Data Encryption: Top 7 Algorithms and 5 Best Practices

What Is Data Encryption?

Encryption is a method of data masking used to protect data from cybercriminals, others with malicious intent, and accidental exposure. The data might be the contents of a database, an email, an instant message, or a file stored on a computer.

Organizations encrypt data to keep it confidential. Data encryption is one component of a wider set of cybersecurity controls known as data security, which involves protecting data from ransomware lockup, malicious corruption (altering data to render it useless), breaches, and unauthorized access.

Encryption is also employed to safeguard passwords. Password encryption processes jumble up your password, so that cybercriminals can’t read it. 

How Does Encryption Work?

When information is shared via the internet, it passes through a set of network devices from around the world, which comprise a section of the public internet. As information ventures throughout the public internet, the possibility exists that it might be exploited or stolen by cybercriminals. To stop this, users may install network security software or hardware to secure the transfer of information.

These security tools encrypt data so that it is unreadable to anyone without the appropriate decryption key. Encryption converts human-readable plaintext into ciphertext, text that cannot be understood without that key.

Encryption uses a cryptographic key, a series of mathematical values agreed upon by the sender and recipient. The recipient uses the key to decrypt the information, converting it back into its original plaintext.

The complexity of the cryptographic key determines the level of security. Stronger encryption makes it harder for third parties to decrypt data by brute force (trying candidate keys one after another until the right one is found).

Learn about alternative methods of data masking in our guides to:

  • Pseudonymisation (coming soon)
  • Data tokenization (coming soon)

Data Encryption Types

Symmetric vs Asymmetric Encryption

Encryption techniques can be classified according to the type of key they use to encode and decode data:

Asymmetric encryption

This method is also called public-key cryptography. It encrypts and decrypts information using a pair of distinct keys (a public key and a private key).

Symmetric encryption

This method uses a single secret key for both encryption and decryption. Symmetric encryption is faster than asymmetric encryption and is best suited to individual use or closed systems. Using symmetric methods with several users in an open system, for example over a network, requires transmitting the key, which creates an opportunity for theft. The most widely used form of symmetric encryption is AES.

Data Encryption in Transit vs Data Encryption at Rest

Data encryption solutions, including cloud data encryption and data encryption software, are often categorized according to whether they are intended for data in transit or data at rest.

In-Transit Encryption

Data is deemed to be in transit when it moves between devices, including over the internet or within private networks. When being transferred, data is at increased risk of exposure, given that it must be decrypted prior to transfer. Encrypting data for the duration of the transfer, called end-to-end encryption, ensures that if data is intercepted it remains private.

At-Rest Encryption

Data is labeled at rest when it remains on a storage device and is not being transferred or actively used. Data at rest tends to be less vulnerable than data in transit, because device security features restrict access; however, this does not mean that data at rest is unexploitable. Such data often tends to be especially valuable, making it an attractive target for attackers.

Encrypting data at rest minimizes the possibility of data theft as a result of lost or stolen devices, accidental permission granting, or accidental password sharing. It lengthens the time needed to access data and offers valuable time for the owner of the data to discover ransomware attacks, data loss, changed credentials or remotely erased data.

One means of protecting data at rest is Transparent Data Encryption (TDE), a method used by Oracle, IBM and Microsoft to encrypt database files. TDE safeguards data at rest by encrypting databases on the hard drive and on backup media. TDE does not safeguard data in transit.

Top 7 Encryption Algorithms

Data Encryption Standard (DES)

Today, the Data Encryption Standard (DES) is an outdated symmetric encryption algorithm. With DES, you use the same key to encrypt and decrypt a message. DES uses a 56-bit key and encrypts data in blocks of 64 bits. Such sizes are generally not big enough for today's purposes, so other encryption algorithms have superseded DES.

Blowfish

As with DES, Blowfish is now out-of-date—nevertheless, this legacy algorithm is still effective. This symmetric cipher organizes messages into units of 64 bits and encrypts them one by one. Twofish has superseded Blowfish.

Twofish

Used in both hardware and software applications, Twofish supports keys up to 256 bits in length, yet remains one of the fastest encryption algorithms. This symmetric cipher is unpatented and free.

Triple DES

Triple DES (3DES or TDES) runs the DES algorithm three times: it encrypts, decrypts and re-encrypts, giving an effectively longer key. It may be run with one key, two keys, or three distinct keys; the more keys, the more security. Because 3DES keeps DES's 64-bit block size, it remains vulnerable to attacks such as block collisions.

The Advanced Encryption Standard (AES)

AES is a symmetric encryption algorithm. It encrypts data one 128-bit block at a time. There are three key sizes, each with its own number of encryption rounds:

  • 128-bit key—encrypts the information in 10 rounds
  • 192-bit key—encrypts in 12 rounds
  • 256-bit key—encrypts in 14 rounds

Every round comprises a few steps of substitution, mixing of plaintext, transposition and more. AES encryption standards are the most prevalent encryption methods today for data in transit and at rest.

Rivest-Shamir-Adleman (RSA)

RSA is an asymmetric encryption algorithm. It is founded on the difficulty of factoring the product of two large prime numbers. Only someone who knows these primes can decode the message. RSA is typically employed when passing data between two distinct endpoints (such as a web connection). However, it is slow when encrypting large volumes of data.
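As an added example that is not part of the original article, the following Python implements textbook RSA on toy-sized primes to show how the private key follows from the two primes, and why a modulus small enough to factor offers no protection. The primes (61, 53), the public exponent 65537 and the message 65 are constructed values; real keys are thousands of bits long and use padding.

```python
"""Textbook RSA on toy-sized primes (added example, not from the article).
It shows the page's point: the private key is derivable from the two
primes, so whoever can factor n = p * q can decrypt. Real deployments use
2048-3072-bit moduli and OAEP padding; this is for illustration only."""
from math import gcd, isqrt

def is_prime(n: int) -> bool:
    """Trial-division primality check; adequate for the toy sizes used here."""
    return n > 1 and all(n % i for i in range(2, isqrt(n) + 1))

def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). d exists only because phi(n) is known from p, q."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be two distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient; needs the factorisation
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)

def encrypt(pub, m: int) -> int:
    """c = m^e mod n (no padding: textbook RSA, not safe for real use)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)

def recover_private_key(pub):
    """Rebuild d from the public key alone by factoring n with trial division.
    Feasible here only because n is tiny; for a 3072-bit n this is exactly
    the hard problem RSA relies on, which is why key size matters."""
    n, e = pub
    p = next(i for i in range(3, isqrt(n) + 1, 2) if n % i == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)     # constructed toy primes, n = 3233
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypted:", decrypt(priv, c))
    print("private key recovered from public key:", recover_private_key(pub) == priv)
```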

Elliptic Curve Cryptography (ECC)

ECC, favored by agencies including the NSA, is a fast and powerful form of data encryption employed as a component of the SSL/TLS protocol. It uses an entirely different mathematical process that lets it use shorter keys for greater speed while still offering strong security. For instance, a 3,072-bit RSA key and a 256-bit ECC key offer equivalent levels of security.

Common Criteria (CC)

This is not an encryption standard but rather a set of international guidelines for checking that product security claims hold up under testing. Encryption was not initially covered by CC, though it is now more commonly included in the security standards outlined for the product under evaluation.

CC guidelines were established to offer third-party, vendor-neutral verification of security products. Vendors voluntarily submit products for evaluation, and their functions are studied either individually or as a whole. Once a product has been evaluated, its capabilities and features are checked against up to seven levels of rigor, and it is compared to a set of standards based on product type.

5 Data Encryption Best Practices

The following practices can help you ensure your data is secured effectively.

Build a Data Security Strategy

Your security approach should take into account your organization's size. For instance, organizations with many users should employ cloud servers to store their encrypted data, while small organizations can store their media on workstations.

The following are some points to consider when developing a security approach:

  • Know the regulations—PII requires robust encryption to comply with government regulations. See which other governing rules apply to your organization and how they affect your security approach.  
  • Choose the right tools—decide which encryption tools are most suitable for your organization (consider your organization’s needs and data volume).
  • Use a strong encryption algorithm—see if the algorithm or technology utilized by your encryption vendor adheres to international standards.
  • Manage decryption keys—find ways to store, replace and generate keys. Also, develop strategies to erase the encryption keys if there is a security breach.
  • Audit your data—decide how you will find irregularities or isolate unauthorized access to the encryption keys.

An additional point to consider is the speed of your encryption. You don’t want to have to wait hours for your data to be encrypted, particularly if you need to urgently transfer it over the network. Check with your vendor to see how fast the tool can encrypt the file, but ensure security is not compromised.

Choose the Right Encryption Approach for Your Data

When deciding which data you should encrypt, you must think about the worst outcome. How much damage and loss would take place if a certain part of the data is exposed? If the risk is unacceptable, then you have to encrypt that data.

Some data should be encrypted irrespective of the strength of your security systems, for example sensitive details such as contact information, names, credit card numbers and social security numbers.

You must also ensure that files you are accessing remotely or transferring over a network are encrypted.

Control All Access to Your Data

Grant access to encryption keys according to the sort of data each user requires. For instance, your financial data must only be accessible to individuals within the finance department.

Furthermore, determine what a user may access within the files. For instance, your marketing group may access customers' email addresses from the PII file, but must not be allowed to see their credit card information or passwords.

You can achieve this by encrypting each column separately, or by adjusting your vault access policies.

Encrypt Data in Transit

Storage and data collection are core parts of every organization. Data stored in your system or on dedicated servers is simpler to safeguard than files in transit. While data is being transferred to and from various locations, it is advisable to employ a VPN to mask your IP address.

Here are some additional reasons for using a VPN when you transfer data:

  • VPNs establish an encrypted connection between the internet and your device, masking all your online undertakings
  • VPNs use security protocols to protect your data and devices from attacks via public Wi-Fi 
  • A VPN modifies your IP address, so malicious actors cannot see when files are in transit
  • VPNs ensure secure access to storage (e.g. servers or cloud networks) from workstations

Build a Data Backup Strategy

If data is lost or stolen, you must be able to access the files or recover the keys used to encrypt the information.

Store your decryption keys in a secure location and retain a backup of all files. Keep your decryption keys separate from the backups they protect.

You may also employ a centralized key management approach to reduce the risk of isolated, unmanaged keys. Such a system keeps all parts of key management (such as software, hardware and processing) in one physical place, reinforcing security.

Additional points to consider when putting in place an encryption approach:

  • Ensure your encryption vendor lets you scale your network with minimal disruptions
  • Your encryption approach should support data migration, particularly if your organization plans to move to the cloud
  • Make sure you can easily integrate third-party technologies without affecting security
  • Establish several layers of security to protect your information in the event of a data breach
  • Ensure your encryption approach doesn’t adversely affect the accessibility, performance or functionality of your data

Protecting Sensitive Data with Satori

Learn more about how Satori can help you control access to sensitive data by booking a demo with one of our experts, or read more here.