Data is everywhere and encryption must follow
Evalueserve.com Pvt Ltd.
Whether in the current digital era or yesteryear, like long ago during Egypt’s time, ensuring the security of sensitive information has always been at the top of every intellect’s mind.
With explosion of data accessibility everywhere and anywhere, be it big data, data on fileservers, data over corporate emails & collaboration tools such as OneDrive for business, Teams, SharePoint, Google Workspace, data on cloud, data over WIFI networks, CRM, AI tools and many other enterprise applications & with ease of information available across ecosystems, this also brings up responsibilities on our shoulders to protect them from cyber-threats, breaches, unauthorized access, and tampering.
Data Encryption Fundamentals
Encryption is a technique in information security that involves converting plaintext data into an unreadable form called ciphertext. It is a process of encoding information using an encryption algorithm and a secret encryption key. Broadly, there are three types of encryption, each of which does the magic of protecting either individually or in combination for the best outcomes.
Symmetric Encryption
It uses the same key for encryption and decryption, which is shared between the sender and receiver. When encrypting data, the sender uses the key to transform the plaintext into ciphertext. The recipient then uses the same key to decrypt the ciphertext and retrieve the original plaintext.
Consider a real-life example: Encrypting a Windows Operating system Laptop using BitLocker makes it efficient and fast, suitable for securing extensive data. However, it comes with the challenge of securing and managing the keys because, in case the keys are compromised, anyone with the key can decrypt the data stored on the Laptop in case of theft.
Key takeaways for CISOs – Point no 1: Be mindful of using secured algorithms such as Advanced Encryption Standard (AES) -256 bits only and not any other weak algorithms like AES 128 bit or DES. Point no. 2: Do save the repository of keys in a password-protected file and a restricted location & last, rotate the keys at whatever frequency works best concerning risk appetite and person-hour resources available. However, it is recommended to be 6 months, which may be practically difficult for many organizations. If budget permits, look for a Hardware Security Module (HSM) with the highest security standards like FIPS 140.
Asymmetric encryption
This is often called public key encryption, which uses a pair of keys: a public key and a private key. The public key encrypts data, while the private key decrypts it. The public key is freely distributed and used for encryption, while the private key is kept secret and used for decryption. This approach addresses the key distribution problem of symmetric encryption, but can be slower due to the complexity of the mathematics involved.
Think about real-life examples as
HTTPS/TLS Encryption – When you visit a secure website, your browser gets the website’s public key to start a secure connection, and only that secure site can decrypt it using its private key. Secure algorithms used are RSA or ECC.
Email Encryption—When you send a secure email to someone using Pretty Good Privacy (PGP), you encrypt the Email using their public key. Only they can read it using their private key.
Digital signatures – Trusted software distribution, like signing Windows updates.
Key takeaways for CISOs: Point 1. Use RSA(Rivest-Shamir-Adleman) of 2048-bit or 3072-bit for strong security, especially for TLS digital signatures /Email encryption. Point 2. Use ECC (Elliptic Curve Cryptography) faster than RSA, but with fewer keys and less computing power. This method is commonly used in Bitcoin or resource-constrained devices such as mobile phones and smart cards. Point 3. Use EdDSA, which is fast and secure for digital signatures, secure logins (SSH) /OpenSSH, etc.
Hybrid encryption
Hybrid encryption combines the advantages of both symmetric and asymmetric encryption, and the simplest reason is that each has its strengths and weaknesses. Imagine like hybrid = secure+fast
Real-world applications are WhatsApp, which uses both asymmetric key exchange and symmetric key for AES for chat messages, or think of HTTPS, which uses RSA/ECC handshake to share session keys while AES encrypts website data.
Data encryption and protection play a vital role, whether data is at rest, in transit, or, more importantly, when data is in use.
Best practices for Data at rest Encryption
A strong AES 256-bit encryption algorithm is used to encrypt the entire system.
Implement robust key management practices, preferably in an HSM, as this would prevent unauthorized access to sensitive information.
Use MFA and practice regular security assessments for added security.
Best Practices for Data in Transit Encryption
Use strong encryption algorithms like TLS to secure data in transit.
Implement VPNs to create encrypted tunnels for your data, especially when accessing official infrastructure or connecting through public WIFI, as this would prevent potential eavesdropping.
Regularly update software systems and be cautious when using Public WIFI.
Best practices for Data in use Encryption
Data in use refers to data actively processed by a system in RAM, CPU, or applications.
Essential techniques for data encryption are Trusted Execution Environments (TEE) and homomorphic encryption, which are mainly used in cloud providers. As part of best practices, apart from TEE, implement memory protection, isolate sensitive workloads, protect against insider threats by following the need-to-know and strict least privilege principles, and continually monitor.
Key takeaways for CISOs on the ICO recommendation are mentioned below when implementing encryption.
- When implementing encryption, four things must be considered: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
- Over time, encryption algorithms may discover vulnerabilities that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
- It is essential to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should therefore assess whether your key sizes remain appropriate.
- The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards such as FIPS 140-2 and FIPS 197.
- Several organizations, including the National Cyber Security Centre (NCSC), offer advice on appropriate encryption solutions.
- You should also ensure that you keep your keys secure and have processes in place to generate new keys when necessary.
Let us navigate and browse the online world confidently and keep customers happy and feel secure, signing off as of now and continuing to excel in automation and keep things around us encrypted, digitally, or otherwise.
Authored By: Nitan Gulati, Evalueserve.com Pvt Ltd.
