As businesses are becoming increasingly reliant on data, it is vital that information is secure.
Data security is not just important for business reasons but also to comply with new legislations such as the General Data Protection Regulation.
There is a vast array of data security measures available, but when it comes to guarding your data one of the best options is to use encryption so that should files ever fall into the wrong hands, the data cannot be read. But just what is it and how does encryption keep data secure?
When you start to look into encryption you will come across a number of different, and possibly unfamiliar, terms. Before we go on, we need to look at some of these and understand what they mean and how they affect you.
Let’s explore some of the ways in which encryption works.
One of the most common approaches to encrypting files or web communications is via the use of a certificate; a binary file that is used for encrypting information. The certificate contains details about the subject, together with a public key that is used for encryption purposes.
Such certificates can be generated by yourself or they can be issued by a certificate authority. Those that are issued by an authority are generally used to protect websites and a verification process is used to ensure that the company using the certificate is legitimate and is who it says it is.
The other thing that you will come across is keys. These are divided into public and private. A private key is used to digitally sign communications in order to prove their authenticity or it can be used to decrypt data that has been encrypted using the corresponding public key. Your private key should always be kept private; in many cases they are protected with a password or PIN to prevent unauthorised use. The other side of the coin is the public key. This is used to verify a digital signature, or to encrypt data being sent to the owner of the public key. You can share your public key with others, or publish it in online directories or in certificates to allow people to send you encrypted messages.
In the world of encryption you may also come across hashes. These are one-way mathematical functions that create a unique value that is used to verify the integrity of data, although not to secure it. Hashes are often combined with salts (don’t panic, you haven’t stumbled onto a recipe site) to make encryption more secure by making the encryption scheme unique. They can, therefore, make a weak encryption scheme stronger.
When you’re using the internet and you see the padlock symbol to indicate that a site is secure, it’s showing that the site is encrypting the data in transit. This is usually done by using Secure Socket Layer (SSL), although more recently there’s been a switch to Transport Layer Security (TLS) which uses stronger algorithms for more effective encryption.
So, how does encryption protect data when it’s sitting on your servers? Data stored on a disk, so-called data at rest, is at risk should the disk be stolen or the system accessed by an unauthorised party. Encryption can be used to make sure that the data remains secure even if the system is physically accessed. If the hacker doesn’t have the key to decrypt it, the data in the files is useless. It’s therefore important that the key is stored elsewhere or protected by a strong PIN, password, or hardware authentication system.
In most cases, encryption at rest uses what’s called a symmetric algorithm so that data can be quickly encrypted and decrypted as required. The last thing you want is for encryption to slow down the performance of your systems. The key itself needs to be protected, however. For this, you can use a PIN, or a password, or a more sophisticated system such as a certificate held on a smart card. If the key is properly protected, it becomes almost impossible for an attacker to gain access to the files.
A further way to protect files at rest is by hashing algorithms to calculate their value and compare it later to detect any changes that have been made to the data. These checksums or hashes are often used to validate files that have been downloaded from the internet, thereby ensuring that they are the correct version. Increasingly, hashes are used in forensic investigations to ensure that copies made of hard drives are an exact facsimile of the original.
If you have media that leaves the office, for example off-site backups, laptops or USB flash drives, then encryption on these devices should be made mandatory as a means of keeping data secure. There are external drives available that have a built-in keypads or fingerprint readers that make enforcing encryption straightforward. For maximum security, you should encrypt data on your servers too. This protects it from the activities of malicious insiders and has the added advantage that if you need to replace a drive you don’t need to worry about the possibility of data being recovered from the old one.
Data on the move
So, how does encryption keep data secure when it’s in transit? First, it’s important to define what we mean by data in transit. Essentially, this is any data that is being accessed via a network and therefore has the potential to be intercepted by someone else accessing that same network. This can be an internal network or the internet.
On wireless networks, you can protect against unauthorised access by encrypting all traffic over the network. Most routers now have WiFi protected access (WPA) encryption enabled out of the box, but business networks can be protected further by using WPA2 Enterprise. Public networks like those found in coffee shops or hotels are not protected so you should be wary of using them to access confidential information.
Protection levels can be further improved by adopting more secure communications protocols. Standard internet protocols such as HTML, FTP and POP are unsecured and traffic can easily be read if intercepted. You can protect information by using SSL or TLS, as described above, or protocols including secure file transfer protocol FTP (SFTP). When data is encrypted in transit in this way, it is only at risk if the key is compromised.
Encrypting data in transit works in different ways. In some cases, it uses symmetric encryption which requires a fixed session key, but most modern systems use a certificate and asymmetric encryption. This means that a session key is securely exchanged at the start of the session and then used to provide the fastest encryption and decryption. With SSL or TLS, for example, certificates are used to exchange the public keys at the start of the session. The public keys are then used to securely exchange the private keys. This makes the traffic almost impossible for hackers to read.
Many encrypted protocols also include a hashing algorithm to verify that the data hasn’t been altered in transit. This can help defeat so-called Man-in-the-Middle (MitM) attacks, because if a hacker decrypts and re-encrypts data, the signature will have changed even if the data hasn’t.
MiTM attacks involve attackers fooling you into using them as your proxy, or getting you to ignore a certificate warning so that you trust their certificate rather than a real one. That is one of the reasons why using certificates from a third-party authority is important and why when your software warns you a certificate is not trusted you should not accept.
Ideally, encryption in transit should be compulsory for any network traffic that carries private data. Many companies now choose to encrypt their public-facing websites and you’ll increasingly see HTTPS appearing in web addresses. By using encryption for data – both at rest and in transit – you can ensure that your information is kept safe and that your staff and customers will be confident that all their details are protected.