There was a time when gold was what the thief was after. But reading the newspaper today rarely provides a story in which a train was robbed just for the gold. Today’s thief is after data – personal information. But today’s target isn’t too different from the gold target of a century ago. Both represent wealth and power, and both must be protected to keep organizations viable and successful.
Today, every organization has some kind of data that is the gold of their organization. This data treasure must be protected, just differently than the way gold is protected. Several technical and non-technical tools are used to protect data. The focus of this post is one of those tools: encryption – what it is, where it is and is not effective, and what its place is in an organization’s security strategy.
What is Encryption?
The word encryption (and crypto) comes from the Greek root kruptos meaning hidden. Data encryption, therefore, means hidden data. Data encryption has become a cornerstone of nearly every security strategy. Just like people have hidden gold to protect it, organizations hide data to protect it.
One of the simplest forms of encryption is the Caesar Cypher or what is sometimes called a substitution cypher. In this example, the data is hidden by substituting each character with the character a fixed distance away in the alphabet. That means a +3 Caesar Cypher of the word encrypt would result in hqfubsw. Each cypher character is 3 letters further down the alphabet than the cleartext letter it represents.
The Caesar Cypher is a simple form of encryption. But like all types of encryption, some mathematical process transforms the data from the cleartext to the cyphertext to hide the data. More effective encryption cyphers use more complicated mathematical processes. Additionally, cyphers rely on a key in the mathematical process. The longer the key, the more effective the cypher. The key length for our Caesar Cypher example above is a key length of 1. Modern encryption techniques use key lengths of 192, 256, 1024, and higher along with much more sophisticated methods than the direct substitution of the Caesar Cypher. It is this key that is shared between the data sender and the data receiver so that the hidden data can be successfully recovered.
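The +3 example above, and the reason so small a key offers little protection, can be shown in a few lines. This is an added illustration, not code from the original post; the word list and the sample message are constructed for the demonstration.

```python
import string

def caesar(text, shift):
    """Shift each ASCII letter `shift` places, wrapping at z; leave the rest."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

# Constructed word list, used only to recognise readable English output.
COMMON_WORDS = {"the", "data", "at", "and", "is"}

def score(text):
    """Count how many words of the candidate plaintext are common words."""
    return sum(word in COMMON_WORDS for word in text.lower().split())

def recover_key(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the most readable."""
    candidates = [(k, caesar(ciphertext, -k)) for k in range(26)]
    return max(candidates, key=lambda c: score(c[1]))

if __name__ == "__main__":
    print(caesar("encrypt", 3))                      # the post's example
    secret = caesar("protect the data at rest", 3)   # constructed sample
    print(secret)
    print(recover_key(secret))                       # key found without being told
```

Because only 26 shifts exist, the key is found by trying every one of them; modern key lengths make that kind of exhaustive search impractical.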
Symmetric vs. Asymmetric
There are two main ways to use and share the key in the encryption process – symmetric and asymmetric. Symmetric encryption uses the same key for both encrypting and decrypting, and the two operations are mathematically related processes.
Asymmetric keys use a key pair that has a special relationship between the public key (the half given to the receiver) and the private key used by the source party. For example, an encrypted web site uses asymmetric encryption where the web user gets the public key and the web server uses the private key. Data encrypted with either key can only be decrypted by the other.
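The difference between the two key models can be seen side by side in the added example below, which is not from the original post. The symmetric half is a toy XOR cipher with a constructed key, and the asymmetric half is textbook RSA with tiny constructed primes and no padding, so both are for illustration only and unsuitable for protecting real data.

```python
# Symmetric: one shared key, and the same operation, in both directions.
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR each byte with the repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Asymmetric: textbook RSA key pair built from tiny constructed primes.
P, Q = 61, 53
N = P * Q                    # modulus shared by both halves of the pair
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent
D = pow(E, -1, PHI)          # private exponent (needs Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)

def rsa_apply(blocks, key):
    """Apply one half of the key pair to a list of integers smaller than N."""
    exponent, modulus = key
    return [pow(m, exponent, modulus) for m in blocks]

if __name__ == "__main__":
    shared = b"k3y"                          # constructed shared secret
    hidden = xor_cipher(b"gold", shared)
    print(xor_cipher(hidden, shared))        # same key recovers b'gold'

    message = list(b"gold")                  # one integer per byte
    # Encrypted with the public key, recovered only with the private key.
    sealed = rsa_apply(message, PUBLIC_KEY)
    print(bytes(rsa_apply(sealed, PRIVATE_KEY)))
    # Transformed with the private key, recovered only with the public key.
    stamped = rsa_apply(message, PRIVATE_KEY)
    print(bytes(rsa_apply(stamped, PUBLIC_KEY)))
    # Applying the same half twice does not give the message back.
    print(rsa_apply(sealed, PUBLIC_KEY) == message)
```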
Types of Encryption Methods
As described above, keys can be either symmetric or asymmetric. The mathematical process refers to the type of encryption. These are the names you hear describing the encryption used and include 3DES (triple DES), AES, and Rivest-Shamir-Adleman (RSA). Each of these has good and bad points; think of them in terms of encryption strength and processing overhead. While there are encryption methods that are no longer considered effective because computing power is available to hackers, these three are still considered strong encryption methods.
Where is Data Encryption Used?
Encryption is used to protect data at rest (storage) and during transmission (data in motion). Think of how data is stored, transmitted, and processed in your organization. Encryption is used in the first two states – storage and transmission. Data can be protected using the same methods described above to protect data on local hard drives, portable media, cloud services storage, and likely all other media. Similarly, transmitted data can be protected using these methods. The application of the method might differ for storage encryption and transmission, but the underlying mathematical process remains the same. And more importantly, effective data protection is maintained.
What are the Problems with Encryption?
As mentioned above, encryption can effectively protect data during the storage (data at rest) and transmission (data in motion) states. However, encryption during the processing state is generally not effective. It’s not that it is impossible; rather, the application programming would be tremendously impacted through slower processing throughput and code complexity. Las Vegas would say it is a safe bet to assume organizations process data in cleartext form.
The Security Onion – It’s All in the Layers
Encryption can be a great tool to protect data, but it has its limitations. A typical environment frequently includes a system’s hard drive that is encrypted and the data that is transmitted over a secure HTTP connection. The data is safe, in this example, IF the attacker has physical access to the system or if the attacker is “listening” to the traffic flow to and from the system. But there are other ways for the attacker to get to the data.
A trick email could lead an authorized user to install a keylogger that would capture passwords and other valuable information the legitimate user enters. Another attack might install a small bit of code that copies the transmitted data from the normal channel to an unknown stream that allows the attacker to get the same data as the authorized recipient. This type of attack is called a bot and it can easily be installed under certain configurations.
This is why it is so important to use multiple types of security tools. These tools don’t do exactly the same thing, and they don’t protect the data the same way, but they work together to form a bigger and stronger barrier to the attacker. Encryption used as a base to protect data at rest and in motion should be supported by other controls – minimum access privileges, active malware blocking, URL filtering to block known malicious sites, and several others.
Summary: Encryption from a Compliance Perspective
Encryption is a great tool, but it can’t be your only protection. The attacker is after your data. If you make it hard to get to the data through the front door, he will try through a window. If you lock the window, he might send you a letter that tricks you into just giving him your gold. When an assessor reviews the security of an organization, one of the first things he asks is what are you trying to protect? In other words, where is your gold? If the assessor finds the data is encrypted at rest and in motion, great. Next, he will wonder what other windows could the attacker crawl through to get to the gold. It would be good for you to consider the same question.
Please contact us at Linford & Company if you would like to discuss your compliance requirements, including HIPAA Compliance Reports and SOC 2 reports.
Terry L. Dalby is an experienced senior assessor and security engineer who has held principal technical roles for healthcare organizations, several large enterprise and service providers. He has consulted for organizations from virtually every sector performing risk assessments, policy reviews, forensics, and security program development. Dalby has earned multiple security-related certifications including HCISSP, CISSP, CISA, CISM, CRISC, CCSK as well as vendor certifications from Microsoft, Cisco, and Checkpoint. He has a BS in Electronics Technology from Northern Michigan University (Summa Cum Laude).