There’s been a lot of talk about encryption in the media lately.
You hear about who uses encryption, and who doesn’t (lots of companies don’t, to their own detriment).
The encryption debate is important, but unfortunately, encryption is complex and the discussion can be hard to follow for people outside of the security community.
Businesses often don’t realise why encryption is important, and how they can use it to protect their data.
In this article I will seek to answer some common questions about encryption by covering two areas: 1) a very brief explanation of encryption, and 2) a couple of the most common use-cases which business needs to be aware of.
What is encryption?
Encryption is a method of scrambling messages in a format that is unreadable by unauthorised users – it is, simply put, the best way to keep data secure from spies, thieves or accidental exposure. (Not to be confused with steganography, which is all about hiding messages, rather than making them unreadable).
Cryptography – the art and science behind encryption – uses algorithms to turn readable data (plaintext) into unreadable format (ciphertext).
Without getting too deep into the details, it’s helpful to think about it like this: when you encrypt data you are storing it like you would money in a safe – you need a key to unlock the safe to get the money out (my apologies to any cryptographers reading this for the gross over-simplification!).
(If you want to learn more, I recommend my fellow Naked Security writer Paul Ducklin’s great explanation of public-private key encryption.)
There are loads of ways to use encryption, but for organisations concerned about data loss, two very important areas to understand are full-disk encryption and file-level encryption.
Full-disk encryption vs. file-level encryption
Encryption can be used in many different ways.
The physical kit can be replaced, but the data on them could end up in the wrong hands and cause considerable harm – you might face financial penalties (depending on your local laws and industry regulations).
Or you might lose customers when word gets out that their personal data was leaked. You may very well be legally obliged to tell them. Of course, morally, telling them is always the right thing to do, regardless of legality.
However, if the laptop or USB drive was strongly encrypted, the data is unreadable to someone without they key and you likely won’t have legal issues to worry about.
Laptops, USB drives, and even smartphones can be encrypted using what is known as full-disk encryption. That means the entire hard drive of the device and everything on it is protected by encryption – from the operating system to program files all the way down to temporary files.
Full-disk encryption is also relatively simple to implement – laptops and smartphones now come with the capability built in, what’s called native encryption.
However, full-disk encryption can only keep your stuff secure when it’s on the device. The second anything leaves the encrypted device, it is “magically” decrypted and readable by all. This has important implications for your backups or files you’ve uploaded to a cloud service or attached to an email.
If you think about the analogy of money in a safe, the encrypted disk is the safe, and the money is your data. Once you take your money out of the safe it is no longer protected.
Conversely, if you have file-level encryption, every file has a “padlock.”
With file-level encryption, your data is protected when it is in transit, or stored somewhere in the cloud.
But there is a downside – file-level encryption is harder to manage than full-disk encryption, because whenever you want to access the data, you need the key. As you may want access from many devices and many places, this requires careful key management.
When and how should you use encryption?
Full-disk encryption barely affects system performance at all, but if you try to encrypt everything at the file level, it will quickly become unmanageable.
You need to think a bit more about what data you want to encrypt and why. You’ll likely want to focus on file-level encryption for sensitive data and/or data that you copy to other places – for example, documents you want to access on your phone as well as your desktop, or from a service like Dropbox.
It’s important to understand that file-level encryption doesn’t replace full-disk encryption. They complement each other. If you only encrypt your own files and not the full disk then it’s very easy to miss something. Chances are your computer stores copies of your data in all sorts of places you didn’t think about.
Most companies will also want the IT department to carefully manage the encryption keys across various devices. Without this central management, data could easily be lost if a person leaves the company or loses their decryption password. Unlike passwords used for access, passwords used for encryption can’t simply be reset by a sysadmin if they’re forgotten.
A smart company will make sure the master decryption keys are very well protected. Even smarter companies will ensure that no single person has full access to the powerful key. One way of doing this is designing a system such that two or more people need to contribute towards the decryption process (segregation of duties).
Good encryption software will have capabilities to make key management and segregation of duties relatively simple.
7 Deadly IT Sins
Unencrypted files is one of Sophos’s 7 Deadly IT Sins.
Find resources – including videos and whitepapers – about these common security sins on the Sophos website.