Blog

To Encrypt or Not To Encrypt

To Encrypt or Not To EncryptIs this even a legitimate question anymore?  With all the data breaches happening all over the world, you would think that everyone would encrypt all electronic information and communication by default.  Many do, but many don’t.  Is it a lack of interest?  Not knowing what to do?  Not understanding what encryption is?

A lot of people talk about encryption, but not many really understand what it does or how to do it.  At its basic level encryption is a way to transform information into something that an unintended recipient can’t understand.  The concept of encryption is nothing new.  It started thousands of years ago when people wanted to keep secrets from each other.  Someone would encode a message with a special key and then pass the encrypted message to the intended recipient.  If you didn’t have the key, the message was gibberish.  The key could be anything from substituting letters in a pattern to a special decoder ring kids used to get in cereal boxes (my personal favorite).

The issue with encryption is making sure no one breaks it.  The first codes were easy to break, so people kept creating more complex ones.  This was very common in World War II with whole divisions of the military focused on breaking codes.  When computers were developed, more complex codes were needed since a computer could break them quickly.  The best encryption today is created by mathematicians using complex algorithms.

Many people get confused by encryption, since it’s a bit of an alphabet soup.  There is SSL, TLS, AES, DES, RC5, Blowfish, IDEA, Twofish, NewDES, SAFER, CAST5 and FEAL just to name a few.  Understanding their details is not necessary to using them, since there are many commercial implementations that are easy to use.  But how do you distinguish between them?

Encryption is generally divided between data at rest or stored data, and data in transit.  Most of the issues with data breaches are because someone stole data stored on a hard drive or removable media, like a USB flash drive.  You also need to worry about your data stored in the cloud, since ultimately that’s sitting on a hard drive.  Currently Advanced Encryption Standard (AES) is considered to be one of the best encryption algorithms for stored data.  It was selected after a 5-year standardization process by the National Institute of Standards and Technology (NIST).  It was adopted by the US government for top secret information and is used in many commercial products and services.

A lot of the breaches you read about involve databases that didn’t encrypt their data.  The recent Sony PlayStation network breach illustrates this.  All modern database systems can encrypt their data using AES, hashing or similar algorithms, so there is no excuse not to do it.  You can also encrypt the volume the database sits on.  Some see this as complicated, because you need to develop a system with security in mind.  Well in today’s world, this needs to be built in.

The other issue is dealing with data in transit.  Every time you hit a website you are moving data in plain text over a network.  SSL (secure sockets layer) and TLS (transport layer security) are the common encryption protocols used to securely move information over networks.  They are used with HTTP and email protocols, like POP and IMAP, to encrypt data in transit.  If you go to a website and type in any sensitive information, like a password, credit card or social security number, make sure you see HTTPS in your browser address bar.  If you use an app on a PC or mobile device, make sure they are using a secure transmission protocol when you move your data.

Here are a few tips to make sure your sensitive information is encrypted:

  • Make sure any website that asks for personal information, including a password, uses HTTPS
  • Only store sensitive data with a cloud provider that uses AES or a similar encryption algorithm; this includes backup services and file sharing sites.
  • Use SSL or TLS for all email communication.  Ask your email provider how to do this.
  • Encrypt sensitive data on your hard drive or removable media.

 

There are lots of free, open source and commercial solutions for local encryption.  Some systems have it built in.  Apple’s OSX has FileVault to encrypt your home folder.  Microsoft Windows has BitLocker or EFS.  Many third parties offer more complex end point security which does full disk encryption.  Fasoo encrypts your files, so that even if they leave your control, they are protected.  One of the arguments for not encrypting data is that it slows down computers and communications.  With today’s processors, this is no longer the case.  It happens in the background without you even knowing about it.  The other issue is that you lose your key or password and the data is gone.  This is a legitimate concern, but there are lots of ways to resolve it.

If more people and businesses encrypted data as a routine, data breach headlines would almost vanish.  Computer and device manufacturers need to implement this by default.  That way we wouldn’t have to worry about it.  But it just might bring back secret decoder rings.

Tags
Book a meeting