If you work with any kind of private data, it is good to acquaint yourself with encryption and a growing number of requirements to protect sensitive data.
The Future Lab recently reported on the growing and costly instances of data breaches, and on the trends in various countries toward using encryption methods to combat unauthorized entry into buildings. The article also looked into how mobile devices are making data and passwords ever more vulnerable to capture by the wrong hands.
But what if you first have more basic questions about encryption, such as: What is it and where did it come from? What pressures are making companies worry about encryption more? What are the different types of encryption? And what sorts of technical and regulatory terms should you be conversant in, in case you need to investigate how your organization’s existing or forthcoming data encryption strategy or methods could affect physical security?
Encryption refers to various methods of turning plain text into unreadable patterns (ciphertext), which protects the text against unauthorized viewing and use. The receiver of encrypted text uses a “key” to return it to its original plain-text form. Public-key cryptography, which underlies Internet standards (see TLS, PGP below), uses an asymmetric key pair: one key is kept private and the other is distributed freely in public. Public-key encryption is commonly used for digital signatures in electronic banking.
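To make the key-pair idea concrete, here is an added illustration that is not part of the original article: a textbook RSA key pair built from two tiny, constructed primes (61 and 53), used first to encrypt and decrypt a message and then to sign and verify one. The function names, the sample message and the prime values are all assumptions chosen for the demonstration; real deployments use keys of thousands of bits and a padding scheme such as OAEP or PSS, which this deliberately minimal version omits.

```python
import hashlib
from math import gcd

# Constructed toy primes for illustration only; real keys are 2048+ bits.
P, Q = 61, 53


def make_keypair(p=P, q=Q, e=17):
    """Return (public_key, private_key) as (exponent, modulus) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, plaintext: bytes):
    """Encrypt each byte with the PUBLIC key; anyone may do this."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key, ciphertext):
    """Recover the bytes with the PRIVATE key; only its holder can."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest(message: bytes, n: int) -> int:
    # Hash the message and reduce it into the modulus range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signing uses the PRIVATE key, so only the owner can produce it."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verification uses the PUBLIC key, so anyone can check it."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    """Round-trip a constructed message and check a tampered signature."""
    pub, priv = make_keypair()
    msg = b"Transfer 100"                 # constructed sample message
    assert decrypt(priv, encrypt(pub, msg)) == msg
    sig = sign(priv, msg)
    altered = (sig + 1) % pub[1]         # any change to the signature breaks it
    return verify(pub, msg, sig), verify(pub, msg, altered)


if __name__ == "__main__":
    print(demo())
```

The two halves of the demonstration show the two uses the paragraph mentions: encryption, where the public key locks and only the private key unlocks, and digital signatures, where the private key produces a value that anyone holding the public key can check but nobody else can forge.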
According to “Foundations of Cryptography” at SecurityDocs.com, the development of this technology and science has deep roots in history, especially political or military history where secrets written in ink or on paper were paramount – up to the present when it is more often personal or company information in a digital form that is at stake:
“From the simplest ciphers of shifting letters, to mathematically provably secure ciphers of today, cryptography has progressed a long way. It also has widened to a number of uses and capabilities to fit an ever-growing number of applications. Cryptography makes it possible to keep data secure over an insecure network. It also makes it possible to keep private data on your computer safe from prying eyes. Even car thieves can be foiled by crypto systems in your remote unlock system.”
PGP Corporation, which got its name from the development of Pretty Good Privacy software in the 1990s, is a leading provider of email and data encryption software. Besides offering a wide range of encryption resources on its site, PGP also sponsors presentations and white papers such as “The Critical Need for Encrypted Email and File Transfer Solutions,” written by Michael Osterman and Linda Leung, available at Osterman Research.
If your company does business in the United States, consider that Osterman and Leung report only 5 states now remain without breach notification laws, and that “there are a growing number of U.S. federal requirements to protect sensitive data, as well as requirements in a number of other countries…” such as the Health Insurance Portability and Accountability Act (HIPAA) about health information disclosure, the Gramm-Leach-Bliley Act (GLBA), Privacy of Consumer Financial Information (Regulation S-P), the Payment Card Industry Data Security Standard (PCI DSS), and the Personal Information Protection and Electronic Documents Act (PIPEDA). These are all important acronyms to know if you work at or in partnership with financial services firms, or if your company stores or transmits credit card information in the process of doing business. For regulations specific to other countries, view the free Ponemon reports on recent trends in encryption.
Although you are unlikely to be the person responsible for encrypting data at your company, Osterman and Leung offer a detailed overview of the major methods to keep in mind, including:
Now that you are armed with some encryption basics, find out which of the methods from the list above your organization uses, and then discuss with management if it is robust enough, or if any planned changes to the management of encryption could pose new risks to physical security.
By Derek Scheips