By Rebecca Herold
Last updated: March 28, 2021
Throughout my career there has been one question that my clients, students, readers and listeners have consistently and frequently asked.
What encryption solution should we use?
Given that computing technology is always evolving, which in turn affects encryption and calls for stronger and different types of it, this is not surprising.
Many of the organizations I help (one-person, small, medium and large), including many start-ups of all sizes, are under the assumption that if they get one encryption solution, they will be able to encrypt all their data in all places and in all situations. Throughout recent years I’ve also spoken to dozens of business owners, CEOs and lawyers who were under the incorrect assumption that HTTPS encryption kept the data encrypted everywhere. Dangerous assumption!
Every type of organization will typically need to use at least two, and usually more, types of encryption solutions to meet its needs. Why? Because each organization needs to encrypt personal data, sensitive data, and a wide range of other types of regulated data, wherever that data is collected, stored, or transmitted.
It is important to understand that there are many different types of encryption solutions. Some are specific to server storage, some to mobile storage devices, some to encrypting computer hard drives, some to data transmissions; others are specific to particular email solutions, to texting, to VoIP, to file transfer processes (FTP), and so on.
Before choosing the encryption solution best for your organization’s needs, you need to first realize that there are two basic data states where encryption will be used:
Data at rest. This is data stored in a server, on a mainframe, on your computer hard drive, in a cloud server, on a USB storage device, on a DVD, and so on. Anywhere data is stored.
Data in transit. This is data being moved from one place to another, such as being sent by email, going through the Internet, going through the company network, sent using VoIP, and so on.
When considering how to encrypt your sensitive data, you need to think about what data items you have in each of these two states. There are abundant examples of situations throughout the lifecycle of sensitive data where encryption is needed. If you store a lot of data on laptops and USB drives, then device encryption is essential. If sending sensitive attachments is a potential issue, then you need to identify a feasible email encryption solution.
Here is an overview of some of the most common situations where encryption should be used for personal information, and any other type of sensitive information.
Here are some of the common ways in which data can be encrypted in storage:
Full-disk encryption. This is used to encrypt all the data stored on desktops, laptops, and other computing devices. It is often implemented in conjunction with boot disk encryption.
File and folder encryption. This encrypts specific files, folders or databases, typically located on central servers, hard drives, or large-capacity storage computers. It encrypts only those areas, not the entire storage device.
Removable media encryption. This protects data on portable devices such as USB drives, CDs, removable hard drives and other types of external storage media. Some of these devices come with settings that allow them to be fully encrypted, but that setting is typically not the default.
Cloud encryption. Data that is stored within a server that is accessed through the Internet. Just a few of the millions of potential services include Dropbox, Salesforce, Basecamp, Slack, Carbonite, Alibaba Cloud, and AWS. If you use a cloud service to store protected health information (PHI), or any other type of personal or sensitive information, make sure the service uses strong encryption.
You need to use some type of encryption for the following types of data pipelines:
Data passing through private or public networks
All communications passing through the network, including the metadata associated with the specific data items
Accessing data on a network from a remote location
Sending data via a file transfer process (FTP)
Using a wireless network
Collecting personal and sensitive data from apps
Data collected through IoT devices
The encryption solutions for these are often TLS, SSL or HTTPS; WPA2 or WPA3 (preferred over WPA2 where available) for wireless network transmissions; Internet Protocol Security (IPsec), which encrypts all the IP packets transmitted during the communication sessions; or encryption incorporated within a virtual private network (VPN) implementation.
Email encryption. There are encryption solutions for encrypting the body of email messages, for email attachments, for email headers and metadata, and/or for combinations of these.
Texting. Most organizations are sending sensitive data within text messages. I’ve seen this often within hospitals and clinics for doctors, nurses and other patient care providers. There are solutions specifically for these situations.
Instant messaging. These types of peer-to-peer (P2P) messaging are widely used within organizations to accommodate work team communications when teams are geographically dispersed, for consultants communicating with remote clients, and so on. These messages are vulnerable to eavesdropping and interception. If sensitive information is being sent, those communications need to be encrypted.
Social media messaging. There are a few tools that can be used to encrypt messages sent using LinkedIn, Facebook, and the messaging features of other types of social media sites. Never send sensitive business information through these types of messaging tools without encrypting it. If you can’t feasibly implement social network messaging encryption, then simply do not use it for business.
Voice over Internet Protocol (VoIP). If you use VoIP, you need to encrypt the communications. Make sure you use Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP) to strongly encrypt, and protect, every call.
Sensitive information collected on websites for retail sales transactions, and other types of activities involving sensitive information, needs to be encrypted. The most common way is through the use of TLS, SSL or HTTPS to protect it at the point of collection, and then as it is subsequently passed on to the destination server, where it is decrypted when stored (unless you implement another solution to keep it encrypted at rest). TLS is more secure than SSL. Additionally, most newer web browsers do not support SSL 2.0 and SSL 3.0. In 2014 Google Chrome stopped supporting SSL 3.0, and most other major browsers stopped supporting TLS 1.0 and TLS 1.1 in 2020.
Many of you are probably asking yourselves after reading the previous sections: What are some strong encryption solutions? There are many! I am not endorsing any of them in particular; what you choose needs to be based upon your needs and the associated risks for the data involved. However, I do recommend that whatever you choose has the following characteristics:
AES-256: Symmetric-key encryption (256-bit key). Used for encrypting data at rest and in transit.
RSA-4096: Public-key encryption (2048-bit keys as a baseline, but use 4096 bits if available and feasible in the environment where it will be used). Usually for data in transit (and traditionally in TLS). Often used in combination with other encryption algorithms, and also for digital signatures.
Here are some good resources from the U.S. National Institute of Standards and Technology (NIST):
NIST SP 800-67 Rev. 2: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher https://csrc.nist.gov/publications/detail/sp/800-67/rev-2/final
NIST SP 800-57 Part 1 Rev. 5: Recommendation for Key Management – Part 1: General https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
NIST SP 800-133 Rev. 2: Recommendation for Cryptographic Key Generation https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
I’ve written many encryption articles over the years. Here are a few you may find useful:
Use Encryption despite Your NSA Snooping Fears http://privacyguidance.com/blog/use-encryption-despite-your-nsa-snooping-fears/
Encryption: Myths and Must Knows http://privacyguidance.com/blog/use-encryption-despite-your-nsa-snooping-fears/
Top 4 Reasons Encryption Is Not Used http://privacyguidance.com/blog/top-4-reasons-encryption-is-not-used/
Every organization, in all industries, of all sizes, in all locations, needs to encrypt personal data, and a wide range of other types of sensitive and confidential data, at one or more points throughout the full data lifecycle. Organizations need to identify the riskiest points throughout those lifecycles, and then determine the types of encryption solutions that best fit their own business environment.