Is Encryption Really That Hard?

The problem today is that sensitive information is leaking from organizations like a dripping faucet.  The recent Equifax data breach is just the latest example of a constant barrage of leaks in the news.  All the experts say the best way to stop data leaks is by encrypting sensitive data.

So why isn’t everyone doing it?   What’s the problem?  New regulations are now in place that mandate encrypting sensitive data, NYDFS part 500 and GDPR being two of the most visible.

It’s not like using an Enigma machine to manually encrypt a message.  Today’s encryption mechanisms are easy to use and fit into the daily work of employees everywhere.

Let’s break the world into structured data, which sits in a database, and unstructured data, which lives in documents.  I’ll start with data in databases.  All major database systems allow you to encrypt the database files or encrypt data inside the database.  Transparent Data Encryption (TDE), column-level encryption and field-level encryption are all examples of methods of protecting the data.  Other methods, including hashing, are common with passwords but could be used with other information.

Even though most of us think that all stolen or leaked data is in a database, the reality is that about 80% of the information we use is in documents.  Methods for encrypting documents run from a simple password you can use inside an application like Adobe Acrobat to Enterprise Digital Rights Management (EDRM).  In between are endpoint encryption to encrypt files at rest on a hard drive, encrypting file systems that can assign access rights to files while they are in a particular location, and transport security like SSL/TLS.

On the database side, many of the reasons given for not using encryption are that applications may have to be rewritten or that there might be some performance issues.  The more likely reality is that developers and administrators haven’t thought it was necessary.  Many organizations assume there is enough protection at the perimeter or on devices, so they don’t bother with the data.

The same thinking frequently applies to documents.  People assume with all the perimeter controls and endpoint encryption that things are covered.  This works sometimes, but if someone can get to your documents, they can copy them elsewhere and have complete access to what’s inside.

Implementing EDRM that provides document encryption with access and permission controls is the only real way to protect the content inside documents at all times.  All a user has to do is save the document they work on, and a security policy can automatically encrypt it and apply granular permission controls.  Impact to productivity is minimal, since you can let everyone in your organization do everything they already do with their documents, but ensure that if a document gets into the wrong hands, it is inaccessible.  Users go about their daily activities and most don’t even realize the encryption is there.  You don’t think about it; it just does its job.

It’s the same as shopping securely online.  It just happens in the background and you don’t think much about it.

Encrypting data should be the rule, not the exception.  Just like you lock your house when you leave, lock your data.  It’s easy and keeps you safe and out of the headlines.
