How do you encrypt data in an era of global digital uncertainty?
(Column by Sachin Shenoy, CTO and co-founder of Healthifyme)
With winds of change sweeping across the world and stronger tornadoes of change sweeping across the technology landscape, it is time for both organisations and individuals to step up and make sure that their data stays safe by using encryption.
This is a question that must be on top of the mind for most CTOs and business owners today. Before we delve into the “how”, let’s first understand the “why”.
Encryption - Why?
In India, we have a tradition of “warding off the evil eye” by hanging an ugly-looking face at the entrance of our home or office to make sure that our precious assets are safe, away from the glare of the external world. However, such superstitions do not work in the world of science & technology.
Enter encryption, which replaces the ugly-looking rakshasa’s head with the sophisticated science of encryption algorithms, and voila.
Encryption essentially provides a level of “layered security” that increases the “protection odds” for any sensitive data. Regardless of the strength of their data security protocols, organisations today need to invest in keeping their data safe by upgrading their technology stacks. They should always be prepared for a security breach, since nothing is impenetrable. A security breach might happen due to a new vulnerability in one of the system’s software components, due to an accidental misconfiguration or, in the worst case, due to a disgruntled employee exposing data. So, in a sense, you can think of a data breach as an almost inevitable outcome, and companies need to prepare for the “when” and not the “if”.
Whatever the reason, when it does happen, the only way to protect data, which might include IP data and user-sensitive data, is by having it encrypted.
Encryption - Where?
The short answer is that encryption needs to be omnipresent: it is relevant across all “points of residence” and “points of transit” of data. We need to look at all points where data lives and breathes and make sure it is encrypted. This constitutes “data at rest”. “Data in transit”, i.e. data moving from point A to point B, and “data in use”, i.e. data being fetched for a job, also need to be encrypted.
Let’s now look at each of these use cases in detail:
Data at rest
This refers to data that is not actively moving between systems over a network. It includes data stored on a hard disk, flash drive or any other storage solution. Even though data at rest might feel safe, since usually it will be physically secure and/or behind a firewall, data breaches regularly happen on data while at rest. For this reason, it is very important to keep it encrypted. If it is on the server, a strong encryption algorithm needs to be used, and the encryption key that can decrypt the data needs to be stashed away safely.
In the case of cloud storage, most providers today provide out-of-the-box server-side encryption with secure key management. If the data, however, is being stored on the client side, for example on a mobile device, one should use a platform-specific encryption strategy.
For example, Apple’s iOS encryption and Data Protection not only allows data to be wiped clean if the device is lost, but also provides strong hardware/firmware-level encryption for the stored data, making it hard for anyone to steal the data even with physical access to the device. Similar encryption technology exists for Android too.
Think ‘data encryption’ is a fancy term used by highly paid CTOs in blue chip companies only? Think again.
Data encryption is applicable for regular users too. Individuals might be tempted into thinking they don’t have any sensitive information on their phone, but in a new era of online payments, wallets and other sensitive services accessible via OTP, and with the phone holding email, contacts, home addresses and more, individuals should be prudent and switch on encryption on their device.
Overall, as a user or as a service provider, leave no stone unturned to make sure data at rest is encrypted and the keys are kept as safe as possible.
Data in transit
Data in transit is when data is being moved from one place to another, such as over the internet or private networks. This could be between client and server, or between one server and another. It is important to note that any data sent unencrypted over the internet is not secure.
So any resources accessed through the web will need to be accessed over an encrypted channel. One should use the secure HTTPS protocol instead of HTTP for any such communication. Similarly, any access to a system holding the data, like a remote shell, remote desktop or file transfer, should be done using a system that uses strong encryption. So, use SSH2, SCP, FTPS, VPN, RDP etc. for the above. In a cloud deployment, one should always put their resources in a VPC (Virtual Private Cloud), so that it provides a secure private network that keeps data transmission private.
Data in use
This is when the data is either being processed by the CPU (crunching the data), or when the data is being displayed to the user. The latter is the place where it is at its most vulnerable as, by definition, while in use we have to provide access to unencrypted data to users. So the data at this point is literally and figuratively exposed.
The only way to reduce the risk is to have stricter control over who has access to what data, using role-based access control, and to limit the time for which data is made available to anyone. Implementing a good Data Loss Prevention (DLP) solution will go a long way toward stopping leaks. These tools can scan for and detect attempts to leak sensitive data and stop them at the source. Even with all this in place, it is a must to keep audit logs of all data access while data is in use, and to review those logs regularly to find any unwanted/unauthorised access.
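An added example (not Healthifyme’s code) of the three controls above working together: role-based checks, time-boxed grants, and an audit trail that records refusals as well as reads, followed by a review pass over that trail. The role names, field names and the bulk-read threshold are made up for the example.

```javascript
// Access to sensitive fields while data is in use: RBAC + time-boxed grants
// + audit trail + periodic review. Added example; roles and fields are made up.

const ROLE_FIELDS = {
  support: new Set(["user.email"]),
  clinician: new Set(["user.email", "user.health_record"]),
};

// A grant names the user, the role they act under, and when it expires.
function canAccess(grants, user, field, at) {
  return grants.some(
    (g) => g.user === user && at < g.expiresAt && (ROLE_FIELDS[g.role] || new Set()).has(field)
  );
}

// Every attempt is logged, allowed or not: the audit log must answer both
// "who saw what, when" and "who asked and was refused".
function readField(store, grants, audit, user, recordId, field, at) {
  const allowed = canAccess(grants, user, field, at);
  audit.push({ at: at.toISOString(), user, recordId, field, allowed });
  if (!allowed) return null;
  const record = store[recordId];
  return record && field in record ? record[field] : null;
}

// reviewAudit flags refused attempts, and any user who read more than `limit`
// distinct records (a bulk-read pattern that a per-request RBAC check allows).
function reviewAudit(audit, limit) {
  const findings = [];
  const recordsByUser = new Map();
  for (const e of audit) {
    if (!e.allowed) {
      findings.push({ kind: "denied", user: e.user, field: e.field, at: e.at });
      continue;
    }
    if (!recordsByUser.has(e.user)) recordsByUser.set(e.user, new Set());
    recordsByUser.get(e.user).add(e.recordId);
  }
  for (const [user, ids] of recordsByUser) {
    if (ids.size > limit) findings.push({ kind: "bulk_read", user, records: ids.size });
  }
  return findings;
}
```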