You might feel like you’ve heard these imperatives a million times: “You need to encrypt your data.” “Your information isn’t secure unless you encrypt it.” “You need to eat your fruits and vegetables.”
But if you’re like a lot of people, you roll your eyes because you have the good intention of taking care of them later. The problem is that ignoring this advice or doing it with half measures can cause irreversible damage. In matters of data encryption, the damage can be to your company’s reputation, customer trust and financial bottom line. It can also wreak havoc with privacy controls and cause you to run afoul of regulators and auditors.
The problem with such an important security measure becoming trite is that it’s in danger of becoming a simple “check box” item. Organizations with an immature understanding of security may think that the basic encryption capabilities provided by their storage devices or by cloud service providers are enough to keep their data protected and that going further is just falling for the fear, uncertainty and doubt (FUD) stoked by the media and vendors that stand to benefit. Information technology (IT) and security teams are generally short-staffed and overburdened, so all too often the attitude is “check the box, move on to the next task.”
But the reality is more complex than that. Data encryption is essential to protecting sensitive information and privacy, for meeting compliance with regulations and audits, and for ensuring proper data governance. All the IT investment in mobile apps, customer experience and competitive advantage can be squandered in an unforeseen data breach.
How Does Data Encryption Work?
Unencrypted information, like this blog post you’re currently reading, is written in “plaintext.” At its most basic, data encryption involves using an encryption algorithm to scramble or disguise plaintext, rendering it in what’s known as “ciphertext,” which appears as alphanumeric gibberish to a human. An encryption algorithm uses a crucial piece of information, known as an encryption key, to encode or decode the data. Without the encryption key, the algorithm is incomplete and cannot convert plaintext to ciphertext and vice versa.
Most encryption algorithms are publicly known — there are only so many effective ways to obscure sensitive data — so the crucial element of a data encryption strategy is the management and control of the encryption key. Indeed, the key is essential. Encrypted data can be rendered useless forever simply by deletion of the key.
Types of Encryption
Asymmetric encryption, also known as public-key encryption or public-key cryptography, uses the combination of a public key and a private key to create and decode ciphertext. The most common types of asymmetric encryption are:
- RSA, named after seminal computer scientists Ron Rivest, Adi Shamir, and Leonard Adleman. It uses a public key to encrypt data and a private key to decrypt it.
- Public-key infrastructure (PKI), which uses digital certificates to govern the keys.
Symmetric encryption uses a single secret key shared between the parties prior to encryption. It’s considered faster and less expensive than asymmetric encryption, but to be secure it requires encrypting the key itself, which can create a terminal dependency on yet another key. Popular symmetric encryption types include Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES), and Twofish.
Encrypting Data at Rest Versus Data in Transit
When data is stored on a hard drive or on a server, it is considered data at rest. When data is sent for tasks such as email or over instant messaging applications, it becomes data in transit, or data in motion. Historically, data at rest was the target of breaches, so techniques like full-disk encryption and file-level encryption were used to protect the data in the equivalent of a fortress, often with the protection of a firewall.
Data in transit continues to grow in parallel with the explosion of mobile devices, the internet of things (IoT), 5G networks and hybrid multicloud environments. As a result, it has been a growing target of cybercriminals and is more challenging to secure, especially when doing so can negatively impact performance of daily tasks or slow financially sensitive transactions like trading or ecommerce. The common techniques for protecting data in transit involve using secure network protocols like HTTPS, Secure Sockets Layer (SSL), FTPS and wireless protocols like WPA2.
The Basics of Key Lifecycle Management
Just like a forgotten combination to a safe or a lost password to a cryptocurrency account, losing an encryption key can mean losing access to what it was designed to protect. Key lifecycle management (KLM) was developed to avoid losing keys or having them stolen. One founding principle of KLM is that keys must be managed separately from the data they are protecting.
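An added example (not part of the original article) of two points made above: a symmetric data key is itself encrypted under a second key, and that second key is held apart from the data, so destroying it makes the data unrecoverable. It uses the Python `cryptography` package; `KeyStore`, `Record` and the key ID are hypothetical names chosen for illustration.

```python
import os
from dataclasses import dataclass
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap


class KeyStore:
    """Stand-in for a key manager kept apart from the data store (hypothetical)."""

    def __init__(self):
        self._keks = {}  # key-encryption keys never leave this object

    def create(self, key_id):
        self._keks[key_id] = AESGCM.generate_key(bit_length=256)

    def destroy(self, key_id):
        del self._keks[key_id]

    def wrap(self, key_id, dek):
        return aes_key_wrap(self._keks[key_id], dek)  # RFC 3394 AES key wrap

    def unwrap(self, key_id, wrapped):
        if key_id not in self._keks:
            raise KeyError(f"{key_id} was destroyed; data is unrecoverable")
        return aes_key_unwrap(self._keks[key_id], wrapped)


@dataclass
class Record:
    """What the data store holds: ciphertext plus the wrapped data key only."""
    key_id: str
    wrapped_dek: bytes
    nonce: bytes
    ciphertext: bytes


def encrypt(store, key_id, plaintext):
    dek = AESGCM.generate_key(bit_length=256)  # fresh data key per record
    nonce = os.urandom(12)                     # 96-bit nonce, used once per key
    # Binding key_id as associated data makes a relabelled record fail to decrypt.
    ct = AESGCM(dek).encrypt(nonce, plaintext, key_id.encode())
    return Record(key_id, store.wrap(key_id, dek), nonce, ct)


def decrypt(store, rec):
    dek = store.unwrap(rec.key_id, rec.wrapped_dek)
    return AESGCM(dek).decrypt(rec.nonce, rec.ciphertext, rec.key_id.encode())
```

A copy of `Record` alone is useless to whoever obtains it, because the only key stored with the data is wrapped under a key held elsewhere.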
A typical key management lifecycle will include the following steps:
Data Encryption for Enterprises
While both the value of data and the attendant criminal activity continue to grow at impressive rates, there are well-established practices for protecting data that have evolved to meet today’s challenges. Here are some of the data protection methods and tools employed by enterprise security teams beyond basic full-disk and file-level encryption:
- Encrypt data at every level: Implement encryption of all sensitive and privileged information. Highly scalable and affordable encryption tools have been widely available for some time, but encryption alone is just a start for enterprise-wide protection. Performing regular vulnerability assessments will uncover and classify sensitive data that is not protected or is out of compliance with standards.
- Centralized privileged user policy management: It’s critical to have a single management system to provide granular control over who has access to what information, to be able to onboard and offboard users, and to be notified when there are violations. Too often there’s an archeology of tools that have been accumulated over the years — often rooted in specific operating systems or databases or even carried over from merger and acquisition activity — resulting in inconsistent, outdated and overprivileged user access to data. With a single management system that can scale to modern data and cloud models, best practices like principle of least privilege and strict governance controls can be enforced. The risk of insider threat can be greatly reduced when excess privileges and obsolete users are abolished.
- Centralized key management: We have already established that encryption is only as good as the security of the keys themselves. A large organization will possess literally thousands of distinct encryption keys at any given moment, each of which must be managed through every step of the lifecycle, resulting in complexity, vulnerabilities and risks. Having a centralized key manager that adheres to the Key Management Interoperability Protocol (KMIP) is essential from a security and compliance perspective.
- Bring your own key (BYOK)/Hold/keep your own key (HYOK/KYOK): For over a decade, companies have been moving their critical operations to cloud service providers (CSPs) like Amazon Web Services (AWS), Microsoft Azure, Google Cloud and IBM Cloud. Leading CSPs provide native encryption and key management capabilities, but if you do not own or control the keys to the data stored in CSP environments, can you really say that your data is secured? To answer this question in the affirmative, security leaders deploy cloud encryption key management products that allow them to bring their own key to maintain control over hybrid multicloud environments, irrespective of the CSPs with which they contract.
Whichever way you go about it, encryption is critical to protecting your organization’s most prized asset — its data. And as data privacy, data governance and compliance standards become increasingly important, so too will the keys that hold the power in securing that data.
Senior Product Marketing Manager, IBM Security
Patrick is a senior product marketer with IBM Security and focused on Unified Endpoint Management (UEM) and the IBM Security MaaS360 offering. He has over t...