What You Need to Know Right Now
By Patrick Ancipink | 5 minute read
You might feel like you’ve heard these imperatives a million times: “You need to encrypt your data.” “Your information isn’t secure unless you encrypt it.” “You need to eat your fruits and vegetables.”
But if you’re like a lot of people, you roll your eyes because you have the good intention of taking care of it later. The problem is that ignoring this advice, or following it with half measures, can cause irreversible damage. In the matter of data encryption, the damage can be to your company’s reputation, customer trust and financial bottom line. It can also wreak havoc with privacy controls and cause you to run afoul of regulators and auditors.
The problem with such an important security measure becoming trite is that it’s in danger of becoming a simple “check box” item. Organizations with an immature understanding of security may think that the basic encryption capabilities provided by their storage devices or by cloud service providers are enough to keep their data protected, and that going further is just falling for the fear, uncertainty and doubt (FUD) stoked by the media and by vendors that stand to benefit. Information technology (IT) and security teams are generally short-staffed and overburdened, so all too often the attitude is “check the box, move on to the next task.”
But the reality is more complex than that. Data encryption is essential to protecting sensitive information and privacy, for meeting compliance with regulations and audits, and for ensuring proper data governance. All the IT investment in mobile apps, customer experience and competitive advantage can be squandered in an unforeseen data breach.
Unencrypted information, like this blog post you’re currently reading, is written in “plaintext.” At its most basic, data encryption involves using an encryption algorithm to scramble or disguise plaintext, rendering it in what’s known as “ciphertext,” which appears as alphanumeric gibberish to a human. An encryption algorithm uses a crucial piece of information, known as an encryption key, to encode or decode the data. Without the encryption key, the algorithm is incomplete and cannot convert plaintext to ciphertext and vice versa.
Most encryption algorithms are publicly known — there are only so many effective ways to obscure sensitive data — so the crucial element of a data encryption strategy is the management and control of the encryption key. Indeed, the key is essential. Encrypted data can be rendered useless forever simply by deletion of the key.
Asymmetric encryption, also known as public-key encryption or public-key cryptography, uses the combination of a public key and a private key to create and decode ciphertext. The most common types of asymmetric encryption are:
Symmetric encryption uses a single secret key shared between the parties prior to encryption. It’s considered faster and less expensive than asymmetric encryption, but to be secure it requires encrypting the key itself, which can create a terminal dependency on yet another key. Popular symmetric encryption types include the Data Encryption Standard (DES), Triple DES, the Advanced Encryption Standard (AES) and Twofish.
When data is stored on a hard drive or on a server, it is considered data at rest. When data is sent for tasks such as email or over instant messaging applications, it becomes data in transit, or data in motion. Historically, data at rest was the target of breaches, so techniques like full-disk encryption and file-level encryption were used to protect the data in the equivalent of a fortress, often with the protection of a firewall.
Data in transit continues to grow in parallel with the explosion of mobile devices, the internet of things (IoT), 5G networks and hybrid multicloud environments. As a result, it has become a growing target for cybercriminals and is harder to secure, especially when doing so can negatively impact the performance of daily tasks or slow financially sensitive transactions like trading or ecommerce. The common techniques for protecting data in transit involve using secure network protocols like HTTPS, Secure Sockets Layer (SSL) and FTPS, and wireless protocols like WPA2.
Just like a forgotten combination to a safe or a lost password to a cryptocurrency account, losing an encryption key can mean losing access to what it was designed to protect. Key lifecycle management (KLM) was developed to avoid losing keys or having them stolen. One founding principle of KLM is that keys must be managed separately from the data they are protecting.
A typical key management lifecycle will include the following steps:
While both the value of data and the attendant criminal activity continue to grow at impressive rates, there are well-established practices for protecting data that have evolved to meet today’s challenges. Here are some of the data protection methods and tools employed by enterprise security teams beyond basic full-disk and file-level encryption:
Whichever way you go about it, encryption is critical to protecting your organization’s most prized asset — its data. And as data privacy, data governance and compliance standards become increasingly important, so too will the keys that hold the power in securing that data.