Data Encryption

Encryption is a crucial component of enterprise security as it keeps data private and secure, provides authentication, and ensures regulatory compliance. The security mechanism does this by ensuring data in transit and storage remains protected even in the event of a breach as perimeter security is no longer reliable.

However, encryption is an intricate topic, as its properties vary with the type of encryption used, the algorithm implemented, and the key sizes used. These variables result in different encryption techniques that suit different use cases in an enterprise. In this blog post, we’ll analyze the various encryption types and approaches and some essential considerations for encryption and key management.

How Does Encryption Work?

Encryption provides security and privacy by converting plain text into cryptic text, known as ciphertext, using an algorithm and a key. The ciphertext looks like a jumbled mess of random characters, so it hides the original message from malicious actors. The intended recipient can then decrypt it back to plaintext using the decryption key.

What Are the Most Common Encryption Techniques?

Encryption of data can be done using various techniques that vary depending on the encryption process and how the keys are applied.

Symmetric Encryption

Symmetric encryption works by encrypting and decrypting data using the same key. The encryption technique is fast and efficient for large amounts of data. However, it introduces the weakness of key sharing between multiple users.

Examples of symmetric encryption algorithms include:

  • AES (Advanced Encryption Standard)
  • 3DES (Triple Data Encryption Standard)
  • Blowfish (Drop-in replacement for DES or IDEA)
  • IDEA (International Data Encryption Algorithm)

AES is the most widely used symmetric encryption algorithm today, and it is mostly used with 128- or 256-bit keys.

Asymmetric (or Public Key) Encryption

Asymmetric encryption uses two different but mathematically related keys to encrypt and decrypt data. The encryption key is shared amongst authorized recipients or made available to the public (public key), but the decryption key is stored securely by the owner and never shared (private key).

Since the decryption key doesn’t need to be transmitted, asymmetric encryption is used for protecting confidentiality, and it generally provides better security than symmetric encryption. However, the method is slow and resource-intensive.

Examples of asymmetric encryption algorithms include:

  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Cryptography (ECC)
  • The Digital Signature Standard (DSS), which incorporates the Digital Signature Algorithm (DSA)
  • Diffie-Hellman key exchange

Asymmetric algorithms are mostly used for digital signature/message authentication.

How About Hashing?

Hashing is often regarded as an encryption technique. It is a process that converts an input of any size into a fixed-size string of text. Just like encryption, it uses a mathematical function. However, unlike encryption that facilitates secure storage or transmission of data, hashing is used to verify whether data is correct without needing to see it. The hash value produced can’t be reversed, so the technique is also called one-way encryption.

Hashing is mainly used in authentication systems to avoid storing plaintext passwords in databases. It’s also widely used for digital signature processes and validation of data and other files.
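The password use case above, as an added example that is not code from the original post: a salted, iterated hash (PBKDF2-HMAC-SHA256 from RFC 8018, computed here for a single 32-byte output block) is stored instead of the password, and a login is verified by recomputing it from the stored salt without ever needing the plaintext back. The `StoredPassword`, `HashPassword` and `VerifyPassword` names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// pbkdf2Block computes the first 32-byte block of PBKDF2-HMAC-SHA256
// (RFC 8018): U1 = HMAC(pw, salt||INT(1)), Uj = HMAC(pw, Uj-1), T = U1^...^Uc.
// The salt defeats precomputed tables; iterating makes each guess expensive.
func pbkdf2Block(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// StoredPassword is what the database keeps: a per-user salt, the work
// factor, and the derived hash. Nothing in it reveals the password.
type StoredPassword struct {
	Iterations int
	Salt, Hash []byte
}

// HashPassword draws a fresh 16-byte salt and derives the record to store.
func HashPassword(password string, iterations int) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{iterations, salt, pbkdf2Block([]byte(password), salt, iterations)}, nil
}

// VerifyPassword recomputes the hash from the stored salt and iteration count
// and compares in constant time, so the check never sees a stored plaintext.
func VerifyPassword(password string, s StoredPassword) bool {
	return hmac.Equal(pbkdf2Block([]byte(password), s.Salt, s.Iterations), s.Hash)
}
```

In production, use a vetted library and a memory-hard function such as Argon2 with a tuned work factor rather than a hand-rolled derivation; the structure (salt, iterations, constant-time compare) is what this example is meant to show.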

The three techniques are usually combined and used together to protect data in its various digital states.

What States of Digital Data Do We Encrypt?

Data can be compromised at any point in an enterprise, so it’s necessary to ensure that it’s always protected throughout its entire lifecycle. This results in three data encryption states.

Data at Rest

Data at rest is data that is not actively moving from device to device or network to network. The data is typically stored on a hard drive, laptop, flash drive, or archived/stored in some other way.

To protect data at rest, enterprises can simply encrypt sensitive files prior to storing them and/or choose to encrypt the storage drive itself.

Data in Motion/Transit

Data in motion or transit is data actively moving from one location to another, such as across the internet or through a private network. To protect data in transit, enterprises often choose to encrypt sensitive data before transmission and/or use encrypted connections to protect the contents of data in the transmission channel.

Some of the most popular data-in-motion encryption methods are Wi-Fi Protected Access (WPA/WPA2) for wireless access, Virtual Private Networks (VPNs) for remote access, Secure Shell (SSH) for secure remote systems administration, and Secure Sockets Layer (SSL) for Web browser to server communications.

Data in Use

Data in use is data that is stored in non-persistent memory, typically in a computer’s random-access memory (RAM), CPU caches, or registers, while actively being processed by computing equipment. This type of data is particularly difficult to encrypt as it is actively being processed, and encryption may impact performance or make processing impossible altogether.

Most Common Data Encryption Approaches

Beyond the differences associated with the varied data states, there’s a range of encryption approaches available today, and they all offer varying levels of functionality and granularity.

Full Disk Encryption

Full disk encryption involves encrypting every bit of data that goes on a disk or storage device (such as SAN or NAS) to prevent unauthorized access to data in storage. The encryption approach is easy to implement as it operates on a set-it-and-forget-it maintenance model.

File System Encryption

This encryption method is a form of disk encryption where the file system itself encrypts individual files or directories. This contrasts with full disk encryption, where the entire partition or disk in which the file system resides is encrypted. The approach is suitable for handling the encryption of unstructured data types such as emails, documents, images, and A/V files.

Database Encryption

Database encryption is the process of converting data within a database from plain text into meaningless ciphertext using a suitable algorithm. The encryption can be done at the file or column level.

Several database encryption technologies have been developed to encrypt databases, allow encryption of sensitive data inside client applications, and prevent exposure of encryption keys in the database engine. These include Transparent Data Encryption (TDE), employed by Microsoft SQL Server, IBM DB2, Oracle DB, and MongoDB, and Always Encrypted, used by SQL Server databases.

Application-Level Encryption

Application-level encryption (ALE) is a data-security solution that encrypts sensitive data within the application instead of relying on the underlying transport and/or at-rest encryption. ALE is regarded as the most secure approach to enterprise data protection, as the data is inherently protected wherever it goes.

This solution can support different mechanisms such as format-preserving encryption (FPE), order-preserving encryption (OPE), and tokenization. For example, with FPE, a 16-digit credit card number remains a 16-digit number after the encryption process. This scheme is useful when third parties process information that needs to be encrypted, but the application using it should be oblivious to the change.

Implementing an Effective Cryptographic Strategy

It’s important to keep in mind that an effective encryption strategy – and information security in general – is a process, not a product. This means that the success of the cryptographic infrastructure is based on how the implementation is planned and the technology is chosen, deployed, and managed.

For a start, understand the type of data that you need to protect, choose the right algorithm, select secure key sizes, and opt for a FIPS 140-2 certified vendor. On top of that, ensure that the key management platform you choose can protect the keys wherever they are (on-premises or in the cloud) and throughout their entire lifecycle. The ideal situation is to have a centralized cryptographic management system that can monitor all activities in a single pane of glass and enforce a centralized policy on how keys may be used. This will help ensure that the organization meets its encryption objectives and satisfies industry compliance standards.