In the age of information, data is valuable. It usually carries a legal liability with it, so it needs to be kept safe and protected. To be of use, the data has to be processed by various systems and transmitted to and from partners, which creates a risk of breach. Once it is on the network, attackers can quietly ‘listen in’ on the connection and take a copy of the data in motion. To make matters worse, they can keep collecting data by tapping a remote part of the network, without the knowledge of the legitimate data owner. There have been many real-world instances of exactly this.
In 2014, a hacker broke into the servers of Sony Pictures and posted the stolen data on the web. In the same year, the Penn State hospital suffered a breach when one of its own employees sent confidential patient data in plain text over a public email system. In another instance, the intelligence agency ‘Stratfor’ was hacked and more than a million emails were released on the web. Note the irony that an intelligence agency itself got breached! In all these cases, a simple step could have prevented the losses and embarrassment suffered by these companies. Had these organizations encrypted their data, it would have been virtually impossible for the attackers to use any of the stolen information. They would have obtained only encrypted data that made no sense at all.
There is nothing new about encryption. It was used successfully as far back as World War II, when the Germans used a cipher machine called ‘Enigma’ to hide their messages from the allied forces. Their communication stayed secret for many years until the allied forces finally got hold of the Enigma machine, at great cost. Encryption is literally the last line of defense against theft of information.
How does encryption work?
The basic premise of encryption is simple. Every character in the data string is substituted with another, predefined character. The resulting data string looks like garbage and no meaning can be derived from it unless it is decrypted. To decrypt, each substituted character is replaced with the original character using the reverse lookup, which gives back the original data. The important consideration is which character substitutes for which. This is decided at runtime by a complex algorithm and a control string called the ‘encryption key’. The more complex the algorithm and the longer the key, the stronger the encryption achieved. To decrypt the data, the encrypted data is run through the decryption algorithm, which reverses the logic of encryption using the same encryption key that was initially used to encrypt it.
The important thing to understand is that without the encryption key, the data cannot be decrypted even if the encryption/decryption algorithm is known. The encrypted data is useless in the hands of a criminal unless he also has the encryption key. Hence the focus shifts to the security of the encryption key, which is a much smaller task than securing the whole of the data.
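The substitution model described above, as an added teaching example that is not code from the original article: the algorithm (a byte substitution table) is fixed and public, and only the key decides the concrete mapping. The way the table is derived from the key (an HMAC-SHA256 driven Fisher-Yates shuffle) and the sample key and message are assumptions of this example; real ciphers such as AES are far more than a single substitution table.

```python
import hashlib
import hmac

# Added teaching example (not code from the article): a keyed byte
# substitution. The algorithm is fixed and public; the key alone decides
# which byte value stands in for which. Real ciphers such as AES are far
# more than a single substitution table, so this is a model of the idea,
# not a cipher to deploy.

def derive_substitution_table(key: bytes) -> list:
    """Derive a key-dependent permutation of the 256 byte values.

    A Fisher-Yates shuffle is driven by HMAC-SHA256(key, counter), so the
    same key always yields the same table and a different key yields a
    completely different one.
    """
    table = list(range(256))
    for step, i in enumerate(range(255, 0, -1)):
        digest = hmac.new(key, step.to_bytes(4, "big"), hashlib.sha256).digest()
        j = int.from_bytes(digest[:4], "big") % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Replace every plaintext byte with its key-chosen substitute."""
    table = derive_substitution_table(key)
    return bytes(table[b] for b in plaintext)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Reverse lookup: map each substitute back to the original byte."""
    table = derive_substitution_table(key)
    inverse = [0] * 256
    for original, substitute in enumerate(table):
        inverse[substitute] = original
    return bytes(inverse[b] for b in ciphertext)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    message = b"Patient record: constructed sample data"
    ciphertext = encrypt(message, key)
    assert decrypt(ciphertext, key) == message
    # Knowing the algorithm but not the key yields only garbage.
    assert decrypt(ciphertext, b"wrong-key") != message
    print(ciphertext.hex())
```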
Who needs it?
Everyone should be using encryption. The general misconception is that only secret data needs to be stored and communicated using encryption; this is far from the truth. All valuable information that needs protection must be encrypted. What counts as valuable varies from industry to industry, organization to organization and person to person, but we live in an age of information in which every bit of it is valuable. Any industry or organization that stores and uses customer data, proprietary data, intellectual property in digital form or financial information needs to use encryption. Further, any organization that transmits data over a network, even via a secure channel, needs to encrypt it before it is transmitted. This is true for all industries, be it pharma, telecom, retail or financial. Even the manufacturing industry needs to protect the data in its supply chain systems to ensure smooth operation. On the consumer side, people store personal files, pictures, credit card details and bank details on their computers and smartphones. All of this information can be very damaging if it gets into the wrong hands. Individuals should also encrypt all their personal data to protect themselves in case of theft.
What needs to be encrypted?
The information that needs protection for business or regulatory reasons may vary, but it is generally wise to encrypt all information stored anywhere in the organization. This means any hardware on which data is saved and stored, even temporarily, should be encrypted. As a quick run-down, the following devices should be encrypted at a bare minimum:
- All hard disks on servers.
- All mobile devices (such as smart phones and tablets).
- All laptops.
- All USB drives.
- If a desktop is shared or if it is not protected, then all such desktops should also be encrypted.
Essentially any end-point that can be a potential source of information leak should be encrypted. To keep it simple, follow the golden rule: ‘if it stores any data, encrypt it’.
People consider encryption to be a resource-intensive process: it slows computing and adds overhead. This is true, but the benefits provided by encryption far outweigh the cost associated with it. With faster and cheaper computing becoming easily available, the performance of systems that use encryption is hardly an issue anymore.