Information Security and Encryption - an Overview
I’ve seen lots of advice about information security. Most of it tells you about the security controls that you should put in place – and to be perfectly honest I’ve found advice that takes this as a starting point isn’t particularly helpful. This is because it’s not possible to make good decisions about the controls you need on a purely technical basis.
Understand what you need to protect
Before you can select the controls that are right for your needs you must understand what information you’re trying to protect, how much the information is worth to you, and what the likely risks to that information are. Otherwise you can end up with expensive technical solutions to problems you don’t have, and glaring gaps in relation to situations that are actually critically important to you.
Prevention, detection, and recovery
Once you have a clear understanding of what you need to protect and why, you will need to put in place a complete range of controls to help you prevent security incidents. However – and this is a hard truth that we all need to face up to – it is simply not possible to prevent all security incidents. What this means is that as well as measures to prevent incidents, you will also need to take steps to make sure that you can detect incidents that do occur, and that you can recover from these with minimal impact.
However, there are some controls that nearly all of us need, regardless of what we are trying to protect; and one of the most important of these is encryption.
Encryption can help to protect information in many different ways.
- It can prevent people from seeing your information as it passes across networks. This applies to private networks as well as to the internet: anyone tapping the path between the two ends sees only ciphertext.
- It can protect information stored on portable devices from being accessed if the device is lost or stolen.
- It can stop somebody who has logged in to your network from accessing information that you need to keep private, whether they have a legitimate right to log in or they have hacked their way in. This only works if the keys are held separately from the data, so that being able to read the disk or the database is not enough on its own.
- It can provide protected storage for passwords. Strictly this uses a one-way hash rather than reversible encryption, so nobody, not even you, can recover the stored passwords; when someone logs in, the password they type is hashed in the same way and the result is compared with the stored value.
- It can be used to authenticate transactions, in the form of digital signatures, to confirm which party approved a transaction and, combined with a trusted timestamp, when.
- It can enable you to detect if information has been changed by someone unauthorized, by attaching an authentication code or signature that cannot be recomputed without the key.
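As an added example, not code from the original post, here is how the password-storage point and the change-detection point above look in Go using only the standard library. The iteration count, the sample invoice record and the key are assumptions made for the example; PBKDF2 is written out in full because the standard library has no password hash of its own, and for a real system Argon2 or bcrypt from golang.org/x/crypto would be the better choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Assumption for this example: an OWASP-style iteration count for PBKDF2-HMAC-SHA256.
const pbkdf2Iterations = 600_000

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2).
// It is one-way and deliberately slow: there is no way to get the password back out.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

// StoredPassword is what the database keeps: never the password itself.
type StoredPassword struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword picks a fresh random salt so two users with the same password
// get different stored values.
func HashPassword(password string) StoredPassword {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return StoredPassword{Salt: salt, Iterations: pbkdf2Iterations,
		Hash: pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)}
}

// VerifyPassword recomputes the hash for the entered password and compares in
// constant time, so timing does not leak how many leading bytes matched.
func VerifyPassword(stored StoredPassword, entered string) bool {
	candidate := pbkdf2SHA256([]byte(entered), stored.Salt, stored.Iterations)
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

// TagRecord produces an HMAC-SHA256 tag over a record; without the key nobody
// can produce a valid tag for altered data.
func TagRecord(key, record []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(record)
	return mac.Sum(nil)
}

// VerifyRecord returns false if either the record or the tag has been changed.
func VerifyRecord(key, record, tag []byte) bool {
	return hmac.Equal(TagRecord(key, record), tag)
}

func main() {
	stored := HashPassword("correct horse battery staple")
	fmt.Printf("stored: hash=%s salt=%s\n", hex.EncodeToString(stored.Hash), hex.EncodeToString(stored.Salt))
	fmt.Println("right password accepted:", VerifyPassword(stored, "correct horse battery staple"))
	fmt.Println("wrong password accepted:", VerifyPassword(stored, "correct horse battery stapler"))

	key := make([]byte, 32) // constructed: in practice this comes from a key store, not the data file
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte(`{"invoice":1042,"amount":"199.00","payee":"ACME Ltd"}`) // constructed sample record
	tag := TagRecord(key, record)
	tampered := []byte(`{"invoice":1042,"amount":"999.00","payee":"ACME Ltd"}`)
	fmt.Println("original record verifies:", VerifyRecord(key, record, tag))
	fmt.Println("tampered record verifies:", VerifyRecord(key, tampered, tag))
}
```

The tag does not hide the record, it only proves the record is the one that was tagged; if the record also needs to be kept secret it must be encrypted as well, which is the job of the field-level example later in this post.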
If you have read this far, and have not yet chosen to make use of encryption, I hope I have said enough to persuade you to take action.
What types of encryption are available?
There are many different types of encryption, suitable for different purposes. Hopefully, the superficial overview in this blog will be enough to start you thinking about what you might do next.
When you connect to a website using a URL that starts https:// then all communication between your browser and the web site is protected from eavesdropping and tampering anywhere between you and the server. The web site presents your browser with a TLS certificate to prove that it really is the server you think it is. Be clear about what this does and does not tell you: the padlock means the connection is encrypted and the certificate matches the domain name you typed, not that the people running the site are honest. Most web sites now support https, if you are reading this blog on the Optimal Service Management web site then you’re using it now. Look for the padlock symbol on your browser to verify the connection security. Every web browser comes with support for this built in, but if you manage a web site then there’s a little work to do to set this up, and you need to get a certificate for your site. You can obtain a free certificate from Let’s Encrypt, which proves only that you control the domain; if you want a certificate provider to vouch that you are the organization you claim to be, that involves some checking and some expense. Once the certificate is installed, also redirect plain http:// requests to https:// so that visitors do not quietly fall back to an unprotected connection.
You can also use a VPN (virtual private network) to protect your network communication. When you use a VPN all traffic from your client device to the VPN server is encrypted, which hides it from anyone on the local network or on the path in between. The VPN server can then route your data on to the internet, or to a private network. Beyond the VPN server the traffic is whatever it was before: an https connection stays encrypted, but anything sent in the clear is visible to the VPN operator and to everyone after them, so a VPN moves your trust from the coffee shop network to whoever runs the VPN. I always use a VPN when I am connected to public WiFi, in a hotel or a coffee shop for example, to prevent anyone from eavesdropping on my activity. Many organizations provide VPN servers on their network to allow employees to connect to their servers from the internet in a controlled way, but you can just subscribe to a public VPN service if you don’t need to use it to access your company network; pick one you would be happy to trust with your browsing history.
Portable devices, such as laptops, phones or tablets, are very easy to lose, either by carelessness or theft. Often the value of the device is fairly low, but the cost of the data on the device being seen by other people can be very high. The best way to protect your device is to encrypt it: most modern operating systems include whole device encryption as a standard feature, but you may need to turn it on yourself. Make sure you do. Bear in mind that the encryption is only as strong as the PIN or passphrase that unlocks the device, so choose a good one and set the device to lock when idle; a device lost while locked or powered off is very unlikely to give up its data, while one lost unlocked is protected by nothing at all. I have enabled remote wiping of all my devices, so that I can trigger the device to erase all my data when it has been lost. This means that the encryption only needs to be good enough to protect the device for a limited period of time. The wipe command only reaches a device that comes back online, though, and a thief who keeps it offline will never receive it, so treat remote wipe as a complement to encryption rather than a substitute for it. If you work for a large organization then there is probably a policy for mobile device management that mandates these controls. Whole device encryption may not hold up against a well-resourced attacker with specialist forensic tools and unlimited time, but for most of us opportunistic theft is the far more likely threat, and against that it works well.
You also need to encrypt data stored on portable devices such as USB drives. There are many software products available that can do this. I use VeraCrypt, which is a free open source product, but commercial organizations may choose a product that is integrated with their overall enterprise approach.
Encryption in the data centre
You may think that encryption is not needed in your data centre, after all it has lots of firewalls and other security devices isolating it from the internet, and only authorized people can log in to your servers. Nevertheless, things can and do go wrong, whether by accident or through malice: a backup copy is mislaid, a disk is decommissioned without being wiped, an administrator account is compromised, or a database export ends up somewhere it should not be. None of those are stopped by a firewall. So if you want to be confident that you have done all you can to protect yourself and your customers then there are some things that you really do need to encrypt. In fact, some organizations encrypt nearly everything as part of a “defence in depth” approach.
If you have sensitive data that should only be seen by some people in the organization then you really should use encryption to make sure that it is not accidentally exposed to people who should not have access. Typically this protection should cover at a minimum any personally identifiable information about people, any payment card data, or anything else where there is a legal or regulatory need to keep the data private.
There are many different products available that can be used to encrypt whole disks, or individual files, or even single fields in a database, and they protect against different things. Whole disk encryption protects a disk that leaves the building, but it is transparent to anyone who is logged in to the server, so it does nothing against a compromised account or a leaked database export. File or field level encryption, with the keys held outside the database in a key management service or hardware security module, protects the data even when a copy of the files or the table gets out, and lets you decide who gets the keys separately from who can read the table.
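Here is an added illustration of field level encryption in Go; it is example code written for this post, not a product the post mentions. One sensitive column is encrypted with AES-256-GCM under a key that is assumed to be held outside the database, so a table dump shows only ciphertext, and any change to the stored value, or an attempt to move it to a different column, is detected and refused. The table layout, the column names and the test card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; the key is assumed to come from a key
// store (KMS/HSM) that the database itself has no access to.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value. The column name is bound in as associated
// data, so a ciphertext copied into another column will not decrypt there.
func EncryptField(key []byte, column string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte tag. The nonce is not secret, only unique.
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptField reverses EncryptField and fails closed on any modification,
// wrong key or wrong column.
func DecryptField(key []byte, column string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(column))
}

// CustomerRow is what the table holds: ordinary columns in clear, the card
// number only as ciphertext. (Constructed layout for the example.)
type CustomerRow struct {
	ID      int
	Name    string
	CardEnc []byte
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	enc, err := EncryptField(key, "customers.card_number", []byte("4111111111111111")) // constructed test card number
	if err != nil {
		panic(err)
	}
	row := CustomerRow{ID: 7, Name: "A. Customer", CardEnc: enc}
	fmt.Printf("what a table dump shows: %+v\n", row) // CardEnc is random-looking bytes

	pt, err := DecryptField(key, "customers.card_number", row.CardEnc)
	fmt.Printf("with the key: %s (err=%v)\n", pt, err)

	tampered := append([]byte(nil), row.CardEnc...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored value
	_, err = DecryptField(key, "customers.card_number", tampered)
	fmt.Println("after a one-bit change:", err)

	_, err = DecryptField(key, "customers.backup_card", row.CardEnc)
	fmt.Println("moved to another column:", err)
}
```

Because GCM is an authenticated mode, the same operation that keeps the field confidential also detects tampering, which is why it is preferred over plain AES-CBC for this job; the remaining problem, and the one that decides whether the scheme is worth anything, is keeping the key away from anyone who can read the table.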
Effective IT security involves making sure you understand what information you need to protect and how valuable it is to you. You need to know the potential costs of a data breach, and then take appropriate steps to protect yourself and your customers. You need good controls to prevent breaches whenever possible, to detect breaches that you can’t prevent, and to help you recover from any breaches.
Encryption can be a great control to help preserve the confidentiality and integrity of your information. A comprehensive approach will help you to ensure that all sensitive data is encrypted both when it is at rest on a disk or device and when it is in transit on a network. So if you are thinking about improving your information security and you don’t already make use of encryption, it’s an excellent place to start!
Image Credit: Yuri Samoilov