Q and A session

Data Encryption Q&A with Thales eSecurity

Data encryption, put simply, is the act of translating readable information into an encoded format, which can only be decoded by those possessing the decryption key. Data encryption is apparent in our everyday lives, from secured messaging apps and online banking, to shopping on Hypertext Transfer Protocol Secure (HTTPS) sites. However, for consumers using popular internet-connected devices, security is often sacrificed in favour of convenience.

In the corporate world, data encryption is one of the most effective forms of data security, but despite this, the majority of data breaches involve unsecured data. 2018 saw the launch of the new General Data Protection Act 2018 (GDPR), which represents a significant challenge for organisations that process the personal data of EU citizens – regardless of where the organisation is headquartered. Failing to protect this data with appropriate safeguards – such as encryption – can lead to significant fines. The Information Commissioner’s Office (ICO), which is responsible for policing GDPR in the UK, named encryption as a cost-effective and accessible tool to reduce the risk of data breaches.


‘…the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.’ (GDPR Recital 83)

In addition, should there be a breach of encrypted data, the ICO or respective supervisory authority, would consider this in their investigation and considerations of administrative fines.

With high profile data breaches happening at an alarming frequency, encryption has become a key building block for information security. In our latest Q&A, we spoke to Lee Davis, Regional Sales Manager from Thales eSecurity, to clarify key terms and talk best practice for securing your data.

Q&A with Lee Davis from Thales eSecurity

Encryption is a process that uses algorithms to encode data as ciphertext. This ciphertext can only be made meaningful again if the person or application accessing the data has the tools (encryption keys) to decode the ciphertext. So, if the data is stolen or accidentally shared, it is protected because it is indecipherable. While the meaning of “transparent” may differ from provider to provider, it essentially means that the encryption method is transparent to the user. This means the credentialed data user isn’t even aware the data was encrypted before he or she retrieved it from storage or that it is encrypted again when returned to storage.

Storage encryption involves encrypting data while it passes to storage devices, such as individual hard disks, tape drives, or the libraries and arrays that contain them. Using storage level encryption along with database and file encryption goes a long way toward offsetting the risk of losing your data. Like network encryption, storage encryption is a relatively blunt instrument, typically protecting all the data on each tape or disk regardless of the type or sensitivity of the data. Although using storage encryption is a good way to ensure your data is safe by default in case it is lost, adopting a more granular approach and encrypting at the level of individual files, volumes, or columns in a database may be necessary, particularly if data is shared with other users or is subject to specific audit requirements.

Network encryption protects data moving over communications networks. The SSL standard (the technology behind the padlock symbol in the browser and more properly referred to as TLS) is the default form of network data protection for Internet communications that provides customers with peace of mind through its familiar icon. Many security-conscious companies go one stage further and protect not only their Internet traffic but also their internal networks, corporate backbone networks, and virtual private networks (VPNs) with network level encryption.

As with any low-level security technique however, network-level data encryption is a fairly blunt instrument. The network is almost completely blind to the value of the data flowing over it and lacking this context is usually configured to protect either everything or nothing. And even when the “protect everything” approach is taken, a potential attacker can glean valuable information from network traffic patterns.

Encrypting data as it moves over a network is only part of a comprehensive network data encryption strategy. Organisations must also consider risks to information at its origin — before it moves — and at its final destination. Stealing a car in a parking lot or private garage is much easier than on the motorway while travelling at high speed!

Encryption mathematically changes data but keeps the original pattern, allowing for decryption. Tokenization protects sensitive data by substituting it with an undecipherable token which maintains the format of the source data. For example, a credit card number (1234-5678-1234-5678) when tokenized (2754-7529-6654-1987) looks similar to the original number and can be used in many operations that call for data in that format without the risk of linking it to the cardholder’s personal information. The tokenized data can also be stored in the same size and format as the original data, so storing the tokenized data requires no changes in database schema or process.

If the type of data being stored does not have this kind of structure – for example text files, PDFs, MP3s, etc., tokenization is not an appropriate form of pseudonymisation. Instead, file-system level encryption would be appropriate. It would change the original block of data into an encrypted version of the data.
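The format-preserving substitution described in the two paragraphs above, as an added illustration that is not part of the original Q&A or any Thales product: a constructed in-memory token vault that replaces each digit of a card number with a random digit, keeps the separators so the token fits the same schema, and refuses unstructured input, which the answer says should be handled by file-level encryption instead.

```python
import re
import secrets

# Constructed example: an in-memory token vault. A real deployment keeps the
# vault in a hardened, access-controlled store and audits every lookup.
PAN_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


class TokenVault:
    """Format-preserving tokenization: swap a card number for a random token
    of identical shape and remember the mapping so it can be reversed."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    @staticmethod
    def _random_same_format(value):
        # Replace every digit with a random digit; separators are kept so the
        # token passes the same length and layout checks as the original.
        return "".join(
            secrets.choice("0123456789") if ch.isdigit() else ch for ch in value
        )

    def tokenize(self, value):
        if not PAN_PATTERN.match(value):
            # Text files, PDFs, MP3s etc. have no format to preserve; that is
            # a job for file or volume encryption, not tokenization.
            raise ValueError("value does not have a tokenizable format")
        if value in self._value_to_token:
            return self._value_to_token[value]  # stable token per value
        while True:
            token = self._random_same_format(value)
            # Never hand back the real value, and never reuse a token.
            if token != value and token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        # Only the vault can reverse the substitution; there is no key to
        # steal from the systems that merely store or process tokens.
        return self._token_to_value[token]
```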

The secure management of encryption keys is vital in ensuring only authorised individuals can decode and access information. If encrypted data is stolen or accidentally shared, it is protected because it is indecipherable. However, if the keys themselves are stolen, a cybercriminal can easily return the data to its original unencrypted form.

An encryption key management system includes generation, exchange, storage, use, destruction and replacement of keys.

As organisations deploy ever-increasing numbers of encryption solutions, they find themselves managing inconsistent policies, different levels of protection, and experience escalating costs. The best way through this maze is often to transition into a centralised key management model. In this key management case, and in contrast to the use of HSMs, the key management system performs only key management tasks, acting on behalf of other systems that perform cryptographic operations using those keys.

The benefits of a centralised key management system include:

  • Unified key management and encryption policies
  • System-wide key revocation
  • A single point to protect
  • Cost reduction through automation
  • Consolidated audit information
  • A single point for recovery
  • Convenient separation of duty
  • Key mobility

Public key infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys. The PKI is the foundation that enables the use of technologies, such as digital signatures and encryption, across large user populations. PKIs deliver the elements essential for a secure and trusted business environment for e-commerce and the growing Internet of Things (IoT).

PKIs help establish the identity of people, devices, and services – enabling controlled access to systems and resources, protection of data, and accountability in transactions. Next generation business applications are becoming more reliant on public key infrastructure (PKI) technology to guarantee high assurance as evolving business models are becoming more dependent on electronic interaction requiring online authentication and compliance with stricter data security regulations.

PCI DSS stands for Payment Card Industry Data Security Standard. Protecting payment-related data is certainly important, but similar concerns about a much wider range of sensitive personal information — such as medical records, criminal backgrounds, and employment information — have elevated the issue of data protection, triggering numerous privacy laws and data-breach-disclosure obligations.

Compliance, of course, is mandatory. Failure to take the appropriate steps would at the very least damage your organization’s reputation and put the enterprise at a competitive disadvantage. Worse, if you experienced a data breach, you’d be hit by fines and accusations of negligence would come thick and fast. Those fines might be levied by the card brands themselves and/or your acquirer (the organization that processes transactions on your behalf and that might be responsible for vouching for your PCI DSS compliance to the payment card brands). You’d also face increased transaction fees and potential litigation.

Avoiding all this trouble makes it easy to see why complying with the PCI DSS is in your organization’s best interest. There’s another benefit: You can use many of the same technologies and processes you use to achieve PCI DSS compliance to protect a wide variety of data across your enterprise.

Most cloud providers are just as fearful of rogue administrators accessing your data as you are, as this type of ‘Black Swan’ event could severely affect their reputations and valuations. As such they go to great lengths to ensure their administrators cannot access customer data, encryption keys and systems without prior approval and full audit controls. But it remains a risk, however small.

More probable is the risk that the cloud vendor is compelled to provide access under a court order, as described in Domain 3: Legal Issues, Contracts and Electronic Discovery of CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Your Risk Management (Domain 2) and Information Governance (Domain 5) plans will need to account for these risks.

For extreme cases where you must minimize or exclude all access to your data by the cloud provider or hostile external parties, combinations of cloud services, bring your own encryption, and data management controls such as tokenisation with data masking as a form of data redaction, can provide full segregation and protection.

Yes, you can.
Many major SaaS, PaaS and IaaS vendors offer the ability to import keys from your on-premises HSM into a key vault or cloud HSM, fully described in Domain 11 of CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. The level of integration varies depending on cloud vendors and whether or not you opt for on-premises or cloud HSMs. You may need to manually perform the import, but you are provided up to FIPS 140-2 Level 3 security. From there the cloud provider derives keys from the master key you imported to encrypt data contained in various services (e.g., object, volume, database).
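The key hierarchy behind the centralised key management benefits listed earlier (system-wide revocation, a single point for recovery, consolidated audit) and the bring-your-own-key flow just described, as an added sketch that is not the original answer's code nor any cloud vendor's implementation: a constructed key manager that holds an imported master key, derives a distinct data key per service and version with HKDF (RFC 5869 over HMAC-SHA256, implemented here because the standard library has no HKDF), and invalidates every derived key with one revocation.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF: extract a PRK from the input key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class CentralKeyManager:
    """Constructed example: performs only key management tasks on behalf of
    the services (object, volume, database) that do the actual encryption."""

    def __init__(self):
        self._masters = {}  # key_id -> imported master key (None once revoked)
        self.audit = []     # consolidated audit trail, the single place to look

    def import_master_key(self, key_id, master):
        # Stands in for the HSM-to-cloud import step; the raw key would never
        # leave hardware in a real deployment.
        if len(master) < 32:
            raise ValueError("master key must be at least 256 bits")
        self._masters[key_id] = master
        self.audit.append(("import", key_id))

    def derive_data_key(self, key_id, service, version):
        master = self._masters.get(key_id)
        if master is None:
            self.audit.append(("denied", key_id, service))
            raise PermissionError("master key %s unknown or revoked" % key_id)
        # Binding service name and version into the HKDF info gives every
        # service its own key and makes rotation a matter of bumping version.
        info = ("%s:v%d" % (service, version)).encode()
        self.audit.append(("derive", key_id, service, version))
        return hkdf_sha256(master, key_id.encode(), info)

    def revoke(self, key_id):
        # System-wide revocation: one action disables all keys derived from
        # this master, across every service that used it.
        self._masters[key_id] = None
        self.audit.append(("revoke", key_id))
```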

Forbes predicts that the number of IoT devices is expected to grow to 80 billion by 2025.

Security solution requirements to consider for your IoT devices:

  • Device and data security, including authentication of devices and confidentiality and integrity of data
  • Implementing and running security operations at IoT scale
  • Meeting compliance requirements and requests
  • Meeting performance requirements as per the use case

Key Functional Blocks

IoT security solutions need to implement the functional blocks listed below as interconnected modules, not in isolation, to meet the IoT scale, data security, device trust and compliance requirements.

  • Device Trust: Establishing and managing device identity and integrity
  • Data Trust: Policy-driven end-to-end data security and privacy from creation to consumption
  • Operationalising the Trust: Automating and interfacing to standards-based, proven technologies/products, e.g. PKI products

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens – regardless of where the organisation is headquartered.

GDPR Overview
The GDPR is designed to improve personal data protections and increase organisational accountability for data breaches. Fines for non-compliance can reach up to four percent of an organisation’s global revenues or 20 million EUR (whichever is higher). No matter where your organisation is located, if it processes or controls the personal data of EU residents, you need to be aware and prepared.

Following are key provisions of the GDPR with which Encryption can help you comply:

  • Implement technical and organisational measures to ensure data security is appropriate to the level of risk, including “pseudonymisation and encryption of personal data.” (Article 32)
  • Have in place “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Article 32)
  • Communicate “without undue delay” personal data breaches to the subjects of such breaches “when the breach is likely to result in a high risk to the rights and freedoms” of these individuals. (Article 34). If all the data is encrypted, an organisation can’t have a data breach.
  • Safeguard against the “unauthorised disclosure of, or access to, personal data.” (Article 32)