The human desire for privacy in communication is perhaps as old as the desire for communication itself. The scrambling of messages through encryption, into a form that only the intended recipient can understand, has been going on for centuries, with Julius Caesar’s cipher being one of the most cited early examples. A lot has changed since then, but in today’s digital, connected world the need for encryption is as strong as ever. This is reflected in the widespread adoption of encryption technologies and solutions in enterprises across the world. What are some of the business drivers for enterprises to adopt encryption? This article explores some of the important ones.
- Protecting sensitive / classified information: Every company deals with sensitive and confidential data. This could be their own data, such as information related to their core Intellectual Property (IP) or their contracts with customers and partners. This could also be as a custodian of sensitive data that has been shared with them by a customer or partner – an example being personally identifiable information (PII) of customers for enterprises which are in the Business to Consumer (B2C) space. Protecting such sensitive and confidential data is of paramount importance for any business and this is where encryption plays a key role.
- Compliance with data privacy security regulations & standards: Europe’s General Data Protection Regulation (GDPR), which came into force in May 2018, is a well-known example of how legislations are being put in place for data protection and privacy. In the US, data privacy laws are usually sector and state specific, an example being the California Consumer Privacy Act (CCPA) of 20181. Another example is the Payment Card Industry Data Security Standard (PCI DSS) for the financial services industry, which is applicable globally. The encryption of consumer data is one of the fundamental requirements for all these regulations, with both in-transit data as well as data at rest being covered within the scope for encryption. While the choice of encryption algorithms, technologies and vendors is left to the enterprise, non-compliance can lead to significant penalties, especially in the event of data breaches.
- Protection against known threats: There are several known threats to data security that exist today. An example could be the threat to data stored on the cloud. As enterprises move more and more data to the cloud, the risk of breaches increases since the data no longer resides within the organization’s physical boundaries and network security perimeter. It is not enough to depend only on the cloud service provider’s data security mechanisms. Enterprises need to have their own cloud data encryption strategy in place. Companies can choose to encrypt data on-premise before sending it to the cloud, or encrypt the data after it moves to cloud, using technologies and compute power from the cloud provider2. Another example of known threats could be at an application and application programming interface (API) level. Enterprise applications as well as APIs exposed to the outside world are always vulnerable to attack. It is critical that any interfaces and communication channels these applications have with the external world are protected using encryption protocols such as Secure Sockets Layer (SSL) and its newer version Transport Layer Security (TLS). As a third example, attacks on databases for such applications (or independent data stores maintained by the enterprise) are another known threat. Database security through encryption can be implemented at three levels – encryption of any configuration files with database access information (e.g. those used by web and application servers), encryption of the data stored in the database, and sometimes encryption of the entire file system where the database is stored.
- Limiting the liability of data breaches: Whatever the precautions, it is a fact that data breaches can happen – any enterprise that believes otherwise is living in a fool’s paradise. The fallout of data breaches can be significant, and the resulting liabilities can be enormous. Apart from the financial and legal liabilities of data breaches, enterprises also must deal with the reputational damage and the loss of customer trust. Strong encryption mechanisms applied to sensitive data in the enterprise can ensure that even in the event of a data breach, the stolen data cannot be used by the attackers. While these are some of the key business drivers for enterprises to adopt encryption today, must be noted that encryption alone is not a ‘silver bullet’ solution to all data threats. For example, insider threats account for a large number (reports vary between 60% – 75%) of data breach incidents. If insiders have access to encryption keys and once those keys are compromised, not much can be done. That’s why Enterprise Key Management goes hand-in-hand with any effective enterprise encryption strategy. And similarly, Encryption should be addressed as a part of a larger, holistic solution to implementing cyber security in the enterprise.
1A comparison between the CCPA and GDPR is available in an earlier blog, available at this link: https://www.encryptionconsulting.com/2019/01/10/summary-of-the-california-consumer-privacy-act-and-comparison-with-the-gdpr/
2In either scenario, key management becomes an important issue – but that is out of scope for this article and will be covered in a future topic