create a technical requirement — not just a policy requirement — to ensure that data is accessible only to systems and personnel with a legitimate need for it. Pseudonymisation as a GDPR risk reduction measure (explicitly mentioned in Recital 26 and Article 25) maps naturally to field-level encryption with access control: a system that can process pseudonymised records — identifiers replaced with encrypted tokens — without having access to the decryption key for the identifier fields provides a technically demonstrable reduction in breach severity for data subjects. As GDPR enforcement actions have increasingly scrutinised the technical implementation of data protection measures rather than just policies, the business case for data-layer encryption tooling has moved from "security best practice" to "defensible evidence of appropriate technical measures."
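The field-level pattern described above, as an added example in Go (not Cossack Labs' code; Themis and Acra have their own APIs): per-column keys derived with domain separation from a master key the application tier does not hold, AES-GCM with random nonces and the column name bound as associated data, and a keyed blind index so the database can match a pseudonymised identifier for equality lookups without ever holding the decryption key. The `field-encryption/` label, the column names and the master key are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// categoryKey derives a per-column, per-purpose subkey (one block of HKDF-Expand:
// HMAC(master, info||0x01)); "email" and "ssn" never share a key, nor do enc/index.
func categoryKey(master []byte, column, purpose string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("field-encryption/" + column + "/" + purpose + "\x01"))
	return m.Sum(nil)
}

func gcmFor(master []byte, column string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(categoryKey(master, column, "enc"))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptField: AES-256-GCM, fresh random nonce prepended; the column name is bound as
// associated data, so a ciphertext copied to another column or modified fails to decrypt.
func EncryptField(master []byte, column string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(master, column)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

func DecryptField(master []byte, column string, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(master, column)
	if err != nil { return nil, err }
	if len(ct) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(column))
}

// BlindIndex is a deterministic keyed tag stored beside the ciphertext so the database can
// answer equality lookups (WHERE email_idx = ?) without the key or the plaintext.
func BlindIndex(master []byte, column string, plaintext []byte) string {
	m := hmac.New(sha256.New, categoryKey(master, column, "index"))
	m.Write(plaintext)
	return hex.EncodeToString(m.Sum(nil)[:16])
}
```

Range and LIKE queries on the encrypted column are still lost; the blind index only restores exact-match lookups, which is the trade-off the searchable-encryption discussion above refers to.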
We also see a post-quantum migration dimension to this investment that was nascent in 2022 and has become more concrete since. Cossack Labs' architecture, with its modular cryptographic primitive selection, is positioned to support algorithm agility — the ability to migrate to post-quantum algorithm families (CRYSTALS-Kyber, CRYSTALS-Dilithium) without requiring a ground-up replacement of the encryption infrastructure. Applications that have built their field-level encryption on a well-designed abstraction layer can migrate the underlying algorithms when the organisation's post-quantum readiness programme requires it. Applications that have implemented ad-hoc encryption with direct library calls will face significantly more expensive migration paths. This architectural advantage is not the primary investment thesis — the near-term data protection use case is — but it represents a meaningful long-term differentiation as enterprise post-quantum migration requirements move from anticipation to mandate.