State-level momentum for new privacy legislation is at an all-time high. Over the past 18 months, multiple states have proposed bills inspired by the GDPR or CCPA in attempts to protect consumers from data abuses in their jurisdiction.
New data protection laws are likely to draw heavily from these landmark bills, both of which reference encryption as an exemplary method of ensuring personal data is processed securely. In fact, encryption and pseudonymisation are the only technological measures explicitly mentioned in the entire GDPR document.
It seems likely that encryption will be an important factor in the evolution of data protection regulations in the EU and the US. Even if not explicitly required, it is sure to play into key penalty decisions with regards to breaches and non-compliance.
As stricter regulations loom on the horizon, it’s important to be aware of where and why encryption is advised in order to accelerate compliance with other legislation – passed or prospective, domestic or foreign.
What is encryption?
At a very basic level, encryption is a mathematical function that encodes data so that only authorised parties can access it. This is achieved through powerful algorithms called ciphers which perform the process of encryption and decryption through a series of repeatable steps.
The operation of a cipher usually depends on a piece of auxiliary information called a key; without knowledge of the key, it is extremely difficult – if not impossible – to decrypt the resulting data.
In practical terms, encrypting the sensitive data you process means there will be little to no risk to the rights of data subjects even if you were to suffer a breach, as the encrypted data will be illegible and therefore worthless to any unauthorised individuals without the corresponding key.
There is no single standard for how and when personal data should be encrypted. Successful approaches depend on your organisation’s risk level, the sensitivity of your its data as well as its storage methods. The first step is understanding the different types of encryption and what it is capable of achieving.
What types of encryption are there?
Commercial encryption exists in two forms: symmetric and asymmetric. The former uses the same key for both encryption and decryption. By contrast, asymmetric or ‘public-key’ encryption uses different keys for each process.
It’s important to consider encryption in terms of the data you’re trying to secure -- that is, whether it’s in transit or at rest. Both present unique challenges, and both have different requirements for protection.
Data at rest
Encrypting stored data provides a level of protection against unauthorised processing. Most modern operating systems have full disk encryption built-in, but you can also encrypt individual files or create encrypted containers. Similarly, some applications and databases can be configured to store data in encrypted form.
Encryption types for data at rest include:
- Full Disk Encryption with Pre-Boot Authentication (FDE w/ PBA)
- Encrypting File System (EFS)
- Hardware Security Module (HSM)
- Database Encryption
- Folder and File Encryption (FFE)
Data in transit
Encrypting personal data during transmission provides protection against interception.
The most popular method of protecting data in transit is through an SSL VPN. Often used for remote access, technologies like this are crucial in protecting against man-in-the-middle attacks (MitM) and packet analysers.
While you can encrypt data prior to transmission, a secure channel provides assurance that the content cannot be understood if it is intercepted.
Encryption types for data in transit include:
- Wi-Fi Protected Access (WPA2/WPA3)
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
- Virtual Private Network (VPN)
- Secure Shell (SSH)
How can I implement encryption effectively?
Developing an encryption program should be part of a holistic risk management and data governance planning process. In addition to consideration of data states and specific techniques, there are several key elements that can help you create an effective end-to-end encryption program:
1. Multi-Stakeholder Approach
Building an encryption strategy is a collaborative task. Begin by bringing together key stakeholders that can collectively identify the laws, regulations, and guidelines that will affect purchasing and implementation decisions.
2. Data classification
Companies without an effective data classification program typically struggle to implement encryption efficiently.
Data should be divided into predefined groups that share a common risk. You can then prioritise each classification and detail the corresponding controls required to safeguard each group.
3. Access Controls
Ensuring that only privileged and authorised users can access data is vital in avoiding interception by third parties. Be sure to define strong access control mechanisms, including an adequate combination of strong passwords, file permissions, and two-factor authentication.
4. Centralised Key Management
If certificates and keys are not effectively secured then the business is vulnerable, regardless of what measures are in place. Some companies have thousands of keys and certificates with no clear understanding of their inventory, how they are being implemented, what systems they give access to, or who is controlling them.
The first step in collecting this information is gaining a clear understanding of your organisation’s inventory by centrally managing certificates and keys. This will allow you to spot any anomalous behaviour.
Consider a centralised key management platform that allows every key to be administered from the same location, in the same way. This allows for a finer understanding of how they’re being used and whether they are being accessed improperly.
5. Choosing an Encryption Solution
With an effective key management process in place you can begin to evaluate potential encryption solutions. There are multiple aspects to consider here, but the most appropriate solution will depend on the needs of the business in question.
It’s sensible to begin by partnering with an independent organisation that isn’t affiliated with any specific vendors. This partner can help vet and test potential options to find the best fit for your environment and risk level.
Make sure that any tool you implement meets contemporary standards like FIPS 197 and FIPS 140-2, and regularly evaluate whether your methodology is capable of withstanding the latest vulnerabilities.
Taking meaningful steps
There are no immediate solutions in security, and encryption is no exception. Sophisticated attacks have compromised even the most secure systems in recent years; in some cases, they are practically impossible to prevent or counter.
Encryption can make any data gathered worthless in the event of a breach, but only as part of a larger strategy that incorporates strong access controls, key management, and multi-channel security.
Effectively encrypting sensitive data demonstrates an organisation’s commitment to pursuing meaningful steps towards compliance. With strict planning and similar investments in staff, operations, and technology, you can navigate the range of encryption solutions on the market and secure your organisation while reducing the compliance costs of future legislation.
Callum Tennent, Editor, Top10VPN.com