There’s been a lot of talk about encryption in the media lately.
You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).
And you hear about who wants to be able to bypass encryption (some law enforcement and national security agencies), and who doesn’t (Google, Apple, privacy advocates, etc.).
The encryption debate is important, but unfortunately, encryption is complex and the discussion can be hard to follow for people outside of the security community.
Businesses often don’t realise why encryption is important, and how they can use it to protect their data.
In this article I will seek to answer some common questions about encryption by covering two areas: 1) a very brief explanation of encryption, and 2) a couple of the most common use-cases which business needs to be aware of.
What is encryption?
Encryption is a method of scrambling messages in a format that is unreadable by unauthorised users – it is, simply put, the best way to keep data secure from spies, thieves or accidental exposure. (Not to be confused with steganography, which is all about hiding messages, rather than making them unreadable).
Cryptography – the art and science behind encryption – uses algorithms to turn readable data (plaintext) into unreadable format (ciphertext).
Without getting too deep into the details, it’s helpful to think about it like this: when you encrypt data you are storing it like you would money in a safe – you need a key to unlock the safe to get the money out (my apologies to any cryptographers reading this for the gross over-simplification!).
(If you want to learn more, I recommend my fellow Naked Security writer Paul Ducklin’s great explanation of public-private key encryption.)
There are loads of ways to use encryption, but for organisations concerned about data loss, two very important areas to understand are full-disk encryption and file-level encryption.
Full-disk encryption vs. file-level encryption
Encryption can be used in many different ways.
Say your employee accidentally loses a USB drive with valuable data on a train, or their laptop gets stolen when they leave it alone in a coffee shop while they go to the bathroom (it happens).
The physical kit can be replaced, but the data on them could end up in the wrong hands and cause considerable harm – you might face financial penalties (depending on your local laws and industry regulations).
Or you might lose customers when word gets out that their personal data was leaked. You may very well be legally obliged to tell them. Of course, morally, telling them is always the right thing to do, regardless of legality.
However, if the laptop or USB drive was strongly encrypted, the data is unreadable to someone without they key and you likely won’t have legal issues to worry about.
Laptops, USB drives, and even smartphones can be encrypted using what is known as full-disk encryption. That means the entire hard drive of the device and everything on it is protected by encryption – from the operating system to program files all the way down to temporary files.
Full-disk encryption is also relatively simple to implement – laptops and smartphones now come with the capability built in, what’s called native encryption.
However, full-disk encryption can only keep your stuff secure when it’s on the device. The second anything leaves the encrypted device, it is “magically” decrypted and readable by all. This has important implications for your backups or files you’ve uploaded to a cloud service or attached to an email.
If you think about the analogy of money in a safe, the encrypted disk is the safe, and the money is your data. Once you take your money out of the safe it is no longer protected.
Conversely, if you have file-level encryption, every file has a “padlock.”
With file-level encryption, your data is protected when it is in transit, or stored somewhere in the cloud.
But there is a downside – file-level encryption is harder to manage than full-disk encryption, because whenever you want to access the data, you need the key. As you may want access from many devices and many places, this requires careful key management.
When and how should you use encryption?
Full-disk encryption barely affects system performance at all, but if you try to encrypt everything at the file level, it will quickly become unmanageable.
You need to think a bit more about what data you want to encrypt and why. You’ll likely want to focus on file-level encryption for sensitive data and/or data that you copy to other places – for example, documents you want to access on your phone as well as your desktop, or from a service like Dropbox.
It’s important to understand that file-level encryption doesn’t replace full-disk encryption. They complement each other. If you only encrypt your own files and not the full disk then it’s very easy to miss something. Chances are your computer stores copies of your data in all sorts of places you didn’t think about.
Most companies will also want the IT department to carefully manage the encryption keys across various devices. Without this central management, data could easily be lost if a person leaves the company or loses their decryption password. Unlike passwords used for access, passwords used for encryption can’t simply be reset by a sysadmin if they’re forgotten.
A smart company will make sure the master decryption keys are very well protected. Even smarter companies will ensure that no single person has full access to the powerful key. One way of doing this is designing a system such that two or more people need to contribute towards the decryption process (segregation of duties).
Good encryption software will have capabilities to make key management and segregation of duties relatively simple.
7 Deadly IT Sins
Unencrypted files is one of Sophos’s 7 Deadly IT Sins.
Find resources – including videos and whitepapers – about these common security sins on the Sophos website.
Image of 3D lock, key and chain courtesy of Shutterstock.
3 comments on “Practical IT: What is encryption and how can I use it to protect my corporate data?”
If either of these two methods of encryption is used can Cryptolocker etc still re-encrypt the already encrypted data files?
Full disk encryption/decryption, once you’ve booted and put in the password, happens automatically and on-the-fly – under the bonnet, as it were.
So a logged-in user (or active malware running as the user) can read and write all files just as if they weren’t encrypted. So the answer in this case is a very big, “Yes.”
If individual files are encrypted, the answer to whether ransomware will encrypt them again is, “Assume it will.”
That’s because most ransomware chooses files by extension, not by peeking at the contents. So a file called .DOC, even if it’s already scrambled, will be scrambled again. Technically, this means you could probably confuse a lot of ransomware by renaming your .DOCs to .XYZs, and so on, although you’d confuse yourself and other utility programs at the same time.
OTOH, ransomware could look inside your files (though I don’t know of any strains that do) and decide whether to scramble them by guessing their type. For example, DOC files start with the bytes D0 CF 1E E0, and JPEGs have “JFIF” in the header. This would stop the malware being tricked by extension changes, but would ironically stop it from encrypting already-scrambled files, because it wouldn’t recognise them.
Either way, its best to assume that if you get ransomware, it will overwrite any file it feels like, whether that file is encrypted, or mis-named, or both. Any file you can edit or delete…so can malware!
Wow, that full-disk encryption seems really awesome! I imagine that any company that regularly handles sensitive information(like lawyers or accountants) should probably have both types of encryption available on all of their devices. It would be like a two-level security system; the full-disk type is a general barrier, while the file-level encryption acts as an extra safeguard.