• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Current News   »   Data encryption: Threats and best practices

Data encryption: Threats and best practices

  • Posted on:October 2, 2014
  • Posted in:Current News, Encryption, Industry News
  • Posted by:
    Trend Micro
0

Since it first emerged, encryption has long been held as one of the top data protection techniques available. This security approach enables the user to scramble the content of protected systems and documents and utilize a decryption key to decipher it. In this way, only authorized viewers – those with access to the key – are able to read the protected information.

Currently, encryption is leveraged in a range of different settings, including within enterprises, the armed forces, and to protect payment details on e-commerce websites. Although many are aware of the security advantages that encryption can offer, there is one main threat to its protection: the fact that some have yet to adopt it.

A lack of proper encryption
Lawfare contributor Paul Rosenzweig noted that for quite some time within the technology industry, it has become common knowledge that encryption, when deployed properly, can safeguard information against nearly any threat. However, many users – even those dealing with highly sensitive materials – have yet to implement it.

“Yet is has been the case for an equally long time that very few people actually use encryption to protect their vital secrets – not journalists, not criminals, and most assuredly not the … ‘average layman user.,'” Rosenzweig wrote.

He points to a bevy of reasons as to why this is the case, especially in the current environment where threats that could be mitigated by encryption seem to run rampant. Some users may not be aware of the staunch security encryption can offer, or others may simply think they will not fall victim to an attack.

“Of all of these, I tend to think complexity and laziness lead the list – that is, most encryption programs are difficult to use and need to be installed,” Rosenzwieg pointed out. “They don’t have ‘one button’ applications and they are not ‘on’ by default.”

Whatever the reason, the end result is the same: Critical information – that is no doubt an attractive target to cybercriminals – goes unprotected.

Encryption best practices
In this spirit, it is important for all users to understand just how powerful encryption can be when it comes to guarding personal information and sensitive data belonging to a business. When applied correctly, encryption provides a near-bulletproof barrier against all unauthorized intrusion, ensuring that only those permitted to view the content are allowed to.

But what exactly is involved in “proper” encryption use? Consider the following best practices when deploying and utilizing encryption to ensure top notch security:

Examine what needs protection
First, it is vital to understand what information needs encryption protection to decide where the technology will be deployed. In today’s threat environment, a myriad of details are considered valuable to hackers, including payment card information, names, birthdates, social security numbers and intellectual property belonging to a company. Because this data can be utilized for fraudulent purposes and is therefore fair game for cybercriminals, encryption should be put in place to prevent intrusion.

At the same time, users should consider not only what information needs protecting, but when to implement security. When data is sitting in an overarching system with its own security measures, encryption may not be necessary. On the other hand, when content is in transit, or being sent to internal or external parties, encryption is the sender’s best bet to ensure that the information is not intercepted along the way.

Consider how encryption will interact with cloud systems
NetworkWorld contributor Linda Musthaler noted that encryption has become increasingly robust and popular due to the advent of cloud computing technology. Because the cloud vendor manages certain aspects of the system containing data, organizations need an added protection measure to ensure that their company information remains secure. However, when encryption is deployed within cloud-based materials like SaaS and data analytics applications, there are several important elements to consider. These include whether or not all functions of the program will remain available, if encryption will meet compliance needs and how keys will be generated.

“Cloud environments introduce all sorts of complexities to think through before selecting one or more encryption solutions,” Musthaler wrote.

While taking into account these extra precautions may seem cumbersome, including encryption in cloud security can not only offer protection for company information, but peace of mind for administrators as well.

Get details about the encryption algorithm
Musthaler also recommends gleaning details about the algorithm being utilized from the encryption vendor. Although there are overarching requirements for primary encryption algorithms, Musthaler noted that some providers “can take liberties with how they apply the standards.” This can have an impact on the strength of the protection the encryption provides. Therefore, users should ask about the algorithm in place and how it matches up with international standards.

“[I]t’s important for you to ask your vendor questions about the specific modules they use,” Musthaler wrote. “When choosing a solution, it’s best to stick with an encryption module that adheres to industry standards.”

Brocade noted in a recent white paper that other considerations to make with algorithms include the speed of encryption, memory usage, cost, openness and range of application coverage. Factoring in these essentials will help guarantee that the proper algorithm is in place.

Ensure proper key management
Once the technology is in place, administrators must ensure that the decryption key is properly managed. With proper control, keys can lead to serious protection issues, the white paper noted.

“After being created, keys need to be backed up and managed,” the white paper stated. “Keys can be lost, stolen or destroyed unintentionally, or they can expire after a predetermined period of time. All of these are security vulnerabilities.”

Users should select a secure location in which to keep their encryption keys, ensuring that access is limited to only those authorized. A secondary, protected site should be chosen for the backup key and these locations should be maintained for the life of the secured information and its connected key. Brocade noted that there are key management solutions as well as key vaults available that provide the proper environment to maintain keys.

When users are educated about the top-tier protection encryption can offer and deploy it with best practices in mind, they stand a much better chance of thwarting unauthorized access and keeping information secure.

Related posts:

  1. Key management essential to successful cloud encryption strategies
  2. Data in Motion: The Other side of the Cloud Encryption Coin
  3. Cloud security best practices: Benefits of cloud encryption
  4. Ransomware Updates: Newest Threats, Protection Best Practices

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • New Report: Top Three Ways to Drive Boardroom Engagement around Cybersecurity Strategy
  • Advanced Cloud-Native Container Security Added to Trend Micro's Cloud One Services Platform
  • Trend Micro Goes Global to Find Entrepreneurs Set to Unlock the Smart Connected World
  • Winners of Trend Micro Global Capture the Flag Demonstrate Excellence in Cybersecurity
  • Companies Leveraging AWS Well-Architected Reviews Now Benefit from Security Innovations from Trend Micro
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.