Security Think Tank: Three ways to identify the best encryption use cases

Flex your risk management muscles

Deciding when and where to encrypt (and decrypt) is a true test of a company’s risk management processes and practices. From an IT security perspective, this means upping your game when it comes to threat modelling. A deep understanding of the overall IT and business environment is required in order to pinpoint the most critical targets for attackers or malicious insiders. Coupled with this is a need to understand the potential business impact of encryption, because if you’re encrypting end-to-end, there’s always a danger that you impact data transformations or downstream business processes. Some data types may be obvious candidates for encryption, some may not. Some may even end up with double encryption, where you encrypt both the network traffic and the individual data elements. But all this needs to be considered in light of the specific business process at hand, and the potential risks versus the need for system performance. There is often a delicate balance to be struck in identifying what will work best for the business.

Manage edge security

With encryption comes a need to pay greater attention to securing edge devices and services, principally corporate laptops and mobile devices. At most companies, this is likely to be part of a wider ongoing effort, triggered by the shift to remote work during the Covid-19 pandemic, where encryption has had an important role to play in securing a company’s most far flung edges.

Many companies are adopting managed corporate browser technologies for employee computing devices, enabling IT security teams to configure and manage browser policies, setting, apps and extensions from a centralised location, across multiple operating systems and devices.

Some are adopting SASE (single access service edge) technologies, a cloud architecture model that bundles together network and cloud-native security technologies, and typically includes inline traffic encryption and decryption capabilities to inspect traffic to and from a company’s edge. Regardless of the technology used, more encryption means more focus on end-user systems for security teams, which in turn can create performance impacts for end users.

Think differently

Above all, CISOs and their teams need to think differently about how they monitor and protect corporate systems where encryption has been deployed. It’s time to get creative, recognising there are often multiple ways to achieve the same objectives.

Creativity also comes into play when it comes to incorporating all of the requirements—risk, business and security requirements—and coming up with options that meet all of those. It takes a lot of experience, cross-functional knowledge and imagination to pull all that together. The onus is on security leaders to take their teams on this journey and ensure they have the skills they need to understand that, when encryption reduces visibility, there are usually other places to look in order to get the information they need about security issues and incidents.

They also have a role to play in helping guide in-house developers on where they should (and maybe shouldn’t) consider incorporating encryption into the apps and services on which they are working.

So when the issue of encryption raises its head (and it will), it’s time for the CISO to step up and take the lead on some pretty robust conversations that will help their businesses implement this technology as the precision tool it should be, and not a blunt instrument—or worse still, a double-edged sword.