After Edward Snowden exposed the NSA’s spying and information collection, companies (and individuals) became a lot more interested in adopting encryption to better protect their data. However, that’s easier said than done. IT and security staff and anyone else in the decision-making process need to understand what encryption options are available first, and then sift through a long list of criteria that the encryption standards need to meet. There is no one-size-fits-all solution for encryption, unfortunately.
Two primary types of encryption are commonly used: symmetric and asymmetric or public-key. In symmetric encryption systems, the same key can be used to encrypt and decrypt ciphertext. A public-key system uses the concepts of the public key and the private key. The public key can be used by anyone to encrypt data, but the private key is required to decrypt ciphertext.
Answering a series of questions about your business requirements, including compliance, system and partner considerations, will lead you toward one type of encryption or the other, or a combination, in some use cases.
What Is the Encryption Timeframe?
Before even beginning to consider any encryption approach, you need to know when you should consider deploying it. The general rule of thumb is to use encryption that can survive a brute-force attack at least long enough that the data is no longer important to keep secret, according to Robert Hansen, VP of WhiteHat Lab, WhiteHat Security:
“So if it's a credit card number, ideally the encryption used should require a survivability of least a few years under attack because that is when the credit card company will issue you a new number. For nuclear secrets, maybe it's decades, or centuries.”
What Types of Data Will Be Encrypted?
Then you’ll want to think about the type of data you’ll be protecting. Is it transit – dealing with network traffic – or at rest -- the data stored in a database or in archives on disk?
At-rest encryption deals with encrypting files on disk or records in databases so that an attacker who gets access to your machines won’t be able to extract all of the sensitive records, such as customer information, billing and credit information.
Transit encryption is becoming essential, not just for sites and services that handle sensitive information, but everything, for a few reasons, explained Patrick Nielsen, senior security researcher with Kaspersky Lab. “Proper, authenticated transit encryption ensures that you’re communicating with the person or service you intended, and it prevents anyone, whether it be a cybercriminal or foreign intelligence agency, from manipulating with and scooping up the traffic.”
A key point here is “manipulating with,” Nielsen added. Even when you’re not dealing with particularly sensitive information, you may want to ensure that an attacker who controls a public network can’t perform actions on your behalf. Technologies like TLS (Transport Layer Security), HSTS (HTTP Strict Transport Security) and HPKP (HTTP Public Key Pinning) are essential in achieving this, even if content encryption isn’t the top priority.
“Most of the web’s major websites, even ones handling ‘trivial’ information, have switched from being HTTP to HTTPS in the past few years, in part because encryption helps protect against other forms of attack than just eavesdropping, and because the overhead of encryption is negligible in most environments,” Nielsen stated.
What System Restrictions Exist?
Deciding which encryption method to use depends on the system being implemented and requirements, Devin Egan, co-founder and CTO of LaunchKey. For example, sometimes both symmetric and public-key are used together because of the advantages each has. Symmetric encryption is much faster but the system may need a secure way to share that symmetric key with a third party. In this case, data could be encrypted with a symmetric key, and that symmetric key could be encrypted and shared with the public key of a recipient. Or you may want to use a different approach altogether, like hashing, which can’t be decrypted.
Ideally, everything should be encrypted, because in many cases that makes it more difficult for an adversary to know what is sensitive and what isn't, said Hansen. But encryption isn’t free, which means budget will play a role in what and how you approach encryption. If you are limited, according to Hansen, there is an order of importance to follow: anything that can affect life, private information, property, and then money, in that order. Nielsen added the caveat that all network traffic should be encrypted. Stored data is trickier, since it is much more difficult to protect through encryption. “Disk encryption does not stop an attacker from abusing the software that has the encryption key. This software is almost always automatic and ‘always on,’ which means it’s powerless to stop most attacks,” he said. Instead, disk encryption is more useful in meeting compliance issues, rather than as a security measure.
Encryption, of course, doesn’t operate in the bubble of your own IT department. You may have partners or vendors who need access to the data or regulatory issues that must be followed. Compliance is especially important to follow, said Mike Taylor, Applications and Product Development Lead with Rook Security, because failure to do so could mean you’ll end up in the court room.
Who Will You Be Exchanging Encrypted Data With?
Another consideration, Taylor added, is communication between systems. “Occasionally, there are issues where two systems have difficulty communicating because they are using different encryption protocols,” he said. This scenario typically occurs when the two systems are of disparate technical generations and the older one does not support the standards of the new system. In these cases, the chosen encryption algorithm is typically the most modern one supported by the older system. This can increase the risk of data compromise if the only available encryption options have been shown to be insecure.
No single encryption solution provides the correct fit for all circumstances, Taylor pointed out. The encryption method utilized for your wireless network may not be appropriate for your database.
“Being informed about the encryption options for your platform and the pros and cons of the available choices is what is important,” he said. “Merely having an encryption solution in place is not enough, since modern hardware can break many of them in fractions of a second.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba