[BreachExchange] Is encryption the key to your data security?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 28 18:46:10 EDT 2016


http://www.jdsupra.com/legalnews/is-encryption-the-key-to-your-data-31923/

With the increased rate of data breaches targeting personal information, an
increased public awareness of online privacy, and an increasingly demanding
regulatory landscape, large and small businesses are looking to additional
forms of security to protect themselves and their customers from
unauthorized access. These efforts have largely targeted preventing
unauthorized access through perimeter and access controls, like firewalls,
strong passwords, anti-malware, two-factor authentication and data
sandboxing. However, businesses must also plan for the failure of these
controls. For the event that unauthorized individuals do gain access to
sensitive data, businesses are increasingly turning to data encryption to
safeguard the data itself.

What is Encryption?

Encryption is a way of “scrambling” data so that, without the key needed to
“unscramble” it (decrypt it), the data is unreadable. There are various
forms of encryption, each with its own benefits and drawbacks, but they all
serve the same purpose: to transform the data reversibly into a form (the
ciphertext) that looks like random noise to anyone without the key, while
the holder of the key can recover the original.

The strength of an encryption key is stated in “bits,” the number of binary
digits (1’s and 0’s) that make up the key. The commonly used AES 128-bit
standard thus uses a key of 128 such bits to encrypt and decrypt the data.
Because each bit can be either a 1 or a 0, an attacker who tries to guess
the key must find it among 2^128 possibilities. This puts attacks that
simply try every key with raw computing power, known as brute force
attacks, out of reach of any computer system that exists today, not merely
the common ones. That said, the march of technology continues, and AES is
also offered with 192- and 256-bit keys; every added bit doubles the number
of keys an attacker would have to try, so brute force attacks on these keys
are exponentially more difficult still. Note that key length measures only
the difficulty of guessing the key itself; a key that is derived from a
weak password, or stored where an attacker can read it, gives no such
protection, whatever its length.

When is Encryption Important?

With the rise in data breaches (and the expense associated with such
breaches), all businesses should consider encrypting any private,
confidential or sensitive information, but particularly those industries
where sensitive data protection is of legal consequence. Attorneys, for
example, handle confidential and privileged client data on a regular basis.
Of additional concern is ABA Model Rule 1.1, whose commentary (Comment 8)
was amended in 2012 so that a lawyer’s duty to keep abreast of changes in
the law and its practice now expressly includes “the benefits and risks
associated with relevant technology.” With the rise of encryption as a
standard form of data protection in many industries, it is important for
attorneys not just to understand encryption but to be prepared to use it.
Someday soon, attorneys may be expected to encrypt privileged client data
to comply with their professional responsibilities.

In addition to the legal field, healthcare has an affirmative requirement
to protect “protected health information” under the federal HIPAA statute
and its regulations, alongside many state health-privacy laws. In 2013, the
Department of Health and Human Services published the Omnibus Final Rule
modifying the HIPAA rules; it explicitly anticipates that covered entities
will employ encryption to protect patient data. Encryption is an
“addressable” specification under the HIPAA Security Rule, and under the
Breach Notification Rule data encrypted in accordance with HHS guidance is
not “unsecured” protected health information, so its loss does not by
itself trigger a reportable breach. That safe harbor is a concrete reason
to encrypt patient data at rest and in transit.

Outside of those industries where data protection is required by
professional standards or the law, encrypting key data should also be a
concern for those industries where data protection is critical to the
success of the business.  For those industries heavily involved in
technology, research and development efforts are often a large portion of
business spend.  In such industries, protecting key technological data is
increasingly important to protect business advantages.  Businesses and even
sovereign states are actively involved in technological espionage.  One way
to prevent your company’s key technology from falling into the hands of
your competitors is to encrypt that information.  It may also be a good
idea to extend such encryption protection to information about who in your
company is responsible for developing your technology to prevent key
employees from being poached by competitors.

Encryption is also increasingly important because of the growing number of
entry points to a business’ networks. More recently, manufacturers of
connected devices around the home, increasingly referred to as “the
internet of things” or “IoT,” are being scrutinized and found to lack
encryption or sufficiently secure connections. As a result, a device as
simple as a connected light bulb, which can change color or be operated by
a cell phone app, can leak the credentials of the wireless network it joins
(for example by storing or transmitting the Wi-Fi password in the clear),
giving an intruder a foothold on that network. While this may not be a
serious issue in the home, should such devices be deployed in a business
environment, they can represent real threats to the integrity of a
business’ network security, and they should at minimum be kept on a
separate network segment from systems holding sensitive data.

Encryption Considerations

Encryption, despite its benefits in protecting sensitive data, is not
without its pitfalls and considerations. First and foremost, it is not a
“free” technology. Every read and write of encrypted data requires
additional computation to decrypt or encrypt it. On modern processors with
hardware support for AES this overhead is small, but when entire databases
are encrypted and large files are regularly read, it still adds up in terms
of computational and electrical requirements for servers and personal
systems, and on older hardware without such support it may noticeably
degrade overall performance. The larger ongoing cost is usually operational:
keys must be generated, stored securely, backed up, rotated and recovered,
and a lost key means lost data.

Encryption systems are also vulnerable to inconsistent application. Data
may be encrypted when it is created and while it is transmitted (for
example over a TLS connection), but once it reaches its destination it may
be stored in an unencrypted format, unbeknownst to the sender; encryption
in transit ends at the receiving endpoint and says nothing about how the
data is kept at rest there. When employing an encryption system to protect
data that is shared with or received from other entities, it is important
to understand where the encryption begins, where it ends, and who holds the
keys at each point along the way.

Finally, as with any digital security system, the weakest link is often the
human user. Most encryption products unlock the key with a password: the
password is run through a key derivation function to produce or unwrap the
actual encryption key. The effective strength of such a system is therefore
bounded by how hard the password is to guess, not by the nominal bit length
of the key. Weak passwords are as much a vulnerability to an encrypted set
of data as they are to user accounts, email accounts, servers, and any
other computer system, and an attacker who has obtained a copy of the
encrypted data can try password guesses offline at high speed. Such weak
passwords are among the most common reasons that encrypted data is
compromised. Ensuring that strong passwords are used (i.e., passwords of
sufficient length and unpredictability) in conjunction with encryption
technology greatly increases its effectiveness over using encryption alone.
Thus, it is important to remember that encryption can only be a single part
of a more comprehensive and multi-part security system employed to protect
data.
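As an added example (not part of the original article), the following Python script makes two of the points above concrete: it estimates how long a raw brute force search of a 128-bit versus a 256-bit key would take at an assumed guess rate, and it then shows that once the key is derived from a password, an attacker holding a copy of the encrypted data only has to guess the password. The use of PBKDF2-HMAC-SHA256 as the key derivation function, the stored check value, the guess rate and the word list are all assumptions made for the demonstration; the word list is constructed, not taken from any real product.

```python
"""Added example (not from the article): key length versus password strength.

Assumptions for the demonstration: the key is derived from the password with
PBKDF2-HMAC-SHA256, the encrypted container stores a salt and a SHA-256 check
value of the key (so that the right key can be recognised), and the attacker
has obtained a copy of that container to attack offline.
"""
import hashlib
import math
import os
import secrets
from typing import List, Optional, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed word list standing in for a real cracking dictionary.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty",
                       "Summer2016", "Welcome1"]


def brute_force_years(key_bits: int, guesses_per_second: float = 1e12) -> float:
    """Expected time to find a random key_bits-bit key by trying keys one by one.

    On average the key turns up after half the space, i.e. 2**(key_bits - 1)
    guesses. 1e12 guesses/s is an assumed rate, well beyond a commodity machine.
    """
    return 2 ** (key_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def password_space_bits(alphabet_size: int, length: int) -> float:
    """Search-space size, in bits, of a random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols, for comparison with key length."""
    return length * math.log2(alphabet_size)


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Turn a password into a 16-byte (128-bit) key with PBKDF2-HMAC-SHA256.

    This is the 'password unlocks the key' step: the resulting key has 128 bits,
    but an attacker only has to guess the password, never the key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=16)


def protect(password: str) -> Tuple[bytes, bytes]:
    """Simulate creating an encrypted container: pick a fresh salt, derive the key
    and store a check value (hash of the key) next to the ciphertext."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    check = hashlib.sha256(key).digest()
    return salt, check


def dictionary_attack(salt: bytes, check: bytes, wordlist: List[str]) -> Optional[str]:
    """Offline attack against a stolen container: for each candidate password,
    derive the key exactly as the product does and compare the check value.
    Returns the recovered password, or None if no candidate matched."""
    for candidate in wordlist:
        if hashlib.sha256(derive_key(candidate, salt)).digest() == check:
            return candidate
    return None


if __name__ == "__main__":
    print(f"AES-128 brute force at 1e12 guesses/s: ~{brute_force_years(128):.1e} years")
    print(f"AES-256 brute force at 1e12 guesses/s: ~{brute_force_years(256):.1e} years")
    print(f"8 lowercase letters: {password_space_bits(26, 8):.1f} bits of search space")

    salt, check = protect("Summer2016")           # weak: it is in the word list
    print("weak password recovered:", dictionary_attack(salt, check, WORDLIST))

    strong = secrets.token_urlsafe(24)            # 192 random bits, not guessable
    salt, check = protect(strong)
    print("strong password recovered:", dictionary_attack(salt, check, WORDLIST))
```

The iteration count slows each guess for the attacker as much as for the legitimate user, which is why a deliberately slow key derivation function matters; but it only multiplies the attacker's work by a constant, so a password drawn from a few thousand common choices still falls in seconds, whereas a random passphrase of comparable entropy to the key does not.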