Five things you should know about encryption… for non geeks!

March 3, 2010

When most people wake up in the morning, somehow, encryption is not the premier thought on their mind. I know, I know, this statement may come as a shock to you.

Most people probably even believe that they could go an entire lifetime without ever thinking once about what encryption is, and what it can do for them.

Some people, I tell you.

The truth is simple: if you are in business, you don’t have to be an encryption expert, but there are 5 things that you should know about encryption.

Before we proceed, here’s a quick primer on how to think about your data.

Understanding data states.

Data resides in different states, including at rest, in transit, or in use.

An example of data “at rest” is a Word document not currently open, but saved to the hard drive on your laptop.

An example of data in transit is that same Word document, attached to an email, on its way to your sister-in-law’s email inbox after you clicked on “send”.

An example of data in use is a computer program that processes information that resides in a backend database.

Understanding threats to the data.

Each state includes inherent risk to the data being used:

That data could be pilfered by an unauthorized third party (a loss of data confidentiality).

The data could be corrupted by a virus (a loss of data integrity).

This data could be erased by malware or a malicious internal user (a loss of data availability).

Protecting the confidentiality, integrity and availability of data assets is what information security is all about.

Understanding data classification.

Data classification is the concept of assigning a confidentiality rating to all data assets. This is the concept to which all the “TOP SECRET” stuff you see in movies is linked. The idea is simple:

Look at each data asset your organization owns, and then decide:

1. “I don’t care who or what sees this information.” It’s safe to say that this data asset can be classified as “Public” as no harm will come to you or your organization if this information were to be read by a third-party.

2. “I want some of my business partners and some of my internal resources to see this information, but not everybody out there.” In this case, the data asset can be classified as “Confidential – Third Party”.

3. “I don’t want anyone but my internal resources to see this information.” This calls for a data classification level of “Confidential”.

Why bother with doing all this work? Tagging each data asset with a classification rating allows you to simply decide during the course of doing business whether an asset should be shared or not – and with whom. For example, you could decide that all Word document titles will from now on be assigned a prefix of C, C3 or P. If a document used to be called 2010_financial_statements.docx, you could rename it to C_2010_financial_statements.docx. That way, even if you do not directly know the contents of this document, you will be able to tell, just by seeing the file name, whether it should be shared freely or not. This is a simple and effective control to protect you against inadvertent data breaches.

Five things you should know about encryption:

1. Confidential and Confidential/3rd-Party data should be protected – i.e. encrypted – regardless of the state in which it currently finds itself. Hackers are equal-opportunity criminals. If your data is encrypted at rest, but not in transit, they will go after it while in transit.

2. Rule of thumb: encryption strength is related to the number of bits in the key. Therefore, 256-bit encryption is stronger and more difficult to defeat than 128-bit encryption. You never want to use an encryption solution with a strength lower than 128 bits.

3. You should have a clear, realistic, enforced and published corporate encryption policy – and supporting procedures – that dictate how data is to be protected. Then you should train your users and make sure that the policy reinforces your business processes – rather than hindering them – so as to maximize employee adoption.

4. When in doubt, ENCRYPT! Many encryption solutions are free, so there is no reason NOT to encrypt.

5. Confidential data should never be placed on a mobile device – laptop, phone, PDA, etc. But if the organization has a legitimate business need that requires it, then said confidential data MUST be encrypted.
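As an added example (not part of the original post), here is how the C / C3 / P file-name convention from the classification section and rule 1 above can be turned into a pre-send check for email attachments. The internal and partner mail domains are constructed assumptions; untagged files are treated as Confidential, following "when in doubt, encrypt".

```python
# Added example: enforce the C / C3 / P classification prefix before an
# attachment leaves the organization. Domains below are constructed.
INTERNAL_DOMAINS = {"example-corp.com"}          # assumption: our own mail domain(s)
PARTNER_DOMAINS = {"trusted-partner.example"}    # assumption: approved third parties

# File-name prefix -> classification, as described in the post.
PREFIX_TO_CLASS = {
    "C": "confidential",
    "C3": "confidential-third-party",
    "P": "public",
}


def classify(filename: str) -> str:
    """Read the classification tag from the file name.

    An untagged file (no recognised prefix) is treated as Confidential,
    the safest default when in doubt.
    """
    prefix = filename.split("_", 1)[0]
    return PREFIX_TO_CLASS.get(prefix, "confidential")


def recipient_zone(address: str) -> str:
    """Place a recipient in one of three zones based on its mail domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    return "external"


def may_send(filename: str, recipient: str, encrypted: bool) -> tuple[bool, str]:
    """Decide whether an attachment may be sent, and give the reason."""
    cls = classify(filename)
    zone = recipient_zone(recipient)
    if cls == "public":
        return True, "public data may be shared freely"
    if cls == "confidential" and zone != "internal":
        return False, "Confidential data stays internal"
    if cls == "confidential-third-party" and zone == "external":
        return False, "Confidential/3rd-Party data only goes to approved partners"
    # Rule 1: confidential data in transit must be encrypted, even to an
    # allowed recipient, because its classification follows it between states.
    if not encrypted:
        return False, f"{cls} data in transit must be encrypted"
    return True, f"{cls} data sent encrypted to {zone} recipient"
```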

In conclusion…

Data should be classified in terms of its criticality/confidentiality status. Confidential data should be encrypted regardless of the state it is in. Understand that the state of the same data item may change over time!

Encryption should not be seen as a security control that is “nice to have”, but as a “must have.” This is a perfect example of a control that reinforces your business goals. It is a simple, best-practice control that is required by many regulatory mandates such as HITECH, the Massachusetts Data Breach Notification Law, the PCI standards, etc. So, when’s the last time your organization reviewed its encryption policy and its effectiveness?

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436
