The science of “cryptology”
Most people had not heard of Alan Turing before the movie, “The Imitation Game”, came out in 2014. In the movie, a young Turing wrote secret messages to his school friend using a simple code that only they could understand as they had the “key” to unlock the meaning.
Later, during World War II, Turing went on to become a vital player in the British code-breaking team at Bletchley that cracked the German’s Enigma machine codes. He built an electromechanical machine, “The Bombe”, that helped to crack the key to the German’s encoded messages and thus changed the course of the war.
This is an early example of machines being used to code and decode privileged messages. Today, advanced computing has allowed for intricate and highly secure data encryption, which forms a vital part of any organisation’s data security arsenal.
There is no single “silver bullet” that can keep hostile intruders from looting your data. Keeping an organisation’s data safe is more than just backing up and archiving, but encompasses protection against data breaches, hackers and malicious virus attacks.
For the average software user, data security is not top of their minds as they go about their day-to-day business and most employees assume the IT department is taking care of things and is keeping the company’s data safe – and most IT departments are doing that and have put safeguards in place. Cybersecurity is multifaceted and includes: Patches, Passwords, Firewalls, Anti-virus, user authentication, tracking, etc.
Here we will just cover “data encryption” as one of the weapons used in defending your data.
Data is a company’s life-force
Data is at the core of any organisation. It records the history, reflects the daily activity and is the very life-force of the company. It empowers decisions, reveals plans, opens understanding; it covers all areas from finances to sensitive personnel data, from negotiations to contracts.
So, it is easy to see why you need to keep your data safe and protected from unauthorised access.
In security terms, C-I-A is used to describe data security: Confidentiality, Integrity, and Availability. Organisations use this approach to reduce risk by covering all known bases with the available technology and practices.
Confidentially – the message is private.
Integrity – the message has not been tampered with or changed.
Availability – it is easily accessible to those with permissions to view it.
You can add to that nonrepudiation which ensures that a sender cannot deny that they sent a particular message. All these come into play when dealing with data encryption.
What is data encryption?
Data encryption is the encoding of “plaintext’ into “ciphertext” using an algorithm. The ciphertext – the encrypted data – can only be read with the correct decryption key. The process changes the data from one form to another and without the key, the data is scrambled and nonsensical.
The “key” is a variable within the encryption algorithm which gives it a unique value and it is used to initially lock the text and then again to unlock the code and transform the scrambled data back to understandable data.
Like water, data exists in three phases: at rest, in motion and in transit.
Data at rest – inactive data that is stored in a database, file, etc.
Data in motion – active data that is used most often or is currently being used.
Data in transit – data that is moving from one device to another.
In order to be as safe as possible, data is encrypted both in transit and at rest.
What is encryption in transit?
During the average working day, data is often transferred from one device to another or across networks. This is when data is in transit and it can be a vulnerable to attack during this process.
Data can be encrypted before it is sent with client-side encryption, or it can be encrypted on a transport-level.
Wire Encryption protects data using various protocols as it moves, e.g. RPC (Remote Procedure Call) which protects remote procedures with authentication; HTTPS (hypertext transfer protocol secure, using SSL encryption); DTP (Data Transfer Protocol); JDBC (a database connection protocol) and Transport Layer Security (TLS) which is a protocol used to establish an encrypted connection between two parties.
What is encryption at rest?
Once the data has been archived or stored in a database or file, it is considered to be “at rest”. Encrypting data at rest adds an important layer of extra security. It also aids compliance and data sovereignty.
In a cloud storage set-up, this function is provided by the host. For example, this is how Microsoft Azure offers encryption at rest:
“Storage Service Encryption allows you to request that the storage service automatically encrypt data when writing it to Azure Storage.
Client-side Encryption also provides the feature of encryption at rest. Azure Disk Encryption allows you to encrypt the OS disks and data disks used by an IaaS virtual machine.”
How secure is data encryption?
Hackers can use sophisticated code breaking tools to try break an encryption key, but these keys are now extremely long: from 128 bits up to 256 bits long which would take even the most powerful computer billions of years to run through, which should give IT managers some peace of mind.
But if the key codes are tight, what about securely storing the keys to keep hackers from finding and using them? This is Key Management. Keys are usually stored separately from the data and are backed up in a different place. Or you can use key wrapping and unwrapping which is when the keys themselves are encrypted.
How do you encrypt data?
There are a number of highly respected encryption tools on the markets that can be used. Also, cloud-based servers like Microsoft Azure, provide encryption as part of their service.
Symmetric and asymmetric encryption
You can encrypt data with a symmetric key or an asymmetric key.
Symmetric (Secret Key Cryptography) – one key for both encoding and decoding.
Asymmetric (Public Key Cryptography) – two linked keys with a public key to encrypt and a private key to decrypt.
Hash Functions can also be used in encrypting.
The most commonly used types of encryption algorthims are:
3DES – This uses three 56 bit keys to encrypt the data. It is an older type that is not used very often anymore.
Advanced Encryption Standard (AES) – This uses a symmetric key to encrypt data in a single block of 128 bits – 256 bits and is a popular method.
Rivest-Shamir-Adleman (RSA) – This uses an asymmetrical key. It is often used for data travelling online, e.g. with digital signatures for verification, but it is not practical for large amounts of data.
Looking to the future, developments in biometrics and voice recognition provide a new avenue for encryption keys. On a mobile level, Android phones come with encryption capabilities and iPhones encrypt your data by default.
Why encrypt your data?
Organisation’s use encryption as a defence against data breaches, especially if the data is sensitive and could cause damage if it fell into the wrong hands.
Compliance and standards
Not only can stolen data be a threat to a company, but compliance regulations compel companies to have proven data security in place. They will be held accountable by the authorities for private data not being secured and will have to face the music if it is hacked and stolen.
Companies need to protect not only against malicious data breaches but also unintentional negligence or human error.
For companies to be able to pass an audit, they will need to comply with the Government standards. In Australia, there are the Privacy Act and the ISO/IEC 2700 series, among others.
Whatever cybersecurity defence plan a company decides to implement, data encryption should be on the must-have list.
By Jeannie De Vynck