Security Think Tank: A user’s guide to encryption

The basics

Encryption minimises the plain text communications between systems and servers; should a threat actor access an organisation’s systems, encrypted traffic makes it much harder for data on the network to be read, or for malware – which could cripple an organisation’s data – to be injected.

Encryption can be undertaken using encryption software, encryption-enabled storage devices, or encryption-enabled networks to secure sensitive data. It can be used to protect data both in transit and at rest (being stored) and requires ‘keys’ to both ‘lock’ (encrypt) and ‘unlock’ (decrypt) the information being guarded. Symmetric encryption means both the sender and receiver of the information must use the same key to encrypt and decrypt, while two different keys are required for asymmetric encryption.

The cryptographic algorithm – an amalgamation of mathematical ingenuity and digital resilience - at the heart of the encryption being utilised determines how robust the encryption is in practice. From venerable algorithms such as RSA (Rivest-Shamir-Adleman) and AES (Advanced Encryption Standard) to contemporary innovations like quantum-resistant encryption, these constitute the bedrock of digital protection.

Challenges to consider

But encryption works both ways – malicious actors can also encrypt data. At-rest data stored as plain text can be encrypted to initiate a ransomware attack in which the key needed to decrypt the data will only be provided if a ransom is paid (and even this is far from a given). Data backups can be a solution but work only if that data is sufficiently protected to stop it being encrypted by a malicious actor.

The lower cost and ease of implementation of cloud-based solutions such as SaaS applications also adds complexity; managed by third-party vendors, they introduce ambiguity around where the organisation’s ‘network’ ends, while data is only as secure as the external service; enterprises need to ensure that the provider uses encryption for the data at-rest and in-transit.

The emergence of quantum computing also poses major questions, as the sheer power of this technology will potentially reduce the time for traditional encryption methods to be successfully attacked from years to seconds. Post-quantum cryptography is a highly specialised area of research focused on developing algorithms that can withstand quantum attacks; time will tell whether this is robust enough for encryption to be a viable option in the future.

The risk of ‘backdoor’ access

End-to-end encryption is the equivalent of having secret conversations in a super-secure room that only specific people can enter. However, on occasion, the rules around this type of security can clash with law enforcement requirements, with much of this having its roots in anti-terrorism measures as governments call for the right to incept end-to-end messaging.

The problem is that government and law enforcement cannot have ‘backdoor’ access to encrypted data without that same backdoor being exploited by malicious actors. It will require companies to use a state-recommended supplier for encryption, with anything else deemed non-compliant.

Equally, an outright ban on secure communications has significant ethical and practical ramifications, both for the individual and the enterprise; quite apart from peoples’ fundamental right to personal privacy, referring to the opening paragraphs, encryption is the behind-the-scenes security enabler of countless online activities. Restricting or severely compromising encryption would render many of these insecure – from online shopping to secure connections into networks; it would also make it impossible to transfer data or protect personally identifiable information (PII), meaning many businesses would be unable to operate.

The incompatibility of secure communications and back door rights is marked by the threats of many messaging companies to withdraw from countries where access to their systems is demanded by those in power; should their services no longer be available, it would further exacerbate the ability of many organisations to do business in these territories.

One of the biggest challenges for encryption therefore is intelligently navigating the delicate balance between privacy and legal regulations which many governments are looking to address.

Key management and password managers

While encryption is a great tool for protecting data, it is only as strong as an organisation’s key management processes.

For example, an inventory of all encryption keys ensures a central and holistic view of all the keys relied on to keep data safe, making losing track of a key less likely and providing a record of the information that is encrypted. Keys need to be stored securely and an appropriate disaster recovery plan put in place to minimise impact in the event of a breach. Monitoring the usage and frequency of keys is also important, while access control manages who can use keys and what they can do with them.

Effective key management also covers revocation, in which encryption keys are removed and replaced in the event of a (key) loss or compromise.

There are additional activities that organisations can undertake to reinforce their encryption activities. Training people to use encrypted password managers reduces the risk of usernames and passwords being exposed (written on notepads or saved on shared drives, for example), while controls can be put in place to ensure everyone is adopting this practice. And patching vulnerabilities on hardware and software that uses encryption, and checking for regular updates, is essential. 

Encryption: one part of the protection puzzle

While encryption is highly effective, organisations should adopt a ‘defence-in-depth’ approach. Maintaining multiple levels of security measures, including network segmentation, firewalls, and intrusion detection systems, alongside encryption of key assets and communications helps to protect their vital data assets from those who should not have access to them.