Since it first emerged, encryption has been regarded as one of the top data protection techniques available. It lets the user scramble the content of protected systems and documents so that only a decryption key can decipher it. In this way, only authorized viewers – those with access to the key – are able to read the protected information.
Currently, encryption is used in a range of settings, including within enterprises and the armed forces, and to protect payment details on e-commerce websites. Although many are aware of the security advantages that encryption can offer, there is one main threat to its protection: the fact that some have yet to adopt it.
A lack of proper encryption
Lawfare contributor Paul Rosenzweig noted that it has been common knowledge within the technology industry for quite some time that encryption, when deployed properly, can safeguard information against nearly any threat. However, many users – even those dealing with highly sensitive materials – have yet to implement it.
“Yet it has been the case for an equally long time that very few people actually use encryption to protect their vital secrets – not journalists, not criminals, and most assuredly not the … ‘average layman user,’” Rosenzweig wrote.
He points to a bevy of reasons as to why this is the case, especially in the current environment where threats that could be mitigated by encryption seem to run rampant. Some users may not be aware of the staunch security encryption can offer, while others may simply think they will not fall victim to an attack.
“Of all of these, I tend to think complexity and laziness lead the list – that is, most encryption programs are difficult to use and need to be installed,” Rosenzweig pointed out. “They don’t have ‘one button’ applications and they are not ‘on’ by default.”
Whatever the reason, the end result is the same: Critical information – that is no doubt an attractive target to cybercriminals – goes unprotected.
Encryption best practices
In this spirit, it is important for all users to understand just how powerful encryption can be when it comes to guarding personal information and sensitive data belonging to a business. When applied correctly, encryption provides a near-bulletproof barrier against all unauthorized intrusion, ensuring that only those permitted to view the content are allowed to.
But what exactly is involved in “proper” encryption use? Consider the following best practices when deploying and utilizing encryption to ensure top-notch security:
Examine what needs protection
First, it is vital to understand what information needs encryption protection to decide where the technology will be deployed. In today’s threat environment, a myriad of details are considered valuable to hackers, including payment card information, names, birthdates, social security numbers and intellectual property belonging to a company. Because this data can be utilized for fraudulent purposes and is therefore fair game for cybercriminals, encryption should be put in place to prevent intrusion.
At the same time, users should consider not only what information needs protecting, but when to implement security. When data is sitting in an overarching system with its own security measures, encryption may not be necessary. On the other hand, when content is in transit, or being sent to internal or external parties, encryption is the sender’s best bet to ensure that the information is not intercepted along the way.
Consider how encryption will interact with cloud systems
NetworkWorld contributor Linda Musthaler noted that encryption has become increasingly robust and popular due to the advent of cloud computing technology. Because the cloud vendor manages certain aspects of the system containing data, organizations need an added protection measure to ensure that their company information remains secure. However, when encryption is deployed within cloud-based materials like SaaS and data analytics applications, there are several important elements to consider. These include whether or not all functions of the program will remain available, if encryption will meet compliance needs and how keys will be generated.
“Cloud environments introduce all sorts of complexities to think through before selecting one or more encryption solutions,” Musthaler wrote.
While taking into account these extra precautions may seem cumbersome, including encryption in cloud security can not only offer protection for company information, but peace of mind for administrators as well.
Get details about the encryption algorithm
Musthaler also recommends gleaning details about the algorithm being utilized from the encryption vendor. Although there are overarching requirements for primary encryption algorithms, Musthaler noted that some providers “can take liberties with how they apply the standards.” This can have an impact on the strength of the protection the encryption provides. Therefore, users should ask about the algorithm in place and how it matches up with international standards.
“[I]t’s important for you to ask your vendor questions about the specific modules they use,” Musthaler wrote. “When choosing a solution, it’s best to stick with an encryption module that adheres to industry standards.”
Brocade noted in a recent white paper that other considerations to make with algorithms include the speed of encryption, memory usage, cost, openness and range of application coverage. Factoring in these essentials will help guarantee that the proper algorithm is in place.
Ensure proper key management
Once the technology is in place, administrators must ensure that the decryption key is properly managed. Without proper control, keys can lead to serious protection issues, the white paper noted.
“After being created, keys need to be backed up and managed,” the white paper stated. “Keys can be lost, stolen or destroyed unintentionally, or they can expire after a predetermined period of time. All of these are security vulnerabilities.”
Users should select a secure location in which to keep their encryption keys, ensuring that access is limited to only those authorized. A secondary, protected site should be chosen for the backup key and these locations should be maintained for the life of the secured information and its connected key. Brocade noted that there are key management solutions as well as key vaults available that provide the proper environment to maintain keys.
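The key-management points above (access limited to authorized users, a backup copy at a secondary location, keys that expire) can be checked mechanically. The script below is an added example, not code from the article or the Brocade white paper. The primary/backup directory layout, the `.key` file naming, the JSON `expires` field and the use of POSIX file permissions are all assumptions made for illustration.

```python
import hashlib, json, os, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_key(key_path, backup_dir, now):
    """Return a list of findings for one key file (empty list = healthy)."""
    findings = []
    # Access: only the owner should be able to read or write the key.
    mode = stat.S_IMODE(key_path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"access: mode {mode:o} lets group/other reach the key")
    # Backup: a byte-identical copy must exist at the secondary location.
    backup = backup_dir / key_path.name
    if not backup.exists():
        findings.append("backup: no copy at secondary location")
    elif sha256(backup) != sha256(key_path):
        findings.append("backup: copy differs from primary")
    # Expiry: read from a sidecar metadata file (hypothetical format).
    meta = key_path.with_suffix(".json")
    if not meta.exists():
        findings.append("expiry: no metadata, expiry unknown")
    else:
        expires = datetime.fromisoformat(json.loads(meta.read_text())["expires"])
        if expires <= now:
            findings.append(f"expiry: expired {expires.date()}")
    return findings

def demo():
    """Build a constructed primary/backup layout and audit every key in it."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp, "primary"), Path(tmp, "backup")
        primary.mkdir()
        backup.mkdir()
        # Constructed samples: random bytes standing in for key material.
        samples = {"good": (0o600, True, "2030-01-01T00:00:00+00:00"),
                   "stale": (0o644, False, "2023-01-01T00:00:00+00:00")}
        for name, (mode, has_backup, expires) in samples.items():
            key = primary / f"{name}.key"
            key.write_bytes(os.urandom(32))
            os.chmod(key, mode)
            (primary / f"{name}.json").write_text(json.dumps({"expires": expires}))
            if has_backup:
                (backup / key.name).write_bytes(key.read_bytes())
        return {k.stem: audit_key(k, backup, now) for k in sorted(primary.glob("*.key"))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run on a schedule, a check like this surfaces a missing backup or an expired key before the data it protects becomes unreadable or exposed.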
When users are educated about the top-tier protection encryption can offer and deploy it with best practices in mind, they stand a much better chance of thwarting unauthorized access and keeping information secure.