In a world where data is currency and cyber attacks are becoming more sophisticated by the day, the importance of data encryption cannot be overstated.
Data exposure fallout
I woke up to yet another data breach notification recently:
Dear <First Name>,
Protecting the security of our customers' information is very important to us. We are writing to inform you about an incident that may have impacted your account.
Another service I used was hacked, rendering my precautions -- using a password manager and creating unique and complex passwords -- moot.
The email continued, "The personal information that was exposed could have included your name, address and/or date of birth."
At first glance, it's no big deal. My name, address and email are well known. But many banks and other financial institutions use date of birth as part of the authentication process, so I try to keep that information hidden.
Those with bad intent can combine data from multiple breaches and public records services to build a comprehensive profile, making it easy for even cybersecurity experts to fall victim to a social engineering attack.
While miserable on a personal level, it's nothing compared to the terror felt by the security teams and executives at JD Sports, T-Mobile, Mailchimp, PayPal and Chick-fil-A when each suffered a major data breach in January. And they're not the only ones.
Breaches large and small occur on an almost daily basis. Worse yet, for some of these companies and their security teams, it's not their first time being breached. Unfortunately for everyone, it won't be the last time either.
With companies storing an increasing amount of sensitive information online, it's crucial that we take proactive measures to protect data from prying eyes. Whether it's bank details, personally identifiable information, personal health information, product designs, customer lists, corporate financial records or any other sensitive data being stolen, the consequences of a data breach can be devastating. Organizations have fired security leaders and company executives, suffered brand damage and lost customers and revenue due to data breaches.
The power of encryption
People have wanted to keep their sensitive data and messages secret for a long time. Some examples include the Spartans and Julius Caesar. Around 600 B.C., Spartans wrote messages on pieces of leather wrapped around wooden rods. When unwrapped, the letters on the leather are meaningless. The message only made sense if the reader had the correctly sized rod. The Caesar cipher, which was used around 60 B.C., was a substitution cipher. It involved replacing each letter in the original message with another letter from a certain number of positions down the alphabet.
Encryption evolved in the mid-16th century when Italian cryptologist Giovan Battista Bellaso created the first encryption technique, or cipher, that uses a key -- an agreed-upon keyword that the recipient needs to know in order to decode and access the encrypted message.
Today, modern computer-based ciphers are used. With an asymmetric encryption cipher, encryption and decryption use two different keys. TLS -- the communications protocol for secure web communications (HTTPS) -- relies in part on asymmetric encryption, also known as public key encryption (PKI).
The security of RSA, a well-used PKI cipher, comes in part from the computational difficulty of determining the factor of two large prime numbers. It could take hundreds of years or more to determine the keys when using 4096-bit keys.
Whether using an early and easy-to-understand cipher or today's modern computer-based ciphers, encryption scrambles data so it can only be read by someone who has the key.
The power of data encryption is that it prevents malicious or negligent parties from reading sensitive data. Even when the attacker gets access to an environment and exfiltrates the data or snoops on data while in transit, if the data is encrypted the attacker can't access it. The data is therefore rendered useless.
Encryption solves one problem but creates a few more
Of course, encryption is not perfect. Attackers can still access encrypted data in the following ways:
- Attackers can get access to encryption keys. This leads to the challenge of key management, which includes the following precautions:
- securing and controlling access to encryption keys;
- routinely rotating (changing) keys over time; and
- replacing stolen keys to prevent unauthorized access.
- Attackers can find a weakness in the implementation of the cipher. In 2014, a vulnerability in the implementation of OpenSSL, known as Heartbleed, enabled a remote attacker to expose sensitive data. The vulnerability was patched the same month it was found, but many systems were still vulnerable and compromised for months afterward.
- Attackers can use brute force to figure out the keys. Even if we have 1 million possible keys, attackers can quickly try random keys or a brute-force attack through all 1 million to find the right key. The more key possibilities we have, the more secure our cipher is. Key size must be balanced, however, against the increased amount of storage space and time needed to encrypt and decrypt messages using larger keys.
- Attackers can break the cipher. In 1973, the U.S. adopted the Data Encryption Standard (DES) as a national standard. One of the first modern computer-based ciphers, DES remained in use until it was cracked in 1997.
Innovative technologies, such as quantum computing, have the potential to speed up the process to the point where the encryption cipher no longer secures data. Given the state of quantum computing today, there is no immediate danger. With rapid development, however, quantum computing could become an issue for encryption in the next decade. NIST has been working to devise and vet ciphers that can resist an attack from a future quantum computer.
Despite the problems, use encryption
Even with a few challenges, data encryption is a critical and foundational component of data security and privacy in today's digital age. It helps protect sensitive information from unauthorized access, theft and other security threats. Encrypting data ensures that even if it falls into the wrong hands, it cannot be easily read or understood.
It is an essential step for businesses, organizations and individuals to take to protect their data and maintain their privacy. Investing in solid data encryption is a smart decision that will pay off in the long run and ensure that your sensitive information stays secure.