Without it, data lies bare and vulnerable.

Encryption 101 and the trap of leaving data unprotected

Before Chris Davis traveled to China for work some years ago, he was warned officials would take his electronics and make hard drive copies after he landed. 

Expecting this, Davis, VP of product management for cybersecurity and compliance company Caveonix, encrypted the contents of his laptop. While the data was accessible, it was unreadable, safeguarding his privacy and digital records.

Encryption protects data from unauthorized eyes if it is ever lost, stolen or breached. Without encryption, data lies bare and vulnerable.

Cybersecurity specialist Bruce Schneier compares encryption to placing a lock on the front door of a home.

It's unlikely burglars are willing to shuffle through keys until one unlocks the door, he said. "Most aren't even clever enough to pick the lock (a cryptographic attack against the algorithm)." 

Intruders don't always bother with locks when there are other methods of invasion. In Capital One's case, the intruder metaphorically "smashed the window," according to Davis, in an interview with CIO Dive.

A brief history of encryption

People have wanted to protect their secrets since the big bang, thus beginning the use of ciphers. 

A cipher is an algorithm for encryption and decryption. Early and uncomplicated methods, like Caesar, used a substitution method to encrypt by subbing a letter for the next letter down the alphabet.

For example, A would be replaced by B, C would replace B and the pattern continues. 

Simplistic encryption like Caesar prevents data from being a flat histogram, said Davis. "I want it to be completely unreadable and untraceable. And that's what true encryption is, that's what it does."
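The histogram point can be made concrete. The following Python sketch is an added example, not part of the original article: it applies the one-letter Caesar shift described above to two sentences from this page and shows that the letter histogram is only relabelled, which is enough to recover the shift by comparing against typical English letter frequencies. The frequency table is an approximate reference set, and the function names are illustrative.

```python
from collections import Counter
import string

# Approximate letter frequencies in English text, in percent (reference values).
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Constructed sample: two sentences taken from the article text.
SAMPLE = ("Encryption protects data from unauthorized eyes if it is ever lost, "
          "stolen or breached. A cipher is an algorithm for encryption and decryption.")

def caesar(text, shift):
    """Shift ASCII letters `shift` places down the alphabet; keep everything else."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def histogram(text):
    """Count of each letter a-z, ignoring case and non-letters."""
    return Counter(c for c in text.lower() if c in string.ascii_lowercase)

def chi_squared(text):
    """Distance between the text's letter histogram and typical English."""
    counts = histogram(text)
    total = sum(counts.values()) or 1
    return sum((counts[l] - total * f / 100) ** 2 / (total * f / 100)
               for l, f in ENGLISH_FREQ.items())

def recover_shift(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

if __name__ == "__main__":
    ct = caesar(SAMPLE, 1)  # the article's example: A -> B, B -> C, ...
    print(ct)
    print(sorted(histogram(ct).values()) == sorted(histogram(SAMPLE).values()))
    print(recover_shift(ct))
```

Because every plaintext "e" becomes the same ciphertext letter, the shape of the histogram survives encryption; a modern cipher is designed so that no such structure remains in the ciphertext.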

There are two primary reasons for encryption: 

  1. Control who has access to raw data,

  2. And maintain confidentiality of data if access is compromised

Some regulators across industries — including the International Organization for Standardization, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act — require organizations to encrypt all data at rest and in motion.

Though standards exist for encryption, there are no federal laws that mandate data encryption, Gary LaFever, CEO of data risk management company Anonos, told CIO Dive. There are laws that encourage encryption with incentives, such as reduced liabilities if the company can prove the data was encrypted at the time of the breach. 

"More importantly, regulation can be spotty when it comes to what kind of encryption businesses are required to adopt," said LaFever. This means companies can be selective with what data maintains encryption while it's at rest.

While there are solutions that provide encryption for data in transit, those practices limit protection while it's in use or "processed through company algorithms, cloud storage applications, or by third-party vendors," said LaFever. 

Encryption's limitations

Encrypting and decrypting databases impact how companies access and process data, like performance or user experience. Encryption software is also expensive. 

"Countless chief information officers are simply willing to accept the financial risks of a breach given the expense of proper data stewardship," said LaFever.

However, even with limitations, encryption's value is unrivaled. 

No matter the perceived impact on performance or budgets, the "reality is today, the cost, the CPU cost of encryption has stayed the same or gone down a little bit," said Davis.

If a company has compliance it has to adhere to, variations of encryption are unavoidable. Solutions, like modern pseudonymisation and anonymization, protect data in transit. It's also a requirement of the General Data Protection Regulation (GDPR).

Before data can be used, it needs to be decrypted, which immediately makes data vulnerable. Pseudonymisation attempts to remove any attributable feature of a consumer, though GDPR still recognizes pseudonymised data as personal data.

If pseudonymised data is "recombined" with its rightful owner, it negates the protection benefits, according to LaFever.

Because of this loophole, pseudonymised or anonymized data are not considered encrypted data, owing to differences in key holders.
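The recombination problem is easy to see in code. The sketch below is an added example, not taken from the article or from any vendor's product: it assumes one common pseudonymisation technique, replacing a direct identifier with a keyed HMAC-SHA256 token, and shows that whoever holds the key can re-link the records while a party without it cannot. The records, key and function names are constructed for illustration.

```python
import hashlib
import hmac

def token_for(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 of the normalised identifier, truncated."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def pseudonymise(records, key, id_field="email"):
    """Replace the direct identifier in each record with its keyed token."""
    out = []
    for r in records:
        stripped = {k: v for k, v in r.items() if k != id_field}
        stripped["token"] = token_for(r[id_field], key)
        out.append(stripped)
    return out

def recombine(pseudonymised, identifiers, key, id_field="email"):
    """Re-link tokens to people; needs the key plus candidate identifiers."""
    lookup = {token_for(i, key): i for i in identifiers}
    return [{**r, id_field: lookup.get(r["token"])} for r in pseudonymised]

# Constructed sample data and key (not from the article).
KEY = b"constructed-demo-key-held-by-the-data-controller"
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "asthma"},
    {"email": "bob@example.com", "diagnosis": "diabetes"},
]

if __name__ == "__main__":
    shared = pseudonymise(RECORDS, KEY)
    print(shared)  # what an analyst without the key sees
    emails = [r["email"] for r in RECORDS]
    print(recombine(shared, emails, KEY))           # key holder re-links
    print(recombine(shared, emails, b"wrong-key"))  # no key: email is None
```

The protection therefore rests entirely on keeping the key and the identifier list apart from the pseudonymised dataset, which is why such data is still treated as personal data.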

In true encryption, the key belongs to the data generator. But an encryption key is only as strong as its algorithm. Because all security solutions have flaws, companies must put multiple protections in place.

Encryption is only a piece of the puzzle. If a company loses control of who has access to data, decryption keys, everything else is theoretically irrelevant, said Davis.


This article originally appeared in CIODIVE.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.

