In the News

August 22, 2019
Without it, data lays bare and vulnerable.

Encryption 101 and the trap of leaving data unprotected

Before Chris Davis traveled to China for work some years ago, he was warned officials would take his electronics and make hard drive copies after he landed. 

Expecting this, Davis, VP of product management for cybersecurity and compliance company Caveonix,encrypted the contents of his laptop. While the data was accessible, it was unreadable, safeguarding his privacy and digital records. 

Encryption protects data from unauthorized eyes if it is ever lost, stolen or breached. Without encryption, data lays bare and vulnerable.

Cybersecurity specialist Bruce Schneier compares encryption to placing a lock on the front door of a home.

It's unlikely burglars are willing to shuffle through keys until one unlocks the door, he said. "Most aren't even clever enough to pick the lock (a cryptographic attack against the algorithm)." 

Intruders don't always bother with locks when there are other methods of invasion. In Capital One's case, the intruder metaphorically "smashed the window," according to Davis, in an interview with CIO Dive.

A brief history of encryption

People have wanted to protect their secrets since the big bang, thus beginning the use of ciphers. 

A cipher is an algorithm for encryption and decryption. Early and uncomplicated methods, like Caesar, used a substitution method to encrypt by subbing a letter for the next letter down the alphabet.

For example, A would be replaced by B, C would replace B and the pattern continues. 

Simplistic encryption like Caesar prevents data from being a flat histogramsaid Davis. "I want it to be completely unreadable and untraceable. And that's what true encryption is, that's what it does." 

There are two primary reasons for encryption: 

  1. Control who has access to raw data,

  2. And maintain confidentiality of data if access is compromised

Some regulators across industries — including the International Organization for Standardization, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act — require organizations to encrypt all data at rest and in motion.

Though standards exist for encryption, there are no federal laws that mandate data encryption, Gary LaFever, CEO of data risk management company Anonos, told CIO Dive. There are laws that encourage encryption with incentives, such as reduced liabilities if the company can prove the data was encrypted at the time of the breach. 

"More importantly, regulation can be spotty when it comes to what kind of encryption businesses are required to adopt," said LaFever. This means companies can be selective with what data maintains encryption while it's at rest.

While there are solutions that provide encryption for data in transit, those practices limit protection while it's in use or "processed through company algorithms, cloud storage applications, or by third-party vendors," said LaFever. 

Encryption's limitations

Encrypting and decrypting databases impact how companies access and process data, like performance or user experience. Encryption software is also expensive. 

"Countless chief information officers are simply willing to accept the financial risks of a breach given the expense of proper data stewardship," said LaFever.

However, even with limitations, encryption's value is unrivaled. 

No matter the perceived impact on performance or budgets, the "reality is today, the cost, the CPU cost of encryption has stayed the same or gone down a little bit," said Davis.

If a company has compliance it has to adhere to, variations of encryption is unavoidable. Solutions, like modern Pseudonymisation and anonymization, protect data in transit. It's also a requirement of the General Data Protection Regulation (GDPR). 

Before data can be used, it needs to be decrypted, which immediately makes data vulnerable. Pseudonymisation attempts to remove any attributable feature of a consumer, though GDPR still recognizes Pseudonymised data as personal data. 

If Pseudonymised data is "recombined," with its rightful owner, it negates the protection benefits, according to LaFever.  

Because of this loophole, Pseudonymised or anonymized data are not considered encrypted data because of differences in key holders.

In true encryption, the key belongs to the data generator. But an encryption key is only as strong as its algorithm. Because all security solutions have flaws, companies must put multiple protections in place.

Encryption is only a piece to the puzzle. If a company loses control of who has access to data, decryption keys, everything else is theoretically irrelevant, said Davis.


This article originally appeared in CIODIVE.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.