Take the necessary security measures, starting from the inside out.
In this post we talk about the growing push to encrypt data at rest. It has become a necessity to encrypt not only your active data but also your data at rest, and not doing so puts your business at greater risk than ever before. The difference between data at rest and active data is as follows:
- Data at rest: inactive data stored physically, in any digital format, on persistent storage such as disk or tape. Examples: databases, files, backup tapes, offsite backup copies, mobile devices, etc.
- Data in transit: active data travelling between devices, either over private networks or over public or untrusted networks such as the internet. Examples: credit card information used for online shopping, emails, and chat data.
This information is for both technical and business-minded people, to bridge the gap between them on the subject. Both sides of your company should understand the importance of data encryption and work together to ensure your data is secure. Data is arguably the most valuable asset your company has, and everyone in the company has a duty to ensure it is safeguarded.
You’d be surprised how many companies aren’t encrypting data at rest. The reason may simply be that they do not fully understand the information, its purpose, its value, or the risk it carries. Sadly, they will be the ones to blame if or when a breach occurs.
Encryption is our first stop on the way to fully protecting your data from the inside out.
To put it simply, encryption is a mathematical algorithm built around a key pair of two keys, a public key and a private key. The public key is used to encrypt data and the private key is used to decrypt it. Simple. Breaking it down further, below are the different kinds of keys used, as either private or public keys, to encrypt and decrypt.
- Encryption Key: a piece of information generated by a cryptographic algorithm that specifies the transformation of plaintext into ciphertext and vice versa.
- Data Encryption Key (DEK): the key that encrypts the data objects themselves; the name distinguishes it from the other kinds of encryption keys.
- Key Encryption Key (KEK): an encryption key used to encrypt a Data Encryption Key or other special-purpose cryptographic keys.
- Master Key Encryption Key: an encryption key used specifically to encrypt all other special-purpose cryptographic keys, such as Data Encryption Keys and Key Encryption Keys. It also serves as the primary key in most sophisticated cryptographic systems and requires top-secrecy handling.
- Cryptographic System: software on a computer, or a special-purpose hardware appliance, used to generate, store, distribute, process and manage cryptographic keys.
- Key Vault: a storage environment specifically designed to store encryption keys, either within the cryptographic system or as an independent component tightly coupled to it.
- Encryption Key Part: a single piece of an encryption key that has been split into two or more parts.
- Key Ceremony: the process by which two or more people, one per key part, together store a cryptographic key in a key vault.
Similar to encryption, we have tokenization. Tokenization is the process of substituting sensitive data with a non-sensitive equivalent. For example, your credit card number is sensitive data; say it reads 1523 1235 6584 6484. Tokenization takes that number and creates a substitute for it, handing it back to the online store as 1234 5678 9112 1314, so that the store never has to store your actual information. The token still looks like a credit card number, but the sensitivity of the data is gone.
This simple security measure can be scaled in complexity to protect different levels of sensitive data. You may want to put a little extra padding around data that could bring your company to its knees if stolen. This sort of thinking can protect your company, clients, and employees from the kind of disaster you hear about in the news. Don’t let it be you.
As your company grows, so does your data; as your data grows, so do your encryption efforts. The more encrypted data you keep on local enterprise storage, in the cloud, or in backups, the more storage you need.
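To show what sits behind the substitution described above, here is a minimal token vault as an added Go example (not code from the original post): the store only ever sees a random 16-digit token, and mapping it back to the card number is possible only through the vault. The token format, the in-memory map and the sample card number are assumptions for the example; a real service keeps the vault in hardened, access-controlled storage.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Vault stands in for the tokenization service's secure store, the only place
// where a token can be mapped back to the real card number (token -> PAN).
type Vault map[string]string

var sixteenDigits = regexp.MustCompile(`^[0-9]{16}$`)

// randomToken draws a uniformly random 16-digit string from the OS CSPRNG.
func randomToken() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1e16)) // uniform in [0, 10^16)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%016d", n.Int64()), nil
}

// Tokenize returns a 16-digit token in place of the card number. The token looks
// like a PAN but is random, so it reveals nothing about the real number.
func (v Vault) Tokenize(pan string) (string, error) {
	pan = strings.ReplaceAll(pan, " ", "") // accept "1523 1235 6584 6484" style input
	if !sixteenDigits.MatchString(pan) {
		return "", errors.New("expected a 16-digit card number")
	}
	for {
		tok, err := randomToken()
		if err != nil {
			return "", err
		}
		if _, taken := v[tok]; !taken && tok != pan { // redraw on collision
			v[tok] = pan
			return tok, nil
		}
	}
}

// Detokenize is the privileged reverse lookup that only the vault can perform.
func (v Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v[tok]
	return pan, ok
}
```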
Disk and O/S Level Encryption:
The types of encryption discussed thus far only add value for portable devices such as laptops or external hard drives. Disk and O/S-level encryption, however, leaves you at risk of being hacked remotely, because a server is highly unlikely to be physically stolen out of a data warehouse.
Full disk encryption is a cryptographic method that applies encryption to the entire hard drive, including data, files, the operating system and software programs. This form of encryption is comparable to the protection of your home. Just as locking all exterior entrances is an efficient way of ensuring that no unwanted visitors enter the living spaces inside, full disk encryption places an exterior guard around the internal contents of the device.
With HIPAA, PCI and GDPR, accountability is king.
You must have proof that demonstrates you have taken reasonable measures to protect your data. Data protection measures might include, without limitation:
- Data management practices, encryption measures, policies, procedures, and audit processes.
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- A process in place for testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
This proves it is a worthwhile effort, especially when you compare the cost of encryption to the cost of the ramifications after a breach or an audit.