Cyber Security

Data Encryption 101: A Guide to Data Security Best Practices

What is Data Encryption

Data encryption is the process of hiding information from malicious actors or anyone else with prying eyes.

 Data is information. It can be an email message, the contents of a database or a file stored on a laptop.

We encrypt data to keep it confidential. Data encryption is part of a broader class of cybersecurity countermeasures known as data security. Data security is all about keeping our data safe from unauthorized access, ransomware lockup (which is a malicious form of encryption), breach or malicious corruption, i.e. changing data to make it useless.

How Does Data Encryption Work?

Modern data encryption is a form of cryptography, an ancient technique of hiding information by substituting one character for another. The word ‘encryption’ is a blend of English and Greek that means “in hidden” or, more loosely, “in hiding.”. Encryption works by means of a complex mathematical algorithm known as a data encryption cipher. Like the secret decoder ring found in your child’s cereal box, the cipher algorithm transforms normalized data (i.e. plaintext) into a sequence of ostensibly random, unrecognizable characters known as “ciphertext.” 

The ciphertext is unreadable. The phrase, “Hi, how are you?” might encrypt into a ciphertext that reads, “8363, 5017, 11884, 9546.” To get back to “Hi, how are you” requires a process of decryption. 

Decoding information from ciphertext to plaintext is called decryption and involves the same algorithmic “key” that was used to encrypt the data.  

What is Data Encryption? Infographic

Data Encryption Solutions

There are two basic kinds of encryption solutions: Those for data at rest and for data in transit.

At rest data is information that is stored such as on servers or  in a computer harddrive. Data in transit means that it is being transmitted whether email or internal system-to-system messages that carry data around your network.   The messages might be email, but they could also be internal, system-to-system messages that carry data around your network. 

Separate solutions are available for data at rest versus data in transit. Systemically, each has its own impact. For data at rest, you have to configure any application that needs access to encrypted data with the means to decrypt it. There are quite a few data security solutions for this such as Bitlocker (for Windows) or Firevault (for MACos). 

For data in transit, you have to arrange for both the sender and receiver to have encrypt/decrypt capabilities. This type of encryption is known as end-to-end encryption or E2EE. These requirements create administrative burdens, and things can quickly become quite complex when you’re sending encrypted messages outside of your organization and so forth.

Who Needs to Use Data Encryption?

 The answer is just about anyone. You don’t have to be a secret agent to want to keep your data confidential. In fact, you might be using encryption without even knowing it. Many technology services encrypt and decrypt your data so it will be safe when they use it. Businesses should encrypt data that could damage their financial results if it were breached. Individuals should encrypt sensitive personal data like their medical histories and social security numbers.

Common Data Encryption Methods

How to encrypt your data

 Let’s go over the most common data encryption methods and algorithms. The two most widely used methods for data encryption are public key, also known as asymmetric encryption and private key, or symmetric encryption. Both rely on key pairs, but they differ in the way the sending and receiving parties share the keys and handle the encrypt/decrypt process.

Public Key Encryption 

With public key/asymmetric encryption, the sender uses a publicly known key to encrypt the data. The receiver has the private key that forms the other half of the public/private key pair. Using the private key, in combination with the public key, the receiver can decrypt the data. 

Private Key Encryption

In Private key/symmetric encryption, both sender and receiver have the same, secret key. As you might imagine, there’s a lot of management overhead involved in storing and transmitting secret keys.

Companies, encryption products, and government agencies make use of a number of different encryption algorithms today. These include:

  • Triple DES (3DES)—A modernization of the older, but highly influential Digital Encryption Standard (DES). 3DES takes DES’ 56-bit key size up to 168-bits, making it harder to crack, but also more compute-intensive to handle.
  • Advanced Encryption Standard (AES)—A symmetric cipher based on the Rijandael block cipher. It is used in the US federal government as well as in consumer technologies like the Apple Macintosh computer.
  • RSA—One of the first and most widely adopted modes of asymmetric cryptography for data in transit. It originated in 1977. RSA works through a public key based on two large prime numbers, along with an additional value used to encrypt the data. 
  • Elliptic curve cryptography (ECC)—A powerful, not-well understood form of data encryption. It is faster than comparable algorithms, so it is favored by government agencies like the NSA.

Data Encryption Made Easy

How complicated is data encryption? It depends on how sophisticated your needs are. You can buy a simple encryption app for your laptop. That’s easy, if it’s just for you. If you’re managing encryption for a Fortune 500 corporation, it’s a job for a team of people and some pretty powerful, expensive tools. 

Encryption best practices should align with your broader security policies. It makes no sense, and is too complicated and expensive, to encrypt everything. Data encryption requires specialized software tools. You usually have to purchase keys, either directly or by buying an encryption product that embeds the keys in its functionality. And, encryption slows down processes like emailing and data processing. 

It makes sense to be selective about encryption. You should encrypt data which is sensitive, data that would have a negative impact on you or your business if it were breached, blocked by ransomware or corrupted. 

How to Encrypt Your Data

You might wonder about actionable steps for basic data encryption on your devices. The good news is that a lot of solutions are available, either at low or even no cost. Android phones have full-device encryption if they run Android Gingerbread (2.3.x) or later. On Pixel Phones and Nexus 5+, encryption is by default. On earlier versions of Android, you have to turn it on, but it’s there.  The process of setting up encryption on and Android device involves first configuring a lock screen PIN, pattern or password. Then in Settings/App Settings, you choose Security & Location. Where it says “Encryption” on this screen, select “Encrypt Phone.” That’s really all it takes. You can do this process in reverse to end encryption. 

For your computer, you can encrypt your data at rest with solutions from companies like Symantec, Kaspersky, Sophos and ESET. You can also get encrypted USB drives. Email can be encrypted through products like DataMotion SecureMail software, Proofpoint Email Encryption and Symantec Desktop Email Encryption.

Using Prey to Encrypt Your Data

From the same Prey Control Panel you can manage BitLocker for disk encryption in Windows 10 Professional, Enterprise or Education with a physical Trusted Platform Module (TPM) installed and active. With it you can select the disk to encrypt, watch its progress and select your preferred security standard between  AES128 and XTS_AES128.

The Future of Data Encryption

Data encryption and data security are constantly evolving to keep up with a worsening threat environment. While brute force decryption may be hard, hackers can still steal keys or attack places in the data management chain where encryption is suspended. For example, data is almost always encrypted when it goes through a computer’s Central Processing Unit (CPU). This is changing now, with chip makers like Intel introducing encryption tools for their CPUs.

The future of data encryption promises more innovations. These include encryption algorithms that incorporate biometrics and voice recognition—a sort of unique, personal key, if you will. The industry is also introducing “Honey Encryption” traps that show a fake, but plausible plaintext when a hacker guesses at the decryption key. Blockchain, which is not, strictly speaking, a form of encryption, makes use of encryption-like algorithms to ensure the integrity of data that is stored using a blockchain framework. There is likely to be a lot more of this kind coming in the future.

Takeaways

Data encryption is a common and necessary element of cyber security and data security in particular. The process requires highly sophisticated technology, but solutions are becoming increasingly easy to use, at least at the consumer level. In some cases, like with iOS, encryption is happening whether the user knows it or not. For organizations, encryption should be part of the security mix, to protect business-sensitive data. 


About the author

Hugh Taylor

Hugh Taylor is a Certified Information Security Manager (CISM) who has written about cybersecurity, compliance, and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups. Hugh is the author of multiple books about business, security, and technology