

Protecting our personal information is paramount. Encryption serves as the virtual lock and key that keeps our data safe from prying eyes. But how does it work, and how does it apply to everyday situations like online shopping or messaging friends? Let's demystify encryption, exploring secret codes, advanced ciphers like AES 256 and RSA, and other powerful encryption techniques, all crucial for securing our digital infrastructure.
Alright, sounds good. But how does it work?

First, we need to understand that there are two types of encryption: symmetric and asymmetric, with a large variety in architecture.
Symmetric encryption is most commonly used for protecting data at rest.
What this means is that it's being stored in an established location such as a database, block and blob storage, or even on a local machine.
This differs from asymmetric encryption in that the key (private key) is only to be known by authorized parties. To provide confidentiality, which is just a fancy word for keeping information private, the key is rarely ever shared.
The most common ciphers for data at rest are AES-192 / 256, RC5, and 3DES. This isn't a post specifically about cryptography so I'll spare the details like cipher modes (XOR, Cipher Block Chaining, etc.) but you should be aware of the different categories and variants.

Asymmetric encryption, on the other hand, uses two or more keys.
One is intended to be private and the other(s) public. We won't go into the famous scenario of Bob and Kelly, but it's important to know that this is most commonly used for the encryption of data in transit, typically across open and public networks.
This is called data in transit because, as it sounds, it's for restricting the sharing of information with others across untrusted networks.

Geeknote: Common key ciphers for asymmetric encryption are RSA (2048) and Diffie-Hellman (DH), with ECC being a weaker key often used for IoT devices like mobile phones or medical equipment.
Okay? I'm starting to get a better understanding, but how do we implement this?
Implementing encryption of any kind involves several steps:
Key Generation: Generating encryption keys, which serve as the digital locks for our data.
Data Encryption: Using these keys to encrypt sensitive data, rendering it unreadable without the corresponding decryption key.
Key Management: Safeguarding encryption keys and managing their lifecycle securely.
In reality, this is just the tip of the iceberg: key management is an entire domain in and of itself.
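The three steps above, written out with Node's built-in crypto module. This is an added example, not code from the original post; the function names are hypothetical, and wrapping the data key with an RSA key pair is one assumed way to handle the key management step.

```javascript
const crypto = require('node:crypto');

// Step 1, key generation: a random 256-bit data key for AES-256.
function generateDataKey() {
  return crypto.randomBytes(32);
}

// Step 2, data encryption: AES-256-GCM with a fresh 96-bit nonce per record.
// The auth tag lets decryption detect tampering as well as a wrong key.
function encryptRecord(dataKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

function decryptRecord(dataKey, { iv, ciphertext, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Step 3, key management: the data key is never stored in the clear next to
// the data. It is wrapped with the public half of an RSA-2048 key pair, so
// only the holder of the private key can recover it.
function generateKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function wrapKey(publicKey, dataKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
}

function unwrapKey(privateKey, wrapped) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Rotation: re-wrap the small data key under a new key pair. The stored
// ciphertext is untouched, which is what keeps rotation cheap.
function rotateWrappingKey(oldPrivateKey, newPublicKey, wrapped) {
  return wrapKey(newPublicKey, unwrapKey(oldPrivateKey, wrapped));
}
```

The symmetric key protects the data at rest, and the asymmetric pair protects the symmetric key, so the private key is the one secret whose storage and lifecycle have to be managed.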
Implementation of encryption of any kind requires a managerial understanding of business processes.
We need to think about why and when it's appropriate and, when it is, select the most appropriate type after a thorough risk assessment. My recommendation is to reference any applicable regulations and compliance standards/frameworks, then reference the business narrative and asset inventory to understand what you're doing with the data and the tools you have at your disposal.
This process requires critical thinking. Here's a situation.
You have a system that was deployed without encryption, what do you do?
The question that needs to be answered first is, how did it get there? Who put the system into production, and how can the root cause be addressed? Was it deployed using infrastructure as code (IaC) via a push mechanism or process like Terraform? Maybe it was done in AWS via CloudFormation or perhaps an ARM (Azure Resource Manager) template.
If so, we should start there. Besides, if those templates aren't updated, they'll just continue to re-deploy unencrypted resources. Perhaps the Terraform script is missing this portion along with some configuration on the MySQL GUI.
resource "mysql_encryption_key" "example" {
  # Create an encryption key with AES-256
  key_id        = "aes256_key"
  key_algorithm = "aes256"
  key_length    = 256
}
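To catch a template that would keep re-deploying unencrypted resources before it is applied, the plan can be checked in the pipeline. This is an added example, not from the original post: it reads the JSON produced by `terraform show -json` and, as an assumption, checks two AWS resource types by their encryption attributes; the sample plan and the function name are constructed for illustration.

```javascript
// Resource type -> the boolean attribute that turns on encryption at rest.
// Assumed scope for this example: two AWS types; extend per asset inventory.
const ENCRYPTION_ATTR = {
  aws_db_instance: 'storage_encrypted',
  aws_ebs_volume: 'encrypted',
};

function findUnencrypted(plan) {
  const findings = [];
  for (const rc of plan.resource_changes || []) {
    const attr = ENCRYPTION_ATTR[rc.type];
    const actions = (rc.change && rc.change.actions) || [];
    // Only resources the plan will create or update can (re)deploy the gap.
    if (!attr || !actions.some((a) => a === 'create' || a === 'update')) continue;
    const after = rc.change.after || {};
    // Absent, null or false: the planned resource is not explicitly encrypted.
    if (after[attr] !== true) findings.push({ address: rc.address, missing: attr });
  }
  return findings;
}

// Constructed sample plan, trimmed to the fields the check reads.
const samplePlan = {
  resource_changes: [
    { address: 'aws_db_instance.orders', type: 'aws_db_instance',
      change: { actions: ['create'], after: { engine: 'mysql', storage_encrypted: false } } },
    { address: 'aws_db_instance.billing', type: 'aws_db_instance',
      change: { actions: ['update'], after: { engine: 'mysql', storage_encrypted: true } } },
    { address: 'aws_ebs_volume.scratch', type: 'aws_ebs_volume',
      change: { actions: ['create'], after: { size: 20 } } },
    { address: 'aws_ebs_volume.legacy', type: 'aws_ebs_volume',
      change: { actions: ['no-op'], after: { size: 50 } } },
  ],
};

console.log(findUnencrypted(samplePlan));
```

Failing the pipeline when the returned list is non-empty addresses the root cause in the template rather than patching each deployed system by hand.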
Perhaps you're storing sensitive information in CosmosDB, a popular storage solution for documents provided by Microsoft Azure. Or maybe you're using good old, reliable MySQL. If this is the case, after performing your risk assessment, my advice is to reference vendor documentation on how their solution incorporates this functionality.
After searching for less than a minute, here's a link to the documentation.
MySQL :: MySQL Enterprise Transparent Data Encryption (TDE)
Of course, there are newly introduced risks that have to be considered, such as networking and access controls. Which users, roles, hosts, subnets, and IPs can access this database? Which privileged accounts are used to access the database? Should this database only access sensitive information through an API? Which application account is used to access the data? Is the account hardened?
Or perhaps, after a third-party or vendor risk assessment, you've deemed their offering unsatisfactory and want to build your own. With encryption libraries, you can do just that. But that can take a lot of time and overhead, and there are many solutions from companies like Vormetric, Broadcom, Check Point, etc.
Another alternative is simply to not store the sensitive data, which may not be possible. But it all starts with understanding your organization's needs to meet the bottom dollar.
So, this has been an introduction to encryption from a business perspective.
I'm sure that we'll cover more topics and even videos on different ways to incorporate these controls, but if there's anything specific that you're interested in learning about, feel free to reach out on LinkedIn or the Contact page.
Until next time, be safe, lock your doors, and be aware of your environment.
"Security is like oxygen: you tend to notice it only when it's missing." - Ted Koppel
ABOUT
This website is published to share cybersecurity-related information, resources, and posts written and curated by Christopher Monroe.