For many people, the very phrase “data encryption” tends to conjure up some pretty strong feelings. Some view it almost as a ‘silver bullet’ for cybersecurity, a guarantee of safety and protection. Others view it more as a nuisance, or an obstacle to avoid.
So, which one is it?
In the IT world, data encryption provides a key defense against attackers stealing data. And, in fact, best practices prescribe encrypting nearly all data, both at rest and in transit.
However, many companies only use default settings for encryption.
So, while some view it as a hassle, and others as impenetrable security, the reality remains far more nuanced.
Sure, data encryption is a fundamental, still-evolving technology that provides powerful protection when done correctly. But an organization that uses obsolete encryption, or that fails to adequately protect its encryption keys or certificates, will find both its security and its reputation compromised.
Data Encryption Myths
Some organizations hesitate to use encryption because it’s viewed as more hassle than it’s worth. For instance, some remember long wait times while files decrypted, during which employees couldn’t work.
Fortunately, drastic increases in CPU speed and system memory, plus the hardware AES instructions built into nearly all current processors, reduce these performance hits to the point that most users never notice full-disk encryption is switched on.
For the most sensitive users, adopting cloud-based virtual desktop instances may eliminate the perception of performance delays, since the cloud can devote more resources to decryption.
So, does encryption deliver foolproof security? Sadly, no.
Encryption uses mathematical algorithms to scramble the bits within your files so that they are unreadable without the key. Older algorithms and modes of operation have known weaknesses: keys too short to resist brute force, ciphers with published breaks, or modes (such as ECB) that turn identical plaintext blocks into identical ciphertext blocks, leaving patterns an attacker can read without ever recovering the key.
For example, researchers recently criticized Microsoft Office for poorly executed encryption that leaves such patterns in the encrypted files. Since Microsoft can’t fix this without breaking compatibility with Office 2010, those seeking to encrypt their files securely must use another option.
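What “patterns in the encrypted files” means in practice, shown as an added example written for this page (not code from the original article or from Microsoft): the Go program below encrypts a constructed plaintext made of four identical 16-byte records once with AES in ECB mode, which has no chaining and so maps equal blocks to equal blocks, and once with AES-GCM, which mixes in a fresh random nonce and attaches an authentication tag so that any tampering is detected. The key and the record contents are made-up test values, and the count of repeated ciphertext blocks is the check an analyst would run against a suspicious file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed test inputs: a fixed AES-256 key and a "file" made of four
// identical 16-byte records, the kind of repetition real documents are full of.
var (
	sampleKey       = []byte("0123456789abcdef0123456789abcdef") // test value only
	repeatedRecord  = []byte("ACCOUNT=0001234;")                  // exactly one AES block
	samplePlaintext = bytes.Repeat(repeatedRecord, 4)
)

// ecbEncrypt implements AES-ECB by hand (Go's standard library deliberately
// ships no ECB mode). Each block is encrypted on its own, so identical
// plaintext blocks become identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt uses AES-GCM with a fresh random 12-byte nonce and returns
// nonce || ciphertext || 16-byte authentication tag.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmDecrypt reverses gcmEncrypt; it returns an error if any byte of the
// nonce, ciphertext or tag was altered, instead of silently returning garbage.
func gcmDecrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// duplicateBlocks counts how many 16-byte ciphertext blocks repeat an earlier
// block: the pattern an attacker looks for in ECB output.
func duplicateBlocks(ciphertext []byte) int {
	seen := map[string]int{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] > 0 {
			dups++
		}
		seen[b]++
	}
	return dups
}

func main() {
	ecb, _ := ecbEncrypt(sampleKey, samplePlaintext)
	fmt.Printf("ECB: %d repeated ciphertext blocks (file structure leaks)\n", duplicateBlocks(ecb))

	gcm, _ := gcmEncrypt(sampleKey, samplePlaintext)
	fmt.Printf("GCM: %d repeated ciphertext blocks\n", duplicateBlocks(gcm[12:])) // skip the nonce

	gcm[len(gcm)/2] ^= 0x01 // flip one bit of the ciphertext
	_, err := gcmDecrypt(sampleKey, gcm)
	fmt.Println("GCM after tampering:", err)
}
```

With ECB the four identical records produce three repeated ciphertext blocks; with GCM there are none, and flipping a single bit makes decryption fail outright. GCM is no silver bullet either: reusing a nonce under the same key destroys both properties, which is why the nonce is drawn at random per message here and why the key-management section of this page matters as much as the choice of algorithm.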
Encryption Best Practices – Data at Rest
When encrypting data at rest, the first consideration is whether to use full disk encryption or file-level encryption.
Generally, full disk encryption provides the best option because it protects all of the data on a hard drive (or USB drive, or phone, etc.) if the device is lost or stolen. Note what it does not do: once the device is booted and unlocked, the operating system decrypts transparently for every process, so full disk encryption offers no protection against malware or an attacker who is already logged in.
File-level encryption requires additional memory and computing power, and it is not typically recommended for endpoint PCs, macOS computers, or Chromebooks.
However, we recommend using both full-disk and file-level encryption for the most valuable data on servers or cloud resources that have the extra computing power to process both types of encryption without performance issues.
Encryption Best Practices – Data in Transit
Data in transit can be more complex, because it encompasses sending email, network traffic between hosts, and website traffic such as Software-as-a-Service (SaaS) resources, ecommerce sites, etc.
Each of these uses its own protocol.
Web traffic (HTTPS) and most application-to-service connections use Transport Layer Security (TLS); remote administration and file transfer between hosts typically use the Secure Shell protocol (SSH); and VPN tunnels commonly use IPsec or TLS.
However, security researchers continuously discover weaknesses in encryption protocols and in the cipher suites they negotiate.
As a result, you’ll want to watch for advisories such as the National Security Agency (NSA) guidance on eliminating obsolete TLS configurations, which calls for retiring SSL 2.0 and 3.0 and TLS 1.0 and 1.1 entirely, and for disabling weak cipher suites within TLS 1.2 (NULL, RC4, 3DES, export-grade, and key exchanges without forward secrecy) in favor of TLS 1.2 with strong suites or TLS 1.3.
Certificates (still commonly called SSL certificates, though they now secure TLS) are used by websites to establish HTTPS connections, and code-signing certificates are used by software publishers to prove that a program is legitimate. These certificates must be carefully managed to avoid damaged reputations, legal liability, or operational shutdown due to expired or stolen certificates.
For instance:
- Attackers stole Nvidia’s code-signing certificates and used them to sign malware so that it appeared legitimate.
- An expired certificate took Spotify’s services offline because clients could no longer establish a trusted TLS connection.
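The two controls this section asks for, a TLS version floor and certificate expiry monitoring, as an added example for this page (not code from the article, the NSA, Nvidia or Spotify). This Go program generates a throwaway self-signed certificate for localhost, then runs two in-memory TLS handshakes against a server configured with a TLS 1.2 minimum: one from a client that can only offer TLS 1.0, which is turned away, and one from a client offering TLS 1.2, which succeeds. It then runs the expiry check a monitoring job would apply to every certificate in the inventory. The certificate, the 30-day renewal window and the in-memory pipe are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for "localhost"
// that expires at notAfter. Demonstration material only: a real server uses a
// CA-issued certificate. The returned pool lets the client verify the
// certificate properly instead of switching verification off.
func selfSignedCert(notAfter time.Time) (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake over an in-memory pipe between a server
// whose floor is serverMin and a client that offers at most clientMax.
// It returns the negotiated protocol version, or the error the client saw.
func handshake(cert tls.Certificate, roots *x509.CertPool, serverMin, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin, // the floor the NSA guidance asks you to raise
		SessionTicketsDisabled: true,      // no post-handshake writes to block the synchronous pipe
	}
	cliCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS10, // deliberately lax: this client stands in for a legacy peer
		MaxVersion: clientMax,
	}

	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(srvConn, srvCfg).Handshake() }()

	cli := tls.Client(cliConn, cliCfg)
	err := cli.Handshake()
	<-srvDone
	if err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// expiryStatus reports the whole days left on a certificate at `now` and
// whether it has entered the renewal window. Run it over every certificate
// in the inventory, not only the public web ones.
func expiryStatus(cert *x509.Certificate, now time.Time, renewWithin time.Duration) (daysLeft int, needsRenewal bool) {
	remaining := cert.NotAfter.Sub(now)
	return int(remaining.Hours() / 24), remaining <= renewWithin
}

func main() {
	cert, roots, err := selfSignedCert(time.Now().Add(20 * 24 * time.Hour))
	if err != nil {
		panic(err)
	}
	if _, err := handshake(cert, roots, tls.VersionTLS12, tls.VersionTLS10); err != nil {
		fmt.Println("TLS 1.0-only client rejected:", err)
	}
	v, err := handshake(cert, roots, tls.VersionTLS12, tls.VersionTLS12)
	fmt.Printf("current client negotiated version 0x%04x (err=%v)\n", v, err)

	days, renew := expiryStatus(cert.Leaf, time.Now(), 30*24*time.Hour)
	fmt.Printf("certificate has %d days left; inside 30-day renewal window: %v\n", days, renew)
}
```

The server never has to know what the legacy client wanted: the version floor is a one-line setting, and the rejection happens before any certificate or cipher is negotiated. The expiry check is deliberately separate from the handshake, because a certificate that still validates today is exactly the one that takes a service down in three weeks if nobody is counting.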
Email encryption uses the S/MIME or PGP protocols, but managing key exchange through email itself can lead to lost encryption keys, delayed email, or other operational issues.
For the exchange of sensitive information by email, organizations often prefer to use a tool to automatically encrypt the emails and manage the keys, or use alternative ways to share the information.
Data Encryption Best Practices – Key Security
Encryption keys must be guarded even more strictly than the sensitive data they protect, since whoever holds the key holds everything encrypted under it. To help with this, CISA provides a 30-page document outlining key security best practices.
A few highlights include:
- Obtain and follow practices recommended by NLECC.
- Develop an encryption key management plan.
- Limit key distribution.
- Maintain a record of all devices that receive encryption keys.
Also, using one key for too long or for too much data widens the damage a single compromise can do, and some modes (AES-GCM, for instance) place a hard limit on how many messages may safely be encrypted under one key. For both reasons, organizations rotate encryption keys on a schedule.
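One way to make the highlights above concrete, as an added example for this page (not from CISA’s document): envelope encryption in Go. Every object gets its own data encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that lives in a separate, tightly controlled store, and the envelope records which KEK was used, which is the kind of record the list above asks for. Rotating the KEK re-wraps the small DEKs without touching the encrypted data, and the old KEK immediately stops working. The key IDs, the in-memory keys and the sample record are constructed for the demonstration; in production the KEKs would sit in an HSM or a cloud KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored beside an encrypted object: the ciphertext,
// the object's own data key wrapped under a KEK, and the ID of that KEK so
// there is a record of which key protects which data.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // AES-GCM: nonce || encrypted DEK || tag
	Ciphertext []byte // AES-GCM: nonce || encrypted data || tag
}

// newKey returns 32 random bytes for use as an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts with AES-GCM under a fresh random nonce, returning nonce||ct||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or on any modified byte.
func open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// Encrypt creates a fresh DEK for this object, encrypts the data under it,
// and wraps the DEK under the KEK identified by kekID.
func Encrypt(kekID string, kek, plaintext []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the data.
// A KEK that does not match the one recorded in the envelope fails at unwrap.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK recorded under %s: %w", env.KEKID, err)
	}
	return open(dek, env.Ciphertext)
}

// RotateKEK moves an envelope from oldKEK to newKEK by re-wrapping the DEK.
// The data ciphertext is carried over unchanged, so rotation costs one small
// AES-GCM operation per object instead of re-encrypting every byte.
func RotateKEK(env Envelope, oldKEK []byte, newID string, newKEK []byte) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, fmt.Errorf("rotate: %w", err)
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek1, _ := newKey() // constructed; real KEKs live in an HSM or KMS, never beside the data
	kek2, _ := newKey()
	record := []byte("patient=4711;result=negative;") // constructed sample data

	env, _ := Encrypt("kek-2024-q1", kek1, record)
	rotated, _ := RotateKEK(env, kek1, "kek-2024-q2", kek2)
	pt, err := Decrypt(kek2, rotated)
	fmt.Printf("after rotation %s decrypts under the new KEK: %q (err=%v)\n", rotated.KEKID, pt, err)
	_, err = Decrypt(kek1, rotated)
	fmt.Println("old KEK against the rotated envelope:", err)
}
```

Because the DEK never leaves the process that performs the rotation and the data ciphertext is byte-for-byte identical before and after, a rotation job can sweep a large store in the time it takes to re-wrap one 32-byte key per object, which is what makes a regular rotation schedule affordable.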
Encryption Management Assistance
While you may need encryption, navigating the sea of options – such as symmetric, asymmetric, 128-bit, 256-bit, CBC-mode, or GCM-mode – can be confusing and time consuming.
But, instead of taking time away from more critical work, you can always reach out to professionals for assistance. Ideal Integrations, along with our cybersecurity division Blue Bastion, can help.
Simply contact us at 412-349-6680, or fill out the form below, and our security and IT experts will gladly outline your options and best solutions.