Data encryption

Massive quantities of sensitive information are managed and stored online in the cloud or on connected servers. This is because it’s virtually impossible to conduct business or go through personal life day to day without your sensitive data being transmitted and stored by the networked computer systems of various organizations.

Data encryption algorithms scramble plaintext so that only the person with the decryption key can read it. This process provides data security for personal information that users receive, send, and store on mobile devices, including those connected to the IoT.

Data encryption technology secures both transmitted data (in-flight data) and stored digital data (at-rest data) on computer systems and the cloud. As the internet has changed computing and systems have gone online, modern encryption algorithms (ciphers) have replaced the outdated Data Encryption Standard (DES) to protect IT communications and systems.

These algorithms guard confidentiality and fuel core security initiatives including integrity, authentication, and non-repudiation. The algorithms first authenticate any message to verify its origin, and then check its integrity to verify that its contents remained unchanged during transmission. Finally, the non-repudiation initiative prevents senders from denying legitimate activity.

There are two main kinds of data encryption: symmetric encryption and asymmetric encryption. In symmetric encryption, a single, private password both encrypts and decrypts data. Asymmetric encryption, sometimes referred to as public-key encryption or public-key cryptography, uses two keys for encryption and decryption. A shared, public key encrypts the data. A private, unshared key that must remain protected decrypts the data.

Symmetric-key encryption is quicker than asymmetric encryption, but before decryption can take place, it requires the sender to exchange the encryption key with the recipient. This in turn has led to massive numbers of keys for organizations to manage securely—a growing problem. For this reason, many data encryption services have adapted to using asymmetric algorithms.

Beyond the symmetric and asymmetric distinction, there are several methods of encryption and handling secure data in practice today. Each data encryption standard was developed to meet different security needs. The most common examples of data security encryption techniques are:

Data Encryption Standard (DES): The US government established the Data Encryption Standard (DES) in 1977, but today it is a low-level data encryption standard for protecting sensitive data. Due to decreases in hardware costs and technological advances, DES is basically obsolete.

Triple DES: Triple DES (3DES) encrypts, decrypts, and encrypts data, thus running DES encryption three times. In the process, it boosts the DES key size of 56-bits to 168-bits, so it’s more difficult to hack, though it demands more resources from the system. 3DES, therefore, reinforces the original DES standard, which is too weak to encrypt sensitive data. It is a symmetric-key block cipher, which means it uses symmetric encryption to encrypt segments of data using a fixed block size.

RSA (Rivest–Shamir–Adleman): RSA (Rivest–Shamir–Adleman) is named for the three computer scientists who invented it to encrypt data in transit in 1977. This public-key encryption cryptosystem is among the most widely adopted modes of asymmetric cryptography, in part due to its key length. RSA’s public key is based on three values: two very large prime numbers and one other number that together combine to secure the data in transit.

Advanced Encryption Standard (AES): Since 2002, AES has been the standard used by the US government and it is also commonly used in consumer technologies worldwide. Based on the Rijndael block cipher, AES is a symmetric cipher.

Blowfish: Like DES, Blowfish is now outdated, although this legacy algorithm remains effective. This symmetric cipher divides messages into blocks of 64 bits and then encrypts them individually. Twofish has succeeded Blowfish.

TwoFish: TwoFish, used in both software and hardware applications, uses keys up to 256 bits in length yet is among the fastest encryption algorithms. This symmetric cipher is also free and unpatented.

Encryption and SSL: Secure sockets layer (SSL), a feature of most legitimate websites, encrypts data in transit, but not at rest. Data should be encrypted as it is written to disk for any amount of time, despite the use of SSL technology. The “s” in the “https://” and the padlock icon in the URL bar signal secure SSL encryption.

Elliptic curve cryptography (ECC): Elliptic curve cryptography (ECC), preferred by certain agencies such as the NSA, is a powerful, fast form of data encryption used as part of the SSL/TLS protocol. ECC uses a completely different mathematical approach that allows it to use shorter key lengths for speed, yet provide better security. For example, a 3,072-bit RSA key and a 256-bit ECC key provide the same level of security.

End-to-end encryption (E2EE): End-to-end encryption refers to systems in which only the two users communicating, who both possess keys, can decrypt the conversation. This includes, for example, even the service provider who cannot access end to end encrypted data.

The following data encryption best practices help organizations understand how to encrypt data efficiently and securely:

Secure your encryption key. At every step, the key must be protected. Always watch for mistakes that would allow unauthorized parties to access your data. For example, the data encryption key itself cannot be part of an unencrypted file. Instead, protect encryption keys by rotating them on schedule, separating the access limits and duties of users, and separating the data and the keys.

Encrypt all sensitive data. All sensitive data must be encrypted, for example with data encryption software, no matter how unlikely they are to be stolen or where they are stored. The theft itself is a problem. Simply encrypting all sensitive data renders it far more difficult for attackers to do something damaging should they breach your systems.

Analyze data encryption performance. Effective data encryption is not just secure, but also efficient. Data encryption that consumes excessive memory and time is not performing well.

Stronger encryptions demand a tremendous amount of computing resources to hack, but it is still possible to break some encryption algorithms using computer programs to access encrypted content. Data security and encryption remains essential to all IT strategies and can deter hackers from accessing sensitive information, but it cannot be the sole focus of your IT security strategy.

Encrypted data in transit is sometimes vulnerable to malware on infected authorized devices. As the data travels across networks, the malware “eavesdrops” and “sniffs” the data.

Encrypted data at rest can be vulnerable on the storage device itself, from malware, and at the hands of unauthorized users who access keys or user passwords.

A very common way to attack encryption is a brute force attack, or randomly trying keys until finding the right one. Obviously, success in this kind of attack is directly tied to key size, as the length of the key determines how many keys are possible and therefore how plausible the attack is. For this reason, data encryption strength and key size are directly proportional, and as both increase, so do demands on computational resources.

Alternative techniques include side-channel attacks which tend to look for errors in the design of the system or execution, hoping to find a weakness in how the cipher is implemented, if not the cipher itself. In contrast, an attack based on cryptanalysis will exploit an actual weakness in the cipher.

Most successful hacks of encrypted data involve gaining access to the encryption keys via techniques such as phishing and social engineering. This is why those who manage such keys must be ever-vigilant against such things.

The primary benefits of data encryption are as follows:

You can apply data encryption tools and technologies across multiple devices. This enables work from home policies and empowers e-commerce.

Data encryption enables more secure communications. Data encryption enhances online security by ensuring all transmitted messages are unreadable to unauthorized users since the data has been encrypted.

Hacking is a serious risk. Cybercrime and large-scale data breaches are an ongoing risk for any organization, and even the best security can be hacked. This means you should assume that sensitive data can be lost, intercepted, or stolen—and it must be encrypted should that take place.

Encryption supports data integrity. Business initiatives sometimes fail due to poor data quality. Businesses can support smarter decisions if they protect their data integrity against hackers and other sources of data corruption.

Regulations require it. In the healthcare vertical, the Health Insurance Portability and Accountability Act (HIPAA) requires providers to encrypt sensitive patient data online. In the retail sales vertical, businesses must adhere to the Fair Credit Practices Act (FCPA) and other consumer protection regulations. And institutions of higher learning must protect student records under the Family Education Rights and Privacy Act (FERPA).

Data encryption protects intellectual property. Digital rights management systems encrypt data at rest — in this case, intellectual property such as songs or software—to prevent reverse engineering and unauthorized use or reproduction of copyrighted material.

It can enhance trust and provide a competitive edge. Data encryption offers reliable security both for people who handle sensitive data and those who trust their data to others. A holistic data encryption strategy consistently applied is essential to staying in line with competitors. Many businesses also signal to their customers that they take privacy seriously by encrypting data even when regulations don’t require them to.

Data encryption ensures that businesses remain compliant with applicable regulatory standards. It also assists them in guarding their customers’ valuable data. These are some of the reasons why data encryption is important.

Data encryption solutions such as data encryption software and cloud data encryption are often categorized based on whether they are designed for data at rest or data in transit. Attackers may target stored data—data at rest — or data that is being sent in some way, which is data in transit.

As employees use removable media, external devices, and web applications more frequently as part of ongoing operations, data encryption solutions must cope with the increased organizational challenges of preventing data loss and protecting the data itself. Once employees move data to mobile devices or the cloud, businesses may lose control of it.

For these reasons, data encryption is an essential component of the best data loss prevention solutions. They are designed to prevent hackers from introducing malware and stealing data from cloud and web applications and external and removable devices. However, part of protecting the data is ensuring it will not be usable to hackers should it fall into the wrong hands.

Solutions for data at rest must simply be configured so that any applications accessing the stored data will be able to decrypt it. Solutions for data in transit are more burdensome from an administrative standpoint, in that they must ensure both data encryption and decryption capabilities for both senders and recipients.

Data at rest does not travel between devices or networks. This kind of information includes data on a flash drive, database, hard drive, or laptop. The appeal of data at rest is that it frequently contains logical details such as suggestive file names that help hackers pinpoint and steal sensitive data including credit card numbers, healthcare information, intellectual property, and personal information.

Proper disposal of data assets is itself an important part of a security protocol because by eliminating unnecessary data you reduce your amount of data at rest and corresponding risk of exposure. For data at rest that remains, data encryption strategies can take place at four levels:

Application-level data encryption encrypts data where it is generated before it is written to the database. You can, therefore, customize the application level data encryption process based on individual user roles and permissions.

Database level data encryption refers to encrypting either the entire database or parts of it. At this level, the database system manages and stores encryption keys.

Storage-level encryption converts all data written to any type of storage into an indecipherable format automatically. This can be done by a physical device installed in the data path, or via software that runs at a device driver level.

Like storage-level encryption, device-level encryption automatically converts all stored data into an indecipherable format, except this encryption is done by the device itself. Device-level encryption can be either full disk encryption or tape drive encryption.

Like full disk encryption, file system level data encryption can encrypt entire databases and their contents. However, file system level data encryption enables users to encrypt individual files and directories using software agents. These agents determine whether data should be encrypted based on policies. This means the encryption is performed via software.

Implementing data encryption is a process with several important elements:

Collaborative strategy: Approach the development of a data encryption strategy as a collaborative effort. Include members of IT, management, and operations. Key data stakeholders should work to identify the laws, regulations, and other external factors that will affect implementation decisions. They can then identify areas of high risk, such as wireless networks, mobile devices, laptops, and data backups.

Data classification: Define a data classification policy that divides information into risk groups. Use data classification tools to facilitate this process and prevent accidental miscategorization or disclosure. Analyze metadata to further determine which data is sensitive and how best to protect it.

Protect decryption keys: Insecure certificates and decryption keys always leave an organization vulnerable, regardless of whatever other protections are in place. Some businesses have thousands of certificates and decryption keys, yet they have no real sense of who is managing them, how they are being used, or which systems they provide access to. Decryption keys and certificates should always be centrally managed according to set protocols.

Key management includes encryption key life cycle management and heterogeneous key management. Encryption key lifecycle management refers to centrally managing keys from the time they are created until they are deactivated and terminated. A heterogeneous key management solution (KMS) provides the central view into the organization’s entire certificate and key environment and enables better encryption key lifecycle management.

Control and limit access: Only authorized users should be able to access sensitive data. Strong access-control methods are at the heart of successful data encryption strategies, including the right combinations of passwords, file permissions, and two-factor authentication. Audit access controls routinely to ensure they remain valid.

Use SSL decryption technology: Encryption alone is not enough, because although more applications are using SSL encryption to keep users secure, most network security controls cannot decrypt and inspect HTTPS (SSL) traffic. This means malicious code can slip more easily into network traffic. SSL decryption technology affords you insight into sensitive data at points of egress and ingress, where it is vulnerable.

Druva has standardized on cloud-based digital envelope encryption, which allows users to keep data secure and leverage it to their advantage more readily. Extended services around analytics, compliance, legal data management, and search, all come with the extended cost efficiencies inherent to cloud services.

Envelope encryption is the practice of encrypting data with an encryption key and then encrypting the key with a root key that you can fully manage. Cloud-based digital envelope encryption offers many benefits:

• Extended services accessibility: The decryption key only resides in the session memory, so decryption can happen in the cloud without risking the information.
• Data lockout prevention: The core key can be enterprise-wide, allowing an administrator to easily reset an end-user’s password or access the data as needed.
• Key durability: The core key only exists in memory, so it can be enterprise-wide without being corrupted or compromised.
• No vendor access: Vendors lack access to the key, and not even a subpoena, court order, or warrant can compel data production.

Learn more about the Druva platform and cloud data encryption.

Now that you’ve learned about data encryption, brush up on these related terms with Druva’s glossary:

• What is data archiving?
• What is eDiscovery?
• What is ransomware?