Encryption is one of the most important ways to defend confidential data. Applied correctly, it provides a near-bulletproof barrier against unauthorized access to information, because even if the data is compromised or stolen it remains unreadable and unusable to whoever took it. It is also an essential aspect of every prominent compliance regulation: all major cybersecurity standards require encryption.
Although encryption comes in various forms, all of them are based on one fundamental idea: using a mathematical cipher to make data unreadable to third parties.
Encryption and the Three States of Data
A complete encryption strategy incorporates technologies that will defend data in all three of its states.
Data at Rest
Data at rest is stored data. It sits in your storage systems or on individual devices, including user clients: desktops, laptops, mobile phones, databases, and so on.
Data in Motion
Data in motion is data that is being transmitted from one endpoint to another across a network. The network may be a small office LAN or the World Wide Web.
Data in Use
Data is “in use” when a credentialed user is actively accessing it. Within a single session the data may be generated, updated, erased or otherwise used, or any combination of these.
With increasing reliance on cloud-based services, private data is transmitted and used outside of a physical network infrastructure more than ever before. The security challenges this brings demand a robust and versatile implementation of encryption.
Email is one of the most widely encrypted data assets. If you run an internal mail server, you can enable SMTP over SSL, but this only encrypts messages while they are in transit; they are NOT encrypted once they arrive in the recipient’s inbox. When using a cloud provider, you can choose to connect to an encrypted port rather than a plain-text SMTP/POP port.
For the strongest end-to-end encryption, PGP or S/MIME is the way to go, though either can be fairly complex for organizations to implement. This approach relies on Public Key Infrastructure (PKI), which lets an email sender distribute and validate “keys” so that private messages are accessible only to their intended recipients.
A PKI consists of four major participants:
- A certificate authority that issues digital certificates proving ownership of a public key;
- A registration authority that verifies identities for the CA before the certificate is issued;
- One or more secure directory systems that hold the certificates and their public keys;
- A certificate management system.
For a detailed breakdown of email encryption, see this post.
Building an Encryption Strategy
Developing an enterprise encryption strategy is a long-term, collaborative process that should include IT, operations, and management stakeholders.
- Examine what needs protecting. Identify high-value data and the regulatory requirements that must be met. Develop repeatable processes to identify and prioritize the most sensitive or valuable data for encryption. Also take into account where the data resides: if the system it lives on is already extensively secured, encrypting the data itself may not be necessary.
- Be mindful of the cloud. When encryption is deployed within cloud-based software and data-analytics applications, several elements need consideration: whether all functions of the program will remain available, whether the encryption will meet compliance needs, and how keys will be generated.
- Key management. Keys and certificates must be guarded. Select a secure, protected site for key storage and implement access controls. Choose a protected secondary site to host the backup key for the information’s lifetime. Consider a Hardware Security Module (HSM) solution to centralize key management. Keys can be unintentionally lost, stolen or destroyed if not managed correctly, and they may expire on their own after a set period of time. That is why key lifecycle management, from initiation through distribution, activation, deactivation and termination, should be solidified and written into policies and procedures. For a more detailed breakdown of key management, see this post.
- SSL decryption. Most network security controls cannot decrypt SSL traffic. It is worth looking into an SSL decryption tool for your organization to ensure visibility into important data at points of access.
As your encryption strategy rolls out, make sure employees are trained properly and your policies and procedures are solidified. High-level executive sponsorship is often valuable in accelerating a company-wide change to improve cybersecurity. Aligning teams at all levels with new security practices helps ensure cybersecurity works as intended.