Encryption has been part of the data security armoury since the beginning. There was even a form of it in ‘ancient times’, when a message would be scribed on a messenger’s shaved head and the hair allowed to grow back, thus hiding the message! writes Colin Tankard, MD of Digital Pathways.
In fact, it should be the one security tool every organisation uses to protect personal information, customer data, trade secrets, employee files, tax information, credit card numbers, and more. However, there is always a fear that encryption will slow down the process of accessing data, due to decryption speeds, or that data will significantly increase in size, costing more in storage. But these are all old problems which have long since been eradicated.
Encryption is the process of changing the underlying electronic information that constitutes the data in such a way that it is unreadable by anyone who does not ‘hold the key’. The key allows the user to change the information back to its original form (decrypt) so that it is usable and readable. Thus, encryption safeguards the organisation’s data from potential threats and ensures that even if an intruder gained access, the data would be unreadable, as they would not have the key to decrypt it. This is often referred to as Safe Harbor and is a ‘get out of jail free card’ when a data breach would otherwise have to be notified, for example under the General Data Protection Regulation (GDPR). If a data breach occurs and personally identifiable information (PII) is lost, the breached party must notify all individuals who are impacted. But there are exceptions for data which is encrypted with strong, certified methods and with properly managed keys. These Safe Harbor clauses greatly minimise the damage that can be caused by a breach.
Encryption protects the data regardless of where the data resides. It protects it whilst sitting on an organisation’s laptops, in data centres, cloud services and websites. It also protects data while it is being transmitted around the Internet.
Cyber-attacks against business networks have become more sophisticated and are no longer limited to Times 1000 companies. No organisation is safe from the threat of a security breach, and increasingly the targets for attacks are small businesses, who are the most vulnerable. In 2020, 60 per cent of all targeted attacks were at SME businesses, according to the Department for Business, Energy & Industrial Strategy (BEIS).
Encryption also helps to meet industry regulations. If an organisation handles data that might include customer financials and account information, cardholder data and transactions, as well as non-public personal information, it is highly likely that data generated and/or used by the organisation is subject to strict regulations and compliance guidelines. The broad categories that require the most regulation include financial data, health data, private individual data, military and government data, and confidential/sensitive business data. Regulations and standards in the UK that require encryption are PCI DSS and the GDPR, and there are many others for which having encryption makes compliance easier.
If moving highly sensitive information to the cloud, encryption and retention of the encryption keys can alleviate concerns with the migration. The data owner retains the control to determine when to deliver or revoke keys, and controls who sees what information and when. Encrypting sensitive information in the cloud prevents access by anyone without the key, even if your cloud storage provider’s security fails or another person gains access to your account, such as a rogue cloud employee. It is also worth noting that keeping keys outside of the cloud service provider’s domain allows true separation of controls.
Before an enterprise can decide how to encrypt, it has to determine what needs to be encrypted. Developing an encryption programme should be part of an overall enterprise risk management and data governance planning process: a comprehensive approach that considers specifically which data sets, structured or unstructured, should be encrypted and how the key management should work.
There is no single universal standard for encrypting all data on all systems, all of the time. A successful approach will depend on the sensitivity and risk level of the organisation’s information and its data storage methods. The first step is understanding the different types of encryption and what they can and cannot do.
For data to be secure, it must be protected throughout its lifecycle. It is therefore important to consider the state of the data you are trying to protect:
- Data in motion: being transmitted over a network
- Data at rest: in your storage, servers, cloud, desktops, laptops, mobile phones, tablets and IoT devices
- Data in use: in the process of being generated, updated, erased, or viewed.
Each type of data presents unique challenges, and each may have different tools and methodologies that can be used to secure it.
Encryption types for data at rest include:
- Full Disk Encryption (FDE): for endpoint protection
- Hardware Security Module (HSM): for key management lifecycle protection
- Encrypting File System (EFS): for storage protection
Encryption for storage protection includes:
- File and Folder Encryption (FFE): for unstructured data protection
- Database Encryption: for structured data protection.
Application-level encryption includes:
- Tokenization: where sensitive data is replaced or hidden using encryption.
Encryption for data in motion:
The most common method of protecting data in motion is the use of a secure sockets layer virtual private network (SSL VPN). Technologies such as SSL VPN are critical in the effort to protect against ‘man-in-the-middle’ attacks and ‘packet sniffers’. The other common form of data in motion is email, where Public Key Infrastructure (PKI) is widely deployed for handling key distribution and validation.
It is imperative to remember that an encryption project, and IT security in general, is a process, not a product. Effective encryption takes time. In addition to careful consideration of data states and encryption techniques, these four key elements can help you build a successful end-to-end approach:
1. Collaboration: Creating an encryption strategy requires a collaborative effort. It is best to approach it as a major initiative that includes members of management, IT, and operations. Start by bringing together key data stakeholders and work to identify the regulations, laws, guidelines, and external influences that will factor into purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, mobile devices, wireless networks, and data backups.
2. Data classification: Knowing what data needs protecting, by its value to the company, is a key starting point. Data classification policies and tools facilitate the separation of valuable information, which may be targeted, from the less valuable.
3. Key Management: If keys and certificates are not properly secured, the organisation is open to attack no matter what other security controls are in place. Always consider adding a Hardware Security Module (HSM) to any encryption plan. The HSM will also help define any key rotation needs and the processes for changing the key used in any data set.
4. Access Control: Ensuring only authorised users can access data is critical in the effort to prevent it from being tampered with by anyone, inside or outside the organisation. Linking access controls with encryption enables separation of duties: administrators can manage and back up the data while being unable to read its content.
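To illustrate points 3 and 4 together, here is an added example (not code from the article or from Digital Pathways) of envelope encryption with a key custodian that stands in for an HSM: key-encryption keys never leave the custodian, records carry only wrapped data keys, a backup operator can copy records without holding any key, and key rotation re-wraps the data keys without touching the data ciphertext. It uses only the Python standard library, so an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for AES-GCM; the record layout and the `KeyCustodian` class are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys; returns nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified blob")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class KeyCustodian:  # stand-in for an HSM: key-encryption keys (KEKs) never leave this object
    def __init__(self) -> None:
        self.current = 1
        self._keks = {1: secrets.token_bytes(32)}
    def wrap_new_data_key(self) -> tuple:
        dk = secrets.token_bytes(32)
        return dk, (self.current, seal(self._keks[self.current], dk))
    def unwrap(self, wrapped: tuple) -> bytes:
        kek_id, blob = wrapped            # KeyError here means the KEK was retired
        return unseal(self._keks[kek_id], blob)
    def rotate(self, records: list) -> int:
        """Re-wrap every data key under a fresh KEK; the data ciphertext is untouched."""
        old, self.current = self.current, self.current + 1
        self._keks[self.current] = secrets.token_bytes(32)
        for rec in records:
            rec["wrapped_key"] = (self.current, seal(self._keks[self.current], self.unwrap(rec["wrapped_key"])))
        del self._keks[old]               # retire the old KEK: stale copies can no longer be unwrapped
        return self.current

def store_record(custodian: KeyCustodian, plaintext: bytes) -> dict:
    dk, wrapped = custodian.wrap_new_data_key()
    return {"wrapped_key": wrapped, "data": seal(dk, plaintext)}

def read_record(custodian: KeyCustodian, record: dict) -> bytes:
    return unseal(custodian.unwrap(record["wrapped_key"]), record["data"])
```

A backup taken before a rotation still holds the old wrapped key, so it must be re-wrapped as part of the rotation process or it becomes unreadable once the old KEK is retired.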
There are no silver bullets in IT security, and encryption is no exception. Targeted attacks have penetrated even the most secure and isolated computer systems, underlining the fact that it is virtually impossible to prevent attackers from breaching networks and stealing data. Encrypting sensitive data can add to an organisation’s return on investment (ROI) in security and render data useless in the event of a breach, but only if it is part of a comprehensive strategy that combines encryption with key management, access control and SSL decryption.
No matter what size the business, safeguarding data is no longer optional. From government fines to customer relationships, encryption can save a lot of financial and public relations pain. With a strong security strategy that includes encryption and key management, organisations are able to do more with data, applications, and products.
The message is clear: do away with the headache and start encrypting today.