Data encryption is all around us. It protects our phones and our computers (hopefully you have disk encryption enabled on your laptop), your banking information, and the passwords that provide access to all your personal and business data. It protects your identity and your privacy (and no, it is not about not having anything to hide).
Encryption is a critical and foundational technological capability that makes our digital lives possible. Without encryption, it would be impossible to have a vibrant internet economy and electronic ecosystem. It protects those elements of our lives that we don’t pay much attention to — our critical infrastructure like power, water, telecommunications, and transportation.
Most people don’t realize just how important encryption is in today’s society. It is the backstage crew that enables everything on stage to perform with wonder and amazement.
We will provide an overview of what data encryption is, how data encryption works, why data encryption is important, what data should be encrypted, and where it should be used.
What Is Data Encryption?
In today’s world, data encryption is a mathematical process that converts plaintext (readable data) into what is called ciphertext (unreadable data). The practice of scrambling words into something unreadable is much older, though: it was used over two thousand years ago by Julius Caesar to communicate with his military forces.
Called the Caesar cipher, it used a simple alphabetical rotation scheme: readable plaintext words became “unreadable” because each letter in the original words was shifted a fixed number of positions in the alphabet (e.g. a became b, b became c, etc.).
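As an added illustration (example code written for this page, not part of the original article), here is the rotation scheme in Go. The sample phrase is a constructed input; the key is simply the number of positions to shift. The last function lists every possible decryption, which shows why a cipher with only 25 keys offers no real secrecy today and why modern keys are long random bit strings.

```go
package main

import (
	"fmt"
	"strings"
)

// caesarShift rotates every ASCII letter in s by shift positions, wrapping
// around the alphabet. Digits, spaces and punctuation pass through unchanged.
func caesarShift(s string, shift int) string {
	shift = ((shift % 26) + 26) % 26 // normalise any int to 0..25
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(shift))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(shift))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// caesarEncrypt and caesarDecrypt are the same operation with the shift
// reversed: the "key" is just the number of positions to rotate.
func caesarEncrypt(plaintext string, key int) string  { return caesarShift(plaintext, key) }
func caesarDecrypt(ciphertext string, key int) string { return caesarShift(ciphertext, -key) }

// allShifts lists the 25 candidate plaintexts for a ciphertext, one per
// possible key. A key space this small is the scheme's weakness; modern
// ciphers use keys of 128 bits or more so that listing them is impossible.
func allShifts(ciphertext string) map[int]string {
	out := make(map[int]string, 25)
	for key := 1; key <= 25; key++ {
		out[key] = caesarDecrypt(ciphertext, key)
	}
	return out
}

func main() {
	// Sample message constructed for this example (a phrase attributed to Caesar).
	ct := caesarEncrypt("The die is cast", 3)
	fmt.Println(ct)                   // Wkh glh lv fdvw
	fmt.Println(caesarDecrypt(ct, 3)) // The die is cast
	candidates := allShifts(ct)
	for key := 1; key <= 25; key++ {
		fmt.Printf("key %2d: %s\n", key, candidates[key])
	}
}
```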
The process of encryption has a necessary and vital companion, decryption, or the ability to return ciphertext back into plaintext. Without decryption, there is no purpose in encryption because we’d never be able to convert data back into a format that is usable.
How Does Data Encryption Work?
Encryption requires a key, which is a random string of bits (1s and 0s) generated by a cryptographically secure random number generator. The key is then used in conjunction with the original data (plaintext) and the encryption algorithm (a mathematical procedure) to scramble your data, or make it unreadable.
There are two primary methods of encryption, symmetric and asymmetric; both allow the data to be decrypted again. While not technically a method of encryption (since it cannot be reversed), hashing is often lumped into the category of encryption. Hashing uses a hash function (a mathematical algorithm) that takes a string of data (e.g. a password) and produces another, fixed-length string, or “hash,” that cannot be reversed back to the original value. Any change in the original data, however small, produces a different hash value. Hashing is therefore often used to verify the integrity of data, i.e. that the data has not changed from its original value.
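The following Go program, added here as an example and not taken from the article, shows the integrity use of hashing with SHA-256: a fixed-length digest, a constant-time comparison against a previously recorded digest, and a count of how many output bits flip when one character of the input changes. The invoice strings are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// digestHex returns the SHA-256 hash of data as a 64-character hex string.
// The output is always 32 bytes, whatever the length of the input.
func digestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// verifyIntegrity recomputes the digest of data and compares it with the
// digest recorded earlier. The comparison is constant-time so that timing
// does not leak how many leading characters matched.
func verifyIntegrity(data []byte, recordedHex string) bool {
	return subtle.ConstantTimeCompare([]byte(digestHex(data)), []byte(recordedHex)) == 1
}

// differingBits counts how many of the 256 digest bits differ between the
// hashes of a and b. For two inputs that differ in a single character the
// count is typically close to half, which is what makes tampering obvious.
func differingBits(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		for x := ha[i] ^ hb[i]; x != 0; x >>= 1 {
			n += int(x & 1)
		}
	}
	return n
}

func main() {
	// Constructed sample record and a tampered copy with one digit changed.
	original := []byte("Invoice 1042 total: $1,000.00")
	tampered := []byte("Invoice 1042 total: $9,000.00")

	recorded := digestHex(original) // stored alongside (or apart from) the record
	fmt.Println("recorded digest:", recorded)
	fmt.Println("original verifies:", verifyIntegrity(original, recorded)) // true
	fmt.Println("tampered verifies:", verifyIntegrity(tampered, recorded)) // false
	fmt.Println("digest bits that changed:", differingBits(original, tampered))
}
```

Note that a plain, fast hash such as this is the right tool for integrity checks, but not for storing passwords: for that, a slow, salted password-hashing function (bcrypt, scrypt or Argon2) is needed so that guessing attacks against the stored hashes are expensive.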
Symmetric encryption uses a single key to both encrypt and decrypt data. It is also referred to as private-key cryptography. Because the same key is used to both encrypt and decrypt data, it is critical that the key is protected.
With symmetric encryption, the key must be shared between those that need to encrypt data and those that need to decrypt (or read) the data. Therefore, it is paramount that the key is shared in a secure manner because anyone with the key will be able to decrypt the data.
There are other algorithms, called key-exchange algorithms, whose purpose is just to enable a process to securely exchange symmetric encryption keys. Well-known symmetric key algorithms include the Data Encryption Standard (DES) (which is now obsolete) and the Advanced Encryption Standard (AES) which is widely used across the world for symmetric key implementations.
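An added Go example (written for this page, not the article's own) of a key-exchange algorithm, X25519 Diffie-Hellman from the standard library's crypto/ecdh package (Go 1.20 or later). Each side generates a key pair, only the public values cross the wire, and both sides nevertheless arrive at the same symmetric key; an onlooker who combines its own key pair with those public values gets a different key. Hashing the shared secret with SHA-256 is a simplification assumed for this example; real protocols use a proper key-derivation function such as HKDF.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// party holds one side's X25519 key pair for a single exchange.
type party struct{ priv *ecdh.PrivateKey }

func newParty() (*party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: priv}, nil
}

// publicBytes is the value sent over the network; it does not need to be secret.
func (p *party) publicBytes() []byte { return p.priv.PublicKey().Bytes() }

// sharedKey combines our private key with the peer's public value and hashes
// the raw shared secret down to a 256-bit symmetric key. A production protocol
// would use a KDF such as HKDF with context binding; SHA-256 is used here only
// to stay within the standard library.
func (p *party) sharedKey(peerPublic []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

// exchange runs the protocol between two parties and returns the key each
// side derived, plus the key an onlooker with its own key pair obtains from
// the same public values.
func exchange() (aliceKey, bobKey, onlookerKey []byte, err error) {
	alice, err := newParty()
	if err != nil {
		return
	}
	bob, err := newParty()
	if err != nil {
		return
	}
	onlooker, err := newParty()
	if err != nil {
		return
	}
	// Only publicBytes() values are exchanged; private keys never leave their owner.
	if aliceKey, err = alice.sharedKey(bob.publicBytes()); err != nil {
		return
	}
	if bobKey, err = bob.sharedKey(alice.publicBytes()); err != nil {
		return
	}
	onlookerKey, err = onlooker.sharedKey(alice.publicBytes())
	return
}

func main() {
	a, b, o, err := exchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("alice:", hex.EncodeToString(a))
	fmt.Println("bob:  ", hex.EncodeToString(b))
	fmt.Println("both sides agree:", bytes.Equal(a, b))   // true
	fmt.Println("onlooker matches:", bytes.Equal(a, o))   // false
}
```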
Asymmetric encryption, also known as public-key cryptography, uses two separate (but mathematically related) keys — one to encrypt data and another to decrypt data.
With public-key cryptography, one key (the public key) is used to encrypt data, and the other key (the private key) is used to decrypt the data. Public keys are just that, public, and are shared with anyone who would like to send the owner of the private key encrypted data.
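As an added example (not code from the article), the public-key flow in Go with RSA-OAEP from the standard library: anyone holding the public key can encrypt, only the holder of the matching private key can decrypt, and a different private key produces an error rather than plaintext. The 32-byte sample message is constructed and stands in for a symmetric key, which is what public-key encryption is normally used to wrap.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKeyPair creates a 2048-bit RSA key pair. The PublicKey field can be
// published freely; the private key must stay with its owner.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipient seals msg with the recipient's public key using RSA-OAEP
// with SHA-256. OAEP under a 2048-bit key fits at most 190 bytes, so in
// practice msg is a symmetric key that in turn protects the bulk data.
func encryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWithPrivate recovers msg. Only the matching private key works; any
// other key yields a decryption error.
func decryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	recipient, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a 32-byte symmetric key the sender wants to share.
	msg := []byte("0123456789abcdef0123456789abcdef")

	ct, err := encryptForRecipient(&recipient.PublicKey, msg) // sender needs only the public key
	if err != nil {
		panic(err)
	}
	pt, err := decryptWithPrivate(recipient, ct)
	fmt.Printf("recipient decrypts: %s (err=%v)\n", pt, err)

	other, _ := generateKeyPair()
	_, err = decryptWithPrivate(other, ct)
	fmt.Println("other private key:", err) // crypto/rsa: decryption error
}
```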
Whether symmetric or asymmetric keys are used, the ability for encryption to protect data hinges on the protection of the keys, else there is no assurance that the encrypted communications maintained their secrecy.
Here is a simple analogy. When you leave your home, you wouldn’t leave your house key in the lock (or even slightly better — under the welcome mat), would you? So don’t leave the private keys in the proverbial lock or under the digital “house mat” which would be, for example, in the same directory as the encrypted data or in another directory that has weak or non-existent access controls.
Why Is Data Encryption Important?
With the ever-present headlines of one data breach after another, it is not a mystery why data encryption is needed. Data encryption is a necessary and vital part of today’s digital age. Without it, we would not be able to safely use the internet to conduct commerce, communicate private information, or enjoy any of the other digital practices that are so ingrained into our daily lives.
Whether it be passwords, health information, financial information, corporate secrets, technological developments (the list is long), data encryption keeps our private data confidential and safe from those that would either exploit it for their own gain or use it for other nefarious purposes. When other protections fail (e.g. boundary defenses, access controls, employee training), data encryption is there as the last centurion to protect what you value — your data. That said, for encryption to fulfill its mission, it must be implemented correctly and the keys must be safeguarded.
What Data Should Be Encrypted?
The short answer to this question is, it depends. Ask yourself whether or not there is any harm with your data being in the public domain. An organization’s data classification policy should outline which data should be encrypted, but I think it is safe to say that more often than not, organizations don’t have a defined data classification policy.
Whether explicitly defined in a policy or not, a risk-based approach should be used to determine whether or not data should be encrypted. What is the impact to your organization if the data were publicly available? What is the likelihood that existing controls provide sufficient protection for the data? There are also federal regulations that require organizations to encrypt confidential, private, or personal data.
In my professional (and personal) opinion, organizations and individuals should err on the side of caution and follow the mantra, when in doubt — encrypt it.
Where Should Data Encryption Be Used?
Data can be encrypted either in transit or at rest. Encryption in transit is essentially encrypting data when it is being transmitted from one party to another. With the ever-increasing use of secure protocols (e.g. HTTPS), encryption in transit is becoming more and more the default with today’s digital communications. Where possible, secure transmission methods should be used, whether for internal or external communications.
Encryption at rest is encrypting data in storage; for example, on a file system or within a database. Encryption at rest protects data from everyone who is not authorized to read it, including hackers or even employees, provided those parties cannot also reach the keys.
Data encryption is a foundational technology in today’s cyber world. Without it, we would not be able to safely use the internet and other digital technologies that we have come to enjoy and even rely on.
Depending on the use case, symmetric or asymmetric key cryptography is used to scramble our data and render it unreadable by prying eyes, whether employees, hackers, or nation-states.
The ability for encryption to protect our data depends on the protection of the keys used to encrypt the data. Without proper safeguarding of the keys, there is no assurance that your data remains confidential.
A risk-based approach should govern the identification of data that should be encrypted, whether in transit or at rest.
Linford and Company specialize in advisory and assessment services for SOC 1, SOC 2, HIPAA, HITRUST, and FedRAMP. Please contact us if you have any questions or are in need of services in the aforementioned areas.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.