
Symmetric and asymmetric encryption are the two types of encryption used in cryptography. Symmetric encryption involves only one key, which is used for both encryption and decryption. The key has to be shared among the parties who wish to encrypt and decrypt data. In comparison, asymmetric encryption uses two separate keys that are mathematically related to each other. The keys are called the private key and the public key. Generally, a certificate is associated with a public key and holds information about the public key's owner, such as name, organization name, and algorithms used. Although the two approaches seem similar, symmetric encryption is considerably faster than asymmetric encryption, which is why symmetric encryption is often used in conjunction with asymmetric encryption. We will explore this further in the use cases discussed below.

Symmetric Encryption

As discussed above, symmetric encryption uses the same key for encryption and decryption, so the sender would somehow send the key to the receiver to decrypt the encrypted data. The key involved has to be protected and transferred securely. If the key is lost, then the data cannot be decrypted, and if the key gets compromised, that will compromise the encryption. 

Thus, symmetric keys are transferred among parties using asymmetric encryption, ensuring that the symmetric key remains encrypted. Two different keys are now involved in encrypting and decrypting the data.  

Symmetric encryption is comparably much faster than asymmetric encryption, which is why it is still used massively today.  

Asymmetric Encryption

Asymmetric encryption uses two separate keys that are mathematically related to each other. The first key is called the private key, and it is the one that is heavily protected. Often this key remains in an HSM or an air-gapped computer to ensure its protection. The public key is derived from the private key and can be distributed. A certificate is often created for a public key, containing information about the key's owner and a few details about the key itself.

The key pair relies on very large prime numbers. The public and private keys are computed together, using the same mathematical operation, namely a trapdoor function. The defining characteristic of trapdoor functions is that they are simple to compute in one direction but difficult to compute in reverse. Using a private key, we can find the public key, but the private key cannot be obtained from the public key.

Even though asymmetric encryption provides more protection to the keys, it is comparatively slower than symmetric encryption. For this reason, asymmetric encryption is often used to exchange the secret key, which is then used to establish symmetric encryption for faster data transfer and faster encryption and decryption of the data.

Use Cases

Symmetric Encryption
Symmetric Encryption uses one key for encryption and decryption, which is why it is best used to encrypt and decrypt local data. Some of the use cases involving symmetric encryption can be: 

  •  Data at rest: Data at rest refers to data stored in a physical drive and is not transferred among devices. This data can be stored in hard drives, SSD, flash drives, etc. Data at rest often involves data that can be valuable to attackers as it usually contains customer information, employee information, trade secrets, Intellectual Properties, etc. To be able to protect this data adequately, organizations use symmetric encryption.
    One effective way to encrypt all the data in a physical drive is to encrypt the drive itself. This is called whole disk or full disk encryption, which has fewer benefits than partial or folder encryption. Many files (such as Word files) create a temporary file while they are open. This temporary file can remain unencrypted. Many Linux distributions provide full disk encryption while installing the operating system, and Microsoft delivers BitLocker Drive Encryption for Windows. Full drive encryption leaves the boot volume unencrypted so the operating system can boot, but every other volume, including swap space and temporary files, remains encrypted.
  • Banking and Payment Industry: The banking and payment industry is one of the most secure industries, and many compliance requirements are involved in keeping it safe. Nevertheless, it is also one of the busiest industries, which requires it to be fast. Symmetric encryption provides fast encryption and decryption of large amounts of data, including transactions. This data often contains Personally Identifiable Information (PII), which needs to be protected to comply with PCI DSS and to prevent identity theft. The industry also needs to verify the identity of the user and the authenticity of transactions quickly. This is one of the reasons why the banking industry uses symmetric encryption.

Asymmetric Encryption 
Asymmetric Encryption is slower than symmetric encryption, so it is used for small amounts of data, such as exchanging secret keys or providing digital identities.

As organizations move to the digital age, digital signatures become crucial for identifying authentic data and confirming someone's identity. A digital signature shows that the data involved (which can include PDFs, applications, etc.) has not been modified and is authentic. The recipient of signed data can use the digital signature to demonstrate to a third party that the claimed individual generated the signature. This is often called non-repudiation, since the individual cannot simply repudiate the signature at a later time.

The following steps explain how a digital signature is used to exchange information between a sender and a receiver:

  1. First, the data that would be transferred is hashed using some hashing algorithms such as SHA-256. Hashing is a one-way function and produces a unique value for unique input. The original data cannot be obtained using the hash value. This ensures data integrity, as if the data is modified, the corresponding hash value will also change.
  2. The hash is then encrypted using the sender’s private key. This creates a digital signature.
  3. The digital signature is now attached to the data and sent to the receiver.
  4. After receiving the data and the digital signature, the signature is decrypted using the sender’s public key, which provides the hash value generated on the first step.
  5. The receiver then hashes the obtained data.
  6. If the hash obtained in step 5 is equal to the hash the receiver recovered in step 4, data integrity is confirmed. If, however, the hashes do not match, then the data has been modified.
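
The six steps above can be followed in code. This is an added example, not code from the original article: it uses unpadded "textbook" RSA so that the hash, sign and compare steps stay visible, and the key pairs are constructed demo values built from Mersenne primes. The names make_keypair, sign, verify, ALICE and MALLORY are hypothetical; production systems use library-generated keys and a padded scheme such as RSA-PSS.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Build ((e, n), (d, n)) from two primes. Demo only: no padding, fixed primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


# Constructed demo keys. Mersenne primes are public knowledge, so these keys
# give no security; they only make the example deterministic and offline.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**1279 - 1, 2**127 - 1)


def digest_as_int(data: bytes) -> int:
    """Step 1 (sender) and step 5 (receiver): SHA-256 of the data as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Step 2: transform the hash with the sender's private key."""
    d, n = private_key
    h = digest_as_int(data)
    if h >= n:
        raise ValueError("modulus too small for a SHA-256 digest")
    return pow(h, d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Steps 4-6: recover the hash with the public key and compare it
    with a fresh hash of the received data."""
    e, n = public_key
    if not 0 < signature < n:          # reject out-of-range values early
        return False
    recovered = pow(signature, e, n)   # step 4
    return recovered == digest_as_int(data)  # steps 5 and 6


if __name__ == "__main__":
    message = b"Transfer 100 EUR to account 12345"  # constructed sample data
    signature = sign(message, ALICE_PRIV)            # step 3: send both

    print("untouched message :", verify(message, signature, ALICE_PUB))
    print("modified message  :", verify(message + b"0", signature, ALICE_PUB))
    print("modified signature:", verify(message, signature ^ 1, ALICE_PUB))
    forged = sign(message, MALLORY_PRIV)
    print("signed by Mallory :", verify(message, forged, ALICE_PUB))
```

Verification fails in all three negative cases: changed data, a changed signature, and a signature produced with a private key that does not match the public key used for checking.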

Digital signatures are meant to be used in emails, transferring data, distributing software, and other applications, requiring data integrity and ensuring the authenticity of the data origin.

Use case of Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption are often used in combination with each other to balance performance, secure transfer, identification, etc., which neither can achieve alone.

Use case 1: Messaging Applications

Many messaging applications such as WhatsApp, Telegram, and Signal provide end-to-end encryption to provide confidentiality for the users involved and to authenticate users so they can communicate with each other securely.

In end-to-end encryption, the messages and calls are encrypted so anyone apart from the users would not obtain plaintext information. Only the data is encrypted, but the headers, trailers, and routing information of the messages remain unencrypted.

One of the best features is that even if the key is somehow compromised from the user’s physical device, that key cannot be used to decrypt any previously encrypted text.

To be able to achieve this, both symmetric and asymmetric encryptions are used. Asymmetric encryption is used to initiate the conversation among the users, which involves exchanging secret keys for symmetric encryption. After the communication is established and a secret key is exchanged, symmetric encryption is used for the whole duration of the communication.

First, when the application is installed on the user’s end, the key pair is created. The user’s public key is registered and stored in the application server, but the private key remains in the user’s device. The user who wants to initiate the conversation obtains the receiver’s public key from the application server. Using the public key, the sender sends an encrypted message to the receiver. The encrypted message contains parameters to establish a symmetric session among the parties involved. The receiver would use their private key to decrypt the message and develop symmetric encryption between the sender and the receiver. Once the session has been established, clients exchange messages protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The encrypted session would be recreated only when the application is re-installed, or the device is changed.  

Use case 2: HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.  HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80. 

The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is essential for securing online activities such as shopping, banking, and remote work. HTTPS is now the standard protocol for all websites, whether or not they exchange sensitive data with users.

An HTTPS connection between a client and a server uses both symmetric and asymmetric encryption. As in the previous use case, asymmetric encryption is first used to establish communication and exchange secrets, and then symmetric encryption is used for the rest of the communication. The keys used for symmetric encryption are called session keys. Session keys are randomly generated when a session is created and are used for that particular session only. The steps involved in HTTPS are:

  1. When the client tries to connect to the server, the server first sends a TLS certificate. The respective CA would verify the certificate to ensure the authenticity of the certificate and the server involved.
  2. The certificate also contains cipher suites and the maximum TLS version supported.
  3. After the certificate is verified and the algorithms and TLS versions are set to be the maximum among the client and the server, the client generates a session key. The session key is encrypted using the server’s public key and is sent to the server.
  4. The server decrypts the session key using its private key.
  5. The session key is then used for symmetric encryption, and data is exchanged among the server and the client using the session key.
  6. The session continues with only symmetric encryption.

Conclusion

Symmetric encryption is indeed one of the fastest encryption techniques, but the secret key needs to be exchanged securely to be effective. Asymmetric encryption is thus used to exchange the key involved for symmetric encryption. In both use cases, asymmetric encryption is used briefly to exchange parameters and establish symmetric encryption used for the rest of the communication.  Being slow and resource exhaustive, asymmetric encryption is only used to cover the shortcomings of symmetric encryption. Thus, both of them are used together to achieve ideal secure communication, maintain privacy, achieve authenticity, data integrity, and proper authentication. 

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.


Organizations nowadays store and process their data in the cloud instead of handling it themselves. Cloud Service Providers (CSPs) provide these services at an affordable cost and with low maintenance. To ensure compliance and retain privacy, organizations need to transfer the data in an encrypted format, which ensures the confidentiality of the data. However, once the data reaches the cloud, the CSP has to decrypt the data to perform any operation or computation.

Decrypting the data at the CSP loses the data's confidentiality, which may leave the organization non-compliant with data privacy regulations such as GDPR, FIPS, PCI DSS, CCPA, etc.

What is Homomorphic Encryption?

Homomorphic Encryption makes it possible to do computation while the data remains encrypted. This ensures the data remains confidential while it is being processed, which allows CSPs and other untrusted environments to accomplish their goals while we retain the confidentiality of the data.

As with other asymmetric encryption, data under homomorphic encryption is encrypted using a public key and can only be decrypted by the respective private key. But while the data is encrypted, operations can be performed on it, which retains confidentiality and helps organizations achieve compliance even when using untrusted environments.

Why do we need Homomorphic Encryption?

Data creation has increased tremendously in recent times, and that data is sent to or stored in multiple environments belonging to other parties such as CSPs or other third-party organizations. From startups to big organizations, everyone uses CSPs to store or process data, where tools such as Big Query are used for data processing.

CSPs do provide some control over the data customers store in their environments, but those controls depend on CSPs. While users can encrypt and store data on CSPs, conducting computation on the data would be limited. Thus, standard encryption is only limited to data storage alone and does not provide any meaningful analysis that can be used.

To be able to process data while ensuring data privacy, researchers are focusing on privacy-enabled computation. Homomorphic Encryption (HE) is one of the promising approaches in this direction.

Types of Homomorphic Encryption

Homomorphic Encryption allows computation on encrypted data without decrypting. Mathematical operations that can be performed on the ciphertext differentiates the types of Homomorphic Encryptions.
They are mainly of two types:

  1. Partial Homomorphic Encryption (PHE) (supports either addition/multiplication, but not both)
  2. Fully Homomorphic Encryption (FHE) (supports both addition and multiplication)

Partially homomorphic schemes such as the RSA and Paillier cryptosystems support either additive or multiplicative homomorphism. In 2009, Craig Gentry proposed the first FHE scheme, based on lattices. An FHE scheme usually supports addition and multiplication on ciphertexts as follows:

HE(a+b) = HE(a) + HE(b) and HE(a*b) = HE(a) * HE(b)

That is, the encryption of the sum or product of two plaintexts is equal to the sum or product of the two corresponding ciphertexts.
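
The two partially homomorphic schemes named above can be tried directly. This is an added example, not code from the original article: it implements Paillier (additive) and unpadded RSA (multiplicative) with constructed toy primes, and all function names are hypothetical. Note that in Paillier the operation applied to the ciphertexts is a multiplication modulo n², and it is the plaintexts that get added.

```python
import math
import secrets

# Constructed toy primes (Mersenne primes 2^61-1 and 2^89-1). Far too small
# and too well known for real use; chosen so the example runs offline.
P, Q = 2**61 - 1, 2**89 - 1


def paillier_keygen(p: int, q: int):
    """Return (n, (lam, mu)) using the common simplification g = n + 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:
        raise ValueError("primes unsuitable for Paillier")
    lam = phi // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                  # valid because g = n + 1
    return n, (lam, mu)


def paillier_encrypt(n: int, m: int) -> int:
    """c = (1 + n)^m * r^n mod n^2, with fresh randomness r per ciphertext."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n2) % n2


def paillier_decrypt(n: int, private_key, c: int) -> int:
    lam, mu = private_key
    x = pow(c, lam, n * n)
    return (x - 1) // n * mu % n


def paillier_add(n: int, c1: int, c2: int) -> int:
    """Ciphertext operation that adds the underlying plaintexts."""
    return c1 * c2 % (n * n)


def paillier_scale(n: int, c: int, k: int) -> int:
    """Ciphertext operation that multiplies the plaintext by a known constant k."""
    return pow(c, k, n * n)


def rsa_keygen(p: int, q: int, e: int = 65537):
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    return pow(m, e, n)   # unpadded: this is what makes RSA multiplicative


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    n, priv = paillier_keygen(P, Q)
    c_a, c_b = paillier_encrypt(n, 1200), paillier_encrypt(n, 345)
    # The party holding only n and the ciphertexts computes these:
    c_sum = paillier_add(n, c_a, c_b)
    c_triple = paillier_scale(n, c_a, 3)
    print(paillier_decrypt(n, priv, c_sum), paillier_decrypt(n, priv, c_triple))

    pub, prv = rsa_keygen(P, Q)
    c_prod = rsa_encrypt(pub, 6) * rsa_encrypt(pub, 7) % pub[1]
    print(rsa_decrypt(prv, c_prod))
```

The padding that real RSA deployments apply removes this multiplicative property on purpose, since malleable ciphertexts are a weakness when integrity matters.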

Applications

HE makes it possible to achieve privacy-preserving computation in almost every scenario. Some of those include:

  1. Private Search

    Search engines rely on ads to generate revenue. While serving searches to their users, search engines get a better view of the user's preferences, which helps them provide customized ads for the users they serve. Homomorphic encryption solves this privacy problem. Search engines can crawl the encrypted data, process it as the algorithm is designed to, and serve the user with encrypted data. The user gets the desired result, while the search engine remains unaware of the data requested, which keeps preferences private and makes it more challenging to serve ads.

  2. Encrypted Databases

    In any cyber-attack, databases are often the most crucial infrastructure to protect. A breach may cost an organization a considerable fine for non-compliance and a bad reputation to go along with it. Several security measures are kept in place, which include encrypting the database. In case of a breach, the database would remain encrypted and could only be decrypted by a specific key, preventing unauthorized access to the database.
    If we employ the standard encryption, the encrypted database will not allow any operations on the records. We can use deterministic encryption, order-preserving encryption, and order-revealing encryption to support the encrypted database. But these would lead to leakages, such as memory access patterns and search patterns.
    With Homomorphic Encryption, it is possible to encrypt data in the database to obtain confidentiality, while we can also perform operations and computation on the data. Only authorized users with the key to decrypt the database can access the data in the database.

  3. Computation on Cloud

    Cloud Computing saves money and reduces maintenance that an organization needs to maintain its infrastructure for the services offered. Organizations can lease cloud infrastructure on a need basis to run their applications. CSPs also provides the ability to scale up according to the load on the infrastructure. Since the service providers typically manage clouds, organizations require the CSP to be compliant and get better privacy and security for their organization.
    If we choose to keep the data encrypted on the cloud and perform operations on those encrypted data, it will make CSP’s compliance and security measures less relevant. CSPs can maintain the infrastructure that store and process the encrypted data, while never accessing the plaintext.

Limitations and Drawbacks

Homomorphic Encryption computations are slow, and only a finite number of operations can be performed on the encrypted data. FHE based computation is at least 10^6 times slower than computation on the plaintext.

Homomorphic Encryption is also not feasible for multiple users. If we have a database, which we would need multiple users to access, we would need to create a separate database for every user, which is encrypted using the user’s public key. This would become impractical if the number of users increases or the size of the database increases.

Conclusion

Homomorphic Encryption in the current state is computationally expensive and practically inefficient. It can certainly be used to encrypt data, while we can perform different computations on the data. HE enables privacy-preserving computation, which helps us work with untrusted environments while maintaining the data’s confidentiality. Check out Format Preserving Encryption if interested in privacy-preserving computations.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Below are the top features of the leading commercial key management solutions:

  • Leading commercial key management solutions have dedicated hardware/software appliances for key storage that can be on the Cloud or on-premises. This key storage is only accessible by the customer, and allows the customer to inject the key into any CSP.
  • Commercial key management solutions are up to FIPS 140-2 Level 4 compliant and support symmetric and asymmetric keys. They also support AES – 128, 192, or 256 bit keys, RSA keys with  SHA-1, SHA-256, SHA-384, SHA-512, SSL3, Blake2b (256, 384, 512), or Blake2s-256 between 1024 and 8192 bits, DES keys of 56bits, 3DES keys of 168bits, and HMAC keys between 128 and 512 bits.
  • Commercial key management solutions are capable of key management, storage, and auditing, encryption, and tokenization.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Encryption is the process of using an algorithm to transform plaintext information into a non-readable form called ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random. Encryption helps protect the confidentiality of digital data either stored on computer systems or transmitted through a network such as the Internet. When the intended recipient accesses the message, the information is translated back to its original form, in a process called decryption. To unlock the message, both the sender and the recipient must use a secret encryption key — a collection of algorithms that scramble and unscramble data back to a readable format.


Symmetric and asymmetric encryption: What is the difference?

There are two primary approaches to encryption, symmetric and asymmetric encryption.

  • Symmetric encryption uses a single key to encrypt and decrypt data.
  • Asymmetric encryption uses two keys, one for encryption and one for decryption. A public key (which is shared among users) encrypts the data. A private key (which is not shared) decrypts the data.

 

What is Tokenization?

Tokenization is the process of replacing sensitive data elements (such as a bank account number or credit card number) with a non-sensitive substitute, known as a token. The token is a randomized data string which has no essential value or meaning. Unlike encrypted data, tokenized data is undecipherable and irreversible because there is no mathematical relationship between the token and its original number. There is no key or algorithm that can be used to derive the original data for a token. Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.

How data Tokenization works

Tokenization is one of the most popular security measures that merchants, payment processors, and banks use to protect sensitive financial and personal information from criminals.

For example, tokenization in banking protects cardholder data. While processing payment using the token stored in the systems, only the original credit card tokenization system can swap the token with the corresponding primary account number (PAN) and send it to the payment processor for authorization. The systems never record, transmit, or store the PAN—only the token. For tokenization to be effective, organizations must use a payment gateway to safely store sensitive data.

A payment gateway is a merchant service offered by an e-commerce application service provider that permits direct payments or credit card processing. This gateway stores credit card numbers securely and generates the random token.

Encryption vs Tokenization

Working process
  • Encryption: Transforms plaintext into ciphertext using an encryption algorithm and key
  • Tokenization: Replaces sensitive data with a randomly generated token value

Kinds of supported data
  • Encryption: Structured data, such as payment cards, and unstructured data, such as entire files and emails
  • Tokenization: Structured data such as payment cards, social security numbers, etc.

Use cases
  • Encryption: In-person transactions; payments over the phone; one of the main use cases is to ensure the confidentiality of data-at-rest (even if the storage media is compromised or lost, attackers are not able to see the actual data as they don't have the keys)
  • Tokenization: Card-on-file payment; recurring payments; e-commerce transactions; storing customer data across multiple locations; one of the main use cases is to reduce PCI scope by passing tokens to downstream applications

Exchanging data
  • Encryption: Data can be exchanged with a third party or recipient who has the encryption key
  • Tokenization: Exchanging data is difficult since it requires direct access to a token vault mapping token values

Security strength
  • Encryption: Original sensitive data leaves the organization, but in encrypted form
  • Tokenization: Original sensitive data never leaves the organization

Output
  • Encryption: Output is not generally format or length preserving (e.g. AES, RSA); the exception is FPE (Format Preserving Encryption)
  • Tokenization: Output is format and length preserving

Mapping
  • Encryption: May or may not use encryption as a mapping function, could use a hash function or static mapping table
  • Tokenization: Encryption does not have any use of tokenization internally

What should your business use: Tokenization or Encryption?

The choice between encryption and tokenization is not always straightforward. Whether your organization should opt for tokenization or encryption will depend on your own unique requirements. If you want to stay compliant while reducing your obligations under PCI DSS, you can opt to use tokenization. If you want scalability, and must encrypt large volumes of data, then encryption is ideal since you only need an encryption key. But regardless of which one you choose for protecting private information, both tokenization and encryption can help satisfy regulatory requirements imposed by PCI DSS, HIPAA-HITECH, GLBA, ITAR and the upcoming EU Data Protection Regulation.

When to consider Encryption

Data encryption can efficiently apply a protective layer to large volumes of data without encumbering data transmission, or access by the recipient. In fact, for many general data protections use cases, data encryption offers the best mix of convenience, practicality, and security. Consider encryption for:

  • Unstructured data, large volumes of data: Where your enterprise transmits large amounts of data such as images or video footage, data encryption can provide effective protection without incurring large costs. Likewise, where data lacks the type of structure (ID numbers, credit card details, etc.) that is required for token association, encryption is a suitable alternative.
  • Lower compliance requirements. Some data requires Fort Knox-like protection, and regulation such as PCI compliance and HIPAA demands matching protective measures. Other data sets require merely adequate protection, with an associated reduced motive for data theft. In these cases, encryption is the most cost-effective protective measure.

 

Encryption Advisory Services

Encryption Consulting assists organizations in identifying their key risks by conducting a data encryption assessment. This also helps in understanding the capability maturity and any gaps that may exist in your organization. Based on this assessment, a data encryption strategy is developed, along with a roadmap that defines the components and capabilities of the data protection program and the end-to-end implementation of an encryption plan.

To learn more about Encryption Consulting’s advisory services, go to the following link: Encryption Advisory Services


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

More often than not, organizations utilize encryption to protect data-at-rest. While encryption is a valid method of protecting data, there are others, like tokenization. Tokenization is the process of converting plaintext into a token value which does not reveal the sensitive data being tokenized. The token is of the same length and format as the plaintext, and that plaintext and token are stored in a secure token vault, if one is in use. One of the reasons tokenization is not used, however, is due to the process resulting in an undecipherable and irreversible token. Tokenization can be irreversible if a vaultless tokenization method is used.


Tokenization Terminology

A token is data having no meaning or relation to the original sensitive data. A token acts as a place holder for the plaintext, allowing data to be used in a database without revealing the information it protects. Tokens are unique to each value and are random strings of information. If vaultless tokenization is in use, then there is no mathematical relationship between the token and the sensitive data, thus the tokenization process is irreversible and undecipherable. If a vault is used, then the process of detokenization is possible.

Detokenization is the process of reversing tokenization. Detokenization is only possible if a token vault is being used in the tokenization process. With a token vault, the token and plaintext data are related to each other, so that the sensitive data can be returned to a privileged user. Token vaults tend to be encrypted as well, to provide maximum security. In this way, the data will be useless to anyone who steals the information stored in the token vault.
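
The vault-based flow described here and in "How data Tokenization works" above, as an added example that is not code from the original article. The class TokenVault, the role name "detokenize" and the sample card number are hypothetical or constructed, and the vault is an in-memory dictionary; a real vault would be a hardened, encrypted datastore.

```python
import secrets
import string


class TokenVault:
    """Maps sensitive values to random, format-preserving tokens.

    The token is drawn at random, so nothing about the original value can be
    computed from it; the only way back is a lookup in this vault.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _random_like(value: str) -> str:
        # Keep length and layout: digits become random digits, and
        # separators such as spaces or dashes stay in place.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit() else ch
            for ch in value
        )

    def tokenize(self, value: str) -> str:
        if not any(ch.isdigit() for ch in value):
            raise ValueError("nothing to tokenize")
        # Same input always yields the same token, so downstream systems
        # can still join and de-duplicate on the token.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_like(value)
            # Retry on the rare collision with the input or an existing token.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_roles: set) -> str:
        # Only privileged callers may swap a token back for the real value.
        if "detokenize" not in caller_roles:
            raise PermissionError("caller may not detokenize")
        return self._token_to_value[token]   # KeyError for unknown tokens


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"              # constructed test card number
    token = vault.tokenize(pan)
    print("stored by merchant systems:", token)
    print("returned to payment service:",
          vault.detokenize(token, {"detokenize"}))
    try:
        vault.detokenize(token, {"reporting"})
    except PermissionError as exc:
        print("reporting job refused:", exc)
```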

Tokenization Uses

Tokenization has many different uses, benefitting any organization with sensitive data. Though this is true, tokenization is primarily used in the Payment Card Industry (PCI). Tokenization provides protection for credit card information, social security numbers, bank account information, and more in the Payment Card Industry. The PCI uses tokenization over encryption methods due to the simplicity of implementing tokenization, and the cost-efficiency of tokenization compared to other sensitive data protection methods. Another reason tokenization is used in the PCI is for meeting compliance standards.

PCI DSS Compliance

The Payment Card Industry Data Security Standards, or PCI DSS, require retailers dealing with credit card information to store their data somewhere other than on their Point of Sales (POS) systems. PCI DSS is required for every business, thus every business searches for the most cost-efficient and proven way to comply. The Payment Card Industry Security Standards Council (PCI SSC), which enforces the PCI DSS, released guidelines on using tokenization to comply with PCI DSS. Tokenization is a much better choice, as opposed to encryption, as encryption can be expensive and time consuming to be set up end-to-end.

Benefits of Tokenization

Tokenization has many benefits, including the level of difficulty attackers face when attempting to steal tokenized information. Since sensitive data that is tokenized without a token vault cannot be reversed, this form of tokenization is completely safe from attackers. Even if the data is stolen, it cannot be reverted to its normal form, so it is useless to attackers. If the tokenization is done with a token vault, it is still extremely difficult for hackers to steal the information. Though the tokens are related to their plaintext, the data in the token vault still tends to be encrypted as well, just as a secondary precaution.

Another benefit to tokenization is its ability to work well with legacy systems. Even if an application and database have been created and in use for years or even decades, the information secured therein can be tokenized without the need to reinvent, or recreate, the application. Tokenization also uses less resources than encryption does, and has less of a chance of failure, compared to other data masking methods.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

The human desire for privacy in communication is perhaps as old as the desire for communication itself. The scrambling of messages through encryption, into a form that only the intended recipient can understand, has been going on for centuries, with Julius Caesar’s cipher being one of the most cited early examples. A lot has changed since then, but in today’s digital, connected world the need for encryption is as strong as ever. This is reflected in the widespread adoption of encryption technologies and solutions in enterprises across the world. What are some of the business drivers for enterprises to adopt encryption? This article explores some of the important ones.

  1. Protecting sensitive/classified information: Every company deals with sensitive and confidential data. This could be their own data, such as information related to their core Intellectual Property (IP) or their contracts with customers and partners. This could also be as a custodian of sensitive data that has been shared with them by a customer or partner – an example being personally identifiable information (PII) of customers for enterprises which are in the Business to Consumer (B2C) space. Protecting such sensitive and confidential data is of paramount importance for any business and this is where encryption plays a key role.
  2. Compliance with data privacy security regulations & standards: Europe’s General Data Protection Regulation (GDPR), which came into force in May 2018, is a well-known example of how legislation is being put in place for data protection and privacy. In the US, data privacy laws are usually sector and state specific, an example being the California Consumer Privacy Act (CCPA) of 2018 [1]. Another example is the Payment Card Industry Data Security Standard (PCI DSS) for the financial services industry, which is applicable globally. The encryption of consumer data is one of the fundamental requirements for all these regulations, with both in-transit data and data at rest being covered within the scope for encryption. While the choice of encryption algorithms, technologies and vendors is left to the enterprise, non-compliance can lead to significant penalties, especially in the event of data breaches.
  3. Protection against known threats: There are several known threats to data security that exist today. An example could be the threat to data stored on the cloud. As enterprises move more and more data to the cloud, the risk of breaches increases since the data no longer resides within the organization’s physical boundaries and network security perimeter. It is not enough to depend only on the cloud service provider’s data security mechanisms. Enterprises need to have their own cloud data encryption strategy in place. Companies can choose to encrypt data on-premise before sending it to the cloud, or encrypt the data after it moves to cloud, using technologies and compute power from the cloud provider [2]. Another example of known threats could be at an application and application programming interface (API) level. Enterprise applications as well as APIs exposed to the outside world are always vulnerable to attack. It is critical that any interfaces and communication channels these applications have with the external world are protected using encryption protocols such as Secure Sockets Layer (SSL) and its newer version Transport Layer Security (TLS). As a third example, attacks on databases for such applications (or independent data stores maintained by the enterprise) are another known threat. Database security through encryption can be implemented at three levels – encryption of any configuration files with database access information (e.g. those used by web and application servers), encryption of the data stored in the database, and sometimes encryption of the entire file system where the database is stored.
  4. Limiting the liability of data breaches: Whatever the precautions, it is a fact that data breaches can happen – any enterprise that believes otherwise is living in a fool’s paradise. The fallout of data breaches can be significant, and the resulting liabilities can be enormous. Apart from the financial and legal liabilities of data breaches, enterprises also must deal with the reputational damage and the loss of customer trust. Strong encryption mechanisms applied to sensitive data in the enterprise can ensure that even in the event of a data breach, the stolen data cannot be used by the attackers.

While these are some of the key business drivers for enterprises to adopt encryption today, it must be noted that encryption alone is not a ‘silver bullet’ solution to all data threats. For example, insider threats account for a large number (reports vary between 60% – 75%) of data breach incidents. If insiders have access to encryption keys, then once those keys are compromised, not much can be done. That’s why Enterprise Key Management goes hand-in-hand with any effective enterprise encryption strategy. Similarly, encryption should be addressed as a part of a larger, holistic solution to implementing cyber security in the enterprise.

[1] A comparison between the CCPA and GDPR is available in an earlier blog, available at this link: https://www.encryptionconsulting.com/2019/01/10/summary-of-the-california-consumer-privacy-act-and-comparison-with-the-gdpr/

[2] In either scenario, key management becomes an important issue – but that is out of scope for this article and will be covered in a future topic.


California passed and signed the California Consumer Privacy Act (CCPA) in June 2018, and it will go into effect on January 1, 2020. California is no stranger to privacy laws. The state has introduced privacy laws such as the California Shine the Light Law, California Invasion of Privacy Act, California Online Privacy Protection Act, California Anti-Phishing Act of 2005, Privacy Rights for California Minors in the Digital World, and the California Electronic Communications Privacy Act. However, the California Consumer Privacy Act is harsher than any of the previous laws enacted by the state of California, rivaling the most recent General Data Protection Regulation (GDPR) of the EU. The CCPA does not cover all that is required by the GDPR, but creates the strictest privacy laws the United States has ever seen.

Personal information of individuals is at an all-time high risk. The misuse of personal data and privacy rights is now a primary concern worldwide. The California Consumer Privacy Act introduces never-before-seen consumer privacy regulations in America. The legislation aims to protect personal information by creating a broad definition: as stated by the California Consumer Privacy Act, Personal Information (PI) is “information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. The legislation addresses organizations using, compiling, and distributing personal information. By doing so, the act aims to protect California consumers by enforcing the protection of personal information and forcing organizations to respect the privacy of citizens. Organizations that operate in California or do business within California will have to comply with the CCPA if they fall under one of three categories:

1. Annual gross revenue is greater than $25 million,
2. Buy, receive, or sell PI of 50,000 or more consumers, households or devices, or
3. 50 percent or more of annual revenue comes from selling California-based consumers’ PI.

If these regulations are not followed, fines of up to $7,500 per intentional violation can be imposed by the Attorneys General, and lawsuits can result in $100-750 per consumer per incident.

The California Consumer Privacy Act aims for consumers who are citizens of the state of California to retain ownership, power, and security of their personal information by establishing significant consumer rights such as:

• The right to know what and where personal information is being collected, sold and disclosed about them.
• The ability to deny the sale of personal information.
• The right to have equal service and price, if one decides to exercise their privacy rights.
• The right to be able to have personal information deleted.

While the CCPA and the GDPR are similar, they have a fair number of differences in their regulations. The table below compares the two policies, showing both similarities and differences. Organizations that already comply with the GDPR will be forced to make further provisions to comply with the CCPA as well.

Major Requirements California Consumer Privacy Act General Data Protection Regulation
Fines √ √ (Will be Higher)
Encrypted/Redacted Personal Data
Privacy by Design X
Compliance by all businesses collecting/personal data X
Limit sale of Personal Data X
Reporting of Data Breaches X
Options for Minors
Policies for Cookies X
Processing Bans X
Equal service and price, if exercising their privacy rights. X

About the author:

Fazel Ahsan is a cybersecurity expert specializing in the Encryption space. He is currently working as an Encryption Consultant at Encryption Consulting LLC.
