One of the most effective controls for securing your business’s data is encryption. Encryption has been around since the dawn of man, and it continues to become more complex and effective. Encryption is the act of taking raw, human-readable data, known as plaintext, and rendering it unreadable in a format known as ciphertext. This is done by running the data through a mathematical algorithm together with an encryption key. After data has been encrypted, it can be transferred and stored securely. An attacker looking in will see nothing but ciphertext, making their aims much harder to achieve. When a valid end user needs to view the actual data, the algorithm decrypts it, turning it back into the original plaintext.

There are two main types of encryption:

  • Symmetric Encryption: uses ONE key to both encrypt and decrypt data
  • Asymmetric Encryption: uses TWO keys; a public key for encryption and a private key for decryption
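The two key models above, as an added example in Go's standard library (this is not code from the original article): AES-256-GCM for symmetric encryption, where one key both seals and opens the data, and RSA-OAEP for asymmetric encryption, where the public key encrypts and only the matching private key decrypts. The type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SymmetricKey: ONE secret key (16 or 32 bytes for AES-128/256) both
// encrypts and decrypts. GCM mode also authenticates the ciphertext.
type SymmetricKey struct{ aead cipher.AEAD }
func NewSymmetricKey(key []byte) (*SymmetricKey, error) {
	block, err := aes.NewCipher(key) // rejects keys of the wrong length
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &SymmetricKey{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext; the random nonce is not secret but must never repeat under one key.
func (k *SymmetricKey) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt fails on a wrong key or on tampered bytes (GCM integrity check).
func (k *SymmetricKey) Decrypt(ciphertext []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// Asymmetric: anyone holding the PUBLIC key can encrypt (RSA-OAEP) ...
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// ... but only the holder of the matching PRIVATE key can decrypt.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```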

In today’s digital landscape, encryption is a necessity for an effective cybersecurity program. It is important to keep in mind that encryption is not a 100% defense. Attackers are always on the move to find ways to crack the most secure encryption algorithms, and with the advance of powerful technologies like quantum computing, it is all but inevitable that they will eventually succeed. However, implementing current encryption measures makes a huge difference, and luckily for you, they are often implemented by default in consumer-grade technology. Still, there are several extra encryption controls that should be enabled in your business network for the best security.

Encrypted data falls into one of three categories:

Data at Rest: this is data that resides on a stationary piece of storage with encryption applied. The data is only accessed by authorized personnel when the situation requires.

Data in Transit: this is data that is currently being moved between devices in a network, or between networks themselves. This is the data that your employees deal with every day when they log onto Internet services to perform their work. Data in transit can be easily captured by external threat actors, which is why encryption is so valuable for it.

Data in Use: this is data that is actively being accessed as part of a session. This commonly refers to database management system transactions, which are generally out of scope for your average small business. However, this label can also apply to documents being edited or websites being loaded.

Encryption measures should be in place for each of these categories. Below are some examples of common-sense encryption measures that should always be in place in your organization’s network.

Data at Rest

Every document, photograph, and project file that you and your employees opt to store on your computers qualifies as data at rest. All files stored on network drives and file servers also qualify as data at rest. Even though cloud storage resides on a third party’s network, encryption measures are still necessary. Consult your cloud providers’ shared responsibility documentation to determine who is responsible for applying encryption.

All these storage locations usually already have security controls in place, mainly access controls. However, to keep with defense in depth, it is important to take the initiative by applying encryption for extra security.

Microsoft offers an easy-to-implement storage encryption service with its Windows operating system, known as BitLocker. BitLocker uses the Advanced Encryption Standard (AES) to encrypt storage devices fully. It provides options for 128-bit keys or 256-bit keys. BitLocker can also be configured to encrypt the entire storage device or just the currently used space.

Any entity that seeks to access a BitLocker-encrypted host needs to provide credentials. These credentials could be a password, PIN, or cryptographic smart card/key. BitLocker uses Trusted Platform Modules (TPMs) on modern motherboards to store its cryptographic keys. The TPM provides additional security by not releasing the BitLocker keys unless the integrity of the system is fully intact.

BitLocker is available on the Pro and Enterprise versions of Windows. It cannot be used with Home versions unless it is tied to a Microsoft Online Account.

If you’re looking for an open-source tool to encrypt storage devices, VeraCrypt is a good option. VeraCrypt is a successor to the retired TrueCrypt project and adds several significant security improvements, including memory protection, AES hardware acceleration, and RAM encryption. VeraCrypt is a good option if you are looking for more granular control over the encryption of storage in your organization.

If you have opted to use Linux in your environment, then encrypting computer hard drives is quite simple. Most Linux distros present the option during setup to encrypt the host disk using Linux Unified Key Setup (LUKS). This encryption standard will encrypt your device and store its cryptographic keys, like BitLocker. Always opt for LUKS encryption when installing any Linux systems in your organization. Keep in mind that the LUKS setup will direct you to create a passphrase that will henceforth be required to use the system.

When it comes to cloud storage, implementing encryption for data at rest is significantly easier. Most of the legwork is done by the cloud provider. Platforms like Azure and AWS use a technique called Server-Side Encryption (SSE), which encrypts all data as it is written to the cloud server. The encryption is performed by the server itself, not by the user’s application. The cloud server decrypts the data whenever you read it back out of the cloud.

SSE on cloud platforms is usually not enabled by default. Make sure to review documentation and apply the appropriate settings to implement encryption whenever you set up a storage volume on a cloud platform.

Data in Transit

Data in Transit should have encryption measures applied at every step of the way. In a basic business environment, many of these encryption measures are made readily available.

To encrypt your internal network communications, ensure that you configure your routers and wireless access points with the most advanced security standard. Most consumer-grade routers provide the following options for security:

  • WEP (Wired Equivalent Privacy)
  • WPA (Wi-Fi Protected Access)
  • WPA2 (Wi-Fi Protected Access 2)

Under no circumstances should Wi-Fi be configured to use WEP. It is an extremely outdated standard and can be easily cracked. WPA should also be avoided in favor of WPA2. However, these days, many routers provide the newest standard, WPA3 (Wi-Fi Protected Access 3), which is the best possible option for protecting wireless networks. When planning your network deployment, try to purchase WPA3-capable technologies and enable the standard network-wide.

In terms of applications, many reputable mainstream applications make encryption a core tenet of their functionality. Zoom allows users to enable end-to-end encryption for their meetings, keeping communications protected as they traverse the Internet. Online vendors like Amazon use various techniques to provide server-side and client-side encryption to their customers, protecting their sensitive financial data.

An important rule of the Internet is to always make sure that any websites and services you interact with are SSL/TLS encrypted. SSL/TLS protects communications by encrypting data sent between an end device (the client) and the target website (the server). Whenever you connect to an SSL/TLS-encrypted website, the TLS handshake is performed to negotiate and configure a secure session. This ensures that all data sent between the user and the website remains out of the view of an attacker looking in.

It is easy to know if a website is SSL/TLS encrypted or not. The HTTP protocol is the standard protocol used to transfer data between web servers and clients. However, HTTP by itself is insecure as it transfers data in plaintext. SSL/TLS encryption is applied on top of HTTP to create HTTPS, the secure version of the protocol. If you look at the URL for a website, you will see the link denoted with either HTTP or, hopefully, with HTTPS. Under no circumstances should you share data with any website using plain HTTP, as attackers looking in can see your information laid bare. Every website your organization shares data with should be using HTTPS. You can also confirm the security of a website by looking at the far-left side of the URL bar. If the website is SSL/TLS encrypted, you will see a lock icon, often colored green. If the website lacks encryption, you will usually see a gray “I” icon warning you about the insecurity of the website.

[Figure: browser address-bar padlock indicator reading “This website is secure”]
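The rule above, never send data over plain HTTP and trust only a connection whose TLS handshake (including certificate verification) succeeded, as an added Go example that is not part of the original article. It stands up loopback test servers with a constructed page so it runs offline; the helper names are my own.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newServer starts a loopback test server (HTTPS with a self-signed
// certificate, or plain HTTP) that serves one constructed "sensitive" page.
func newServer(useTLS bool) *httptest.Server {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "account balance: 1234.56") // constructed sample data
	})
	if useTLS {
		return httptest.NewTLSServer(h)
	}
	return httptest.NewServer(h)
}

// Fetch applies the rule from the text: never send data over plain HTTP.
// It also requires the TLS handshake to succeed (certificate verified against
// the client's trust store) and returns the negotiated protocol version.
func Fetch(client *http.Client, url string) (version uint16, body string, err error) {
	if !strings.HasPrefix(strings.ToLower(url), "https://") {
		return 0, "", errors.New("refusing plain HTTP: " + url)
	}
	resp, err := client.Get(url) // handshake happens here; untrusted cert => error
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if resp.TLS == nil { // e.g. a redirect downgraded the connection to HTTP
		return 0, "", errors.New("connection was not encrypted")
	}
	if resp.TLS.Version < tls.VersionTLS12 {
		return 0, "", errors.New("obsolete TLS version negotiated")
	}
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.TLS.Version, string(b), nil
}
```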

Data in Use

Encrypting data in use is generally not in the scope of a small business cybersecurity program. While data in transit is data actively moving across networks, data in use is data actively being processed by your system’s resources. Data-in-use encryption may be built into your operating system itself. While you may not have the means to implement advanced data-in-use encryption, you can supplement the mechanisms already provided by ensuring that proper access controls and continued authentication policies are in place.