Encryption is the process where information is converted from a readable format into one that obscures its meaning from those without the authorisation or ability to decipher it and has long been used to protect sensitive information from prying eyes.
The History Behind Encryption
Julius Caesar around 100 BC, was known to use a form of encryption to convey secret messages to his army generals posted in the war front. This substitution cipher, known as Caesar cipher, is perhaps the most mentioned historic cipher in academic literature. In a substitution cipher, each character of the plain text (plain text is the message which must be encrypted) is substituted by another character to form the cipher text (cipher text is the encrypted message). The variant used by Caesar was a shift by 3 ciphers. Each character was shifted by 3 places, so the character ‘A’ was replaced by ‘D’, ‘B’ was replaced by ‘E’, and so on.
Encryption is invaluable for ensuring that sensitive information that falls into the wrong hands, is prevented from being of use to anyone without the ability to decrypt that information. This has huge benefits when compliance regulations come into play following a data breach, if data was encrypted the requirements for public disclosure are minimised, as the risk to data compromise has been eliminated. This is often referred to as ‘safe harbour’ and can be a lifesaver to organisations facing the stress of a data loss, with all its related impact on the business.
Why you should use Encryption
Encryption with its various techniques of securing data has a key role to play in keeping sensitive and confidential information protected wherever it resides or is being transmitted, for example in emails. As a technology it can be deployed for data stored in servers, backup devices, and cloud services, often referred to as Data at Rest. For data in motion, encryption can be used to secure the transmission path by creating a unique closed point to point route between two or more points and eliminates the risk of a ‘man-in-the-middle’ attack, where a bad actor sits in between your transmissions and looks at your data.
Originally considered to be a complex technology to deploy and manage, it has now moved on and can be easily used by anyone. Gone are the fears that it will slow down access to data or double the size once encrypted.
Here are some points you should know about encryption:
- Due to the increasing levels of both businesses and individuals falling victim to a plethora of cyber-attacks, the need for encryption is at an all-time-high.
- Tokenisation is a form of encryption where applications can still operate but using tokens so that sensitive data is hidden, reducing the risk of exposure. An example of where it would be used is for medical research purposes, where large sets of data related to people are analysed but sensitive data that could be used to identify a person, is replaced with tokens.
- Data masking encryption scrambles information, but it is often done more selectively. An example of where it is particularly useful is in redacting sensitive data in documents such as emails and office productivity documents so that they can be sent largely in plain text but with sensitive information, such as credit card numbers, hidden or masked.
- Providers such as Google or Microsoft, or other centralised providers, offer encryption but if they hold the encryption key, they may de-code data if officially asked to, by a government or law enforcement agencies, or worse still if one of their employees wants to sell your data. For this reason, the technique of ‘bring your own key’ has been introduced where you hold and control your own keys outside of any service provider.
- End-to-End encryption stops third parties from accessing data, as it flows from the sender to receiver only and is used by apps such as WhatsApp. Private networks called Virtual Private Networks (VPN) can be set up to achieve this.
- Public/Private Key encryption is available for all to use but, only the intended receiver will have the decryption key by which to unlock the communication. This process works so any person can encrypt a message using the receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key.
- Key Management: If keys and certificates are not properly secured the organisation is open to attack, no matter what security controls are in place. Always consider adding a High-Security Module HSM into any encryption plan. The HSM will also help define any key rotation needs and processes to change the key used in any data set.
- Encryption is based on levels of complexity and thus security. The higher the encryption number the better the encryption code. Typically, 256-bit encryption is the standard level.
- There are many names for encryption codes. Some are held for government use only and many others are proprietary. The most common commercial and widely recognised as being of a strong level of encryption are AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), and DES (Data Encryption Standard). Go for these rather than an unproven version.
- Encryption when linked to access control can be a powerful tool in the separation of duties by controlling who or what process can see the data. This means users, in particular system administrators, can be prevented from reading the data but still allowed to manage it, for example, to do backups.
We all want to be able to communicate securely and without interference. Encryption can help us to achieve this and should be considered a core part, if not the starting point of any data security strategy that organisations develop both for data at rest and in motion. For both data security needs and for achieving regulatory compliance; encryption should be the baseline for any data security strategy.