Organizations Need to Use More Than One Type of Encryption

Encryption has been talked about a lot lately.  I’ve gotten at least a couple dozen questions from my Compliance Helper clients in the past month.  They can pretty much be boiled down to this question:

What encryption solution should we use?

Many of the small and mid-size businesses I help, and many start-ups of any size, assume that if they buy one encryption solution, it will be able to encrypt all their data in all places and in all situations.  Throughout this year I’ve also spoken to over 30 (yes, I kept track up to 30, then stopped updating the tally) business owners, CEOs and lawyers who were under the incorrect assumption that HTTPS encryption kept the data encrypted everywhere. Dangerous assumption! HTTPS only protects data while it is traveling between the browser and the web server; once it arrives, it is in the clear again unless something else encrypts it.

Most organizations will each need to choose at least two, but usually more, types of encryption solutions to meet their full business needs. 

Overview of encryption solutions

It is important to understand that there are many different types of encryption solutions: some for server storage, some for mobile storage devices, some for computer hard drives, some for data transmission; some specific to email, some specific to texting, some specific to File Transfer Protocol (FTP) transfers, and so on.

Before choosing the encryption solution best for your organization’s needs, you need to first realize that there are two basic data states where encryption will be used:

  • Data at rest.  This is data stored on a server, on a mainframe, on your computer hard drive, on a cloud server, on a USB storage device, on a DVD, and so on: anywhere data is stored.
  • Data in transit. This is data being moved around, such as being sent by email, going across the Internet, going through the company network, sent using VoIP, and so on.

When considering how to encrypt your sensitive data, you need to think about what data items you have in each of these two states.  There is an abundance of examples showing the need to encrypt data during certain situations that occur throughout the lifecycle of sensitive data. If you store a lot of sensitive data on laptops and USB drives then device encryption is essential. If sending sensitive data in attachments is a potential issue, then you need to identify a feasible email encryption solution.

Here is an overview of some of the most common situations where encryption should be used for personal information, and any other type of sensitive information.

Encrypting Data at Rest (Stored Data)

Here are some of the common ways in which data can be encrypted in storage:

  • Full-disk encryption. This is used to encrypt all the data stored on desktops, laptops, and other computing devices.  It is often implemented in conjunction with boot disk encryption.
  • File and folder encryption. This encrypts specific files, folders or databases, typically located on central servers, hard drives, or large-capacity storage systems. It protects only those areas and does not encrypt the entire storage device itself.
  • Removable media encryption.  This protects data on portable devices such as USB drives, CDs, removable hard drives and other types of external storage media.  Some of these devices ship with settings that allow them to be fully encrypted, but that setting is typically not turned on by default.
  • Cloud encryption. This protects data stored on a server that is accessed through the Internet. Just a few of the millions of potential services include Dropbox, Salesforce, Basecamp, Carbonite, and Amazon Cloud. If you use a cloud service to store protected health information (PHI), or any other type of personal or sensitive information, make sure the service uses strong encryption to protect it wherever they are storing it.

Encrypting Data in Transit

You need to use some type of encryption for the following types of data pipelines:

  • Data passing through private or public networks
  • All the communications passing through the network, including all the information associated with the specific data items
  • Accessing data on a network from a remote location
  • Sending data via File Transfer Protocol (FTP)
  • Using a wireless network

The encryption solutions for these often make use of TLS/SSL (HTTPS), WPA2 for wireless network transmissions, or Internet Protocol Security (IPsec) to encrypt all the IP packets transmitted during the communication sessions, or are incorporated within a virtual private network (VPN) implementation.

Encrypting Messages

  • Email encryption. There are encryption solutions for encrypting the body of email messages, for email attachments, and for both.
  • Texting. Most organizations are sending sensitive data within text messages. I’ve seen this a lot within hospitals and clinics for doctors providing patient care. There are solutions specifically for these situations.
  • Instant messaging. These types of peer-to-peer (P2P) messaging are widely used within organizations to accommodate work team communications when teams are geographically dispersed, for consultants communicating with remote clients, and so on. These messages are vulnerable to eavesdropping and interception. If sensitive information is being sent, those communications need to be encrypted.
  • Social media messaging. There are no, or very few, tools that can be used to encrypt messages sent using LinkedIn, Facebook, and other types of social media site messaging capabilities. Never send sensitive business information through these types of messaging tools without encrypting it. If you can’t feasibly implement social network messaging encryption, then simply do not use it for business.

Encrypting Data Collected from Websites

Sensitive information collected on websites for retail sales transactions, and other types of activities involving sensitive information, needs to be encrypted. The most common way is through the use of TLS/SSL (HTTPS), which protects it at the point of collection and as it is subsequently passed on to the destination server. There the TLS connection ends and the data is decrypted, so it sits unencrypted in storage unless you implement another solution to encrypt it at rest.
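To make the "HTTPS ends at the server" point concrete, here is an added example (my own illustration, not code from the original post or from IBM) of the at-rest step described above and under "File and folder encryption": a web form value that arrived over HTTPS is encrypted with AES-256-GCM before it is written to storage, and only decrypted again by the one code path that needs it. The record type, field names and sample values are constructed for the example; a real deployment would fetch the key from a KMS or HSM rather than generating it next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FormSubmission is what the web handler holds once TLS has been terminated:
// HTTPS protected these values on the wire, but here they are plaintext again.
// The type and its fields are constructed for this example.
type FormSubmission struct {
	Email      string
	CardNumber string
}

// StoredSubmission is the shape written to the database or disk. CardNumber is
// an opaque token: base64(nonce || AES-GCM ciphertext || tag).
type StoredSubmission struct {
	Email      string
	CardNumber string
}

// NewDataKey makes a random 256-bit AES key. In production the key comes from
// a KMS or HSM and is never stored beside the data it protects (assumption).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field with AES-256-GCM. The field name is passed as
// additional authenticated data, so a ciphertext copied from another column
// fails authentication instead of decrypting into the wrong place.
func Seal(key []byte, fieldName, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the nonce travels
	// with the value and no separate nonce column is needed.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(fieldName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. It fails on a wrong key, a tampered value, a truncated
// token, or a field name that differs from the one used when sealing.
func Open(key []byte, fieldName, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(fieldName))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Store is the at-rest step HTTPS does not give you: the email stays
// searchable, the card number is encrypted before it reaches storage.
func Store(key []byte, s FormSubmission) (StoredSubmission, error) {
	token, err := Seal(key, "card_number", s.CardNumber)
	if err != nil {
		return StoredSubmission{}, err
	}
	return StoredSubmission{Email: s.Email, CardNumber: token}, nil
}

// Load decrypts a stored row for the one code path that needs the plaintext.
func Load(key []byte, s StoredSubmission) (FormSubmission, error) {
	card, err := Open(key, "card_number", s.CardNumber)
	if err != nil {
		return FormSubmission{}, err
	}
	return FormSubmission{Email: s.Email, CardNumber: card}, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values, not real account data.
	in := FormSubmission{Email: "buyer@example.com", CardNumber: "0000 0000 0000 0000"}
	row, err := Store(key, in)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %+v\n", row)
	back, err := Load(key, row)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted for use: %+v\n", back)
}
```

Two design points worth noting. A fresh random nonce is drawn for every Seal, so storing the same value twice produces two different tokens and a reused nonce never leaks the GCM keystream. The column name goes in as associated data, which is what turns "encrypted" into "encrypted and bound to this place": the same token presented under a different field name is rejected rather than decrypted.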

Other sources of encryption information

Here are some good resources from the U.S. National Institute of Standards and Technology (NIST):

I’ve written many encryption articles over the years. Here are a few you may find useful:

IBM also has some helpful papers for anyone looking into choosing encryption solutions:

Bottom line for organizations of all sizes…

Every organization, in all industries, of all sizes, in all locations, needs to encrypt most personal data, and a wide range of other types of sensitive and confidential data, at one or more times throughout the full data lifecycle. Organizations need to identify the riskiest points throughout the lifecycles, and then determine the best type of encryption solutions to meet their own organization’s business environment.


This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
