Data Encryption

Encryption: choose the best!

Today, a lot of encryption solutions are available in the market. But understanding the differences among products is often a hard job due to the complexity of the encryption algorithms. Here some practical suggestions that can help you in choosing the right solution for you and your business.

After the Whatsapp decision at the end of 2015, to encrypt messages sent by its users, encryption has jumped to the forefront as a topic for discussion on social media.

Data encryption techniques, however, are not all the same, and understanding  the operation requires advanced knowledge of higher mathematics  and analytical concepts  that the average user rarely possesses. In an article published on Techbeacon.com last July, Luther Martin, software engineer of HPE, after a brief excursus in the fields of Economics, provides some useful tips to navigate the intricate world of data encryption

According to Martin, products that implement encryption are probably credence goods, that is goods whose properties cannot easily be checked, either before or after they are consumed. As well as many medicines are credence goods, because it is difficult to tell if your recovery was really due to the medication, a placebo effect, or even simply your body recovering on its own. It takes expensive and uncommon skills to verify that data is really being protected by the use of encryption, and most people cannot easily distinguish between very weak and very strong encryption. Even after you use encryption, you are never quite sure that it is protecting you.

Being a good in that you can just “believe”, is there a practical way to differentiate your offering and directing the choice towards those products that ensure more secure data protection and compliance in those areas where they are more restrictive?

There are many things to consider when selecting what type of encryption you should use and how to deploy it effectively to protect your sensitive data, but one criterion stands out as more important than all of the others: whether or not a given technology has been validated against the US government’s FIPS 140-2 standard (http://csrc.nist.gov/groups/STM/cmvp/standards.html). If you select encryption that meets this criterion, it will almost certainly be acceptable to your auditors, which is just as important as any other aspect of the technology.

(source http://techbeacon.com/software-engineers-guide-encryption-how-not-fail)

How Encryption can Help Your Business

The new GDPR will be effective in May 2018, stating new rules (and setting new and heavier penalties). Don’t look at it as a threat, but as an opportunity for improving your organization’s security!

The new European General Data Protection Regulation – effective in may 2018 – introduces important new features that will have a major impact on how organisations process personal data at their disposal (of employees, suppliers, customers) especially in the event of non-compliance. Here, we summarize briefly the main changes:

• Data protection standards: companies will have to implement all technical and organisational measures to ensure proper protection of personal data they hold. In particular:encryption and secure pseudonymisation;

  resistance of systems and services that process data;

  with adequate measures to ensure availability and recovery of data access in the event of a data breach;

  frequent verification of the effectiveness of the measures put in place.

• Need to notify any data breach: this notification shall be made to the data protection authority and, in the case of identity theft or fraud or other economic and social damage resulting from the data breach, to all interested parties. No notification is due, in the latter case, if the company can demonstrate that they have put in place appropriate security measures.

• Penalties: If a company is not in compliance with obligations under GDPR, faces a penalty of up to 10 million of euros or equal to 2% of the global annual turnover. In the event of a data breach, the latter percentage can go up to 4%.

Now, a number of studies have pointed out that about 90% of successful data breaches are due to human errors. Let’s consider the case of Eastern Health, one of the largest health providers in Canada’s Newfoundland and Labrador provinces, 

In June 2015, Eastern Health announces that a flash drive containing the personal information of around 9,000 employees has been lost. There is nothing to suggest that the information on the USB drive will be used for a fraudulent purpose. Actually, Eastern Health is saying that they have no idea where this flashdrive is. It could be at the bottom of someone’s drawer or fell down a sewage drain, sure, but it could also have been dropped on a busy city street or left on a subway. You can’t account for who will pick up a drive that you have no clue how to locate.

Then, two months later, a very interesting development was announced . The flashdrive was found – in an office file cabinet. Eastern Health had it in their offices the entire time. A happy end, isn’t it? Yes, for sure, from the point of view of protecting the privacy of employees, but a happy ending which costs the organization, to conduct research and to check the damage, about 100,000 dollars that could be saved by adopting some basic preventive precautions and operating with less levity.

Another recent survey indicates that though 64 percent of respondents report having data sharing and usage policies, only 30 percent have Data Loss Prevention solutions in place. Yet, according to Corey Nachreiner, WatchGuard Security Strategy Director, five simple steps CIOs and IT managers could be taken to protect the organization’s critical data assets from both intetional and accidental data loss.

• Do a Data Inventory – What sensitive data does your organization have? Where do you store this data? Why does the organization need this data? Who needs access to it? How do they use the data? You need to find out in order to protect it.
• Create a Data Policy – Good information security always starts with a well-thought out policy. Even the best security technologies cannot replace good planning.
• Leverage Access Control – You may already have many good tools to help, such as OS authentication, identity access management, firewalls, network ACL and other security controls. But, are you using them? The simple step of segmenting your trusted users from one another based on their roles can help.
• Use Encryption – Encryption can be expensive, but for data at rest and in motion, it is vital for sensitive documents. However, you don’t have to encrypt everything. If you learn where your organization stores its most vital data, you can concentrate on just encrypting that.
• Adopt DLP Technology – Vendors are offering cost-effective and easy-to-use solutions that can help organizations detect and block sensitive data at rest, in use and in motion. Consider Unified Threat Management (UTM) solutions that integrate DLP technology and allow it to be centrally managed through a single console. Gateway-based DLP technologies found on UTM devices can solve a big portion of the problem for a fraction of the cost and complexity of other solutions.