Guide to Enterprise Data Encryption and Protection Solutions22 Mar 2020 | Michael Waksman
Do you have a proper enterprise data encryption and protection solution? Years ago, only companies handling the most sensitive data, such as patient records, bothered with extensive encryption.
Times have changed, however. GDPR and CCPA have tightened privacy laws in Europe and California – and thanks to the global nature of the internet, these regulations can affect every company, regardless of where they are located.
This simple guide will help you understand which data encryption processes are most useful to you and your company.
Types of Enterprise Data Encryption and Protection
You need to "protect data wherever it pools or flows," according to Binghamton University's CIO, Sharon Pitt. This becomes truer as more data and systems move to the cloud, the Internet of Things matures and technology spreads; your data likely resides in many different places during its life cycle, and each requires its own approach.
There are 3 broad areas of data to be considered:
Let's take a deeper look!
Data at Rest: Protecting Inactive Data
Inactive data is stored physically – on a computer hard drive, on a USB stick, or on a server in the cloud. This type of data is kept inactive until it is needed. There are several methods of data protection. Use all of them to enable many layers of security.
- Encryption of Entire Drives
Laptops, USB sticks and mobile devices are commonly lost or stolen. Any device that might be moved outside a secure area must be protected with whole drive encryption. This method will likely stop, or at least slow down, a thief's attempts to read the drive.
- Encryption of Selected Files and Folders
Yet whole drive encryption falls short when the user is logged in and the drive is then accessible. To address this risk, sensitive files and folders should be encrypted with an added layer. There are a few tools available for encrypting selected data – check out our guide to find the right one for you. Remember to apply this type of protection also to files stored in the cloud.
- Encryption of Individual Items
In some cases, you might want to encrypt a specific sensitive piece of data; this often includes things like credit cards, social security numbers and other official IDs. Luckily, most database management systems (DBMS) provide this functionality, but you need to make sure it is enabled as needed.
Data in Transit: Encrypting Data That You Send
While encryption of data-at-rest is a critical last line of defense, it’s not enough. Data must still be delivered to those who need it. Be aware, your data could easily pass through a compromised server, with the data being checked and potentially copied. To keep others away from your sensitive files, encryption is necessary to protect not just text, but also voice, video and metadata.
- Encryption Online
Always make sure to use browser links that start with 'https’ – this means you're using encryption. Transport Layer Security (TLS), still sometimes known as SSL, is the most widely used form of in-transit protection. If you have a website, you need to get an SSL certificate.
- Encryption of Emails
If you are sending protected data over email, it must be secured using a cryptographically strong email tool such as S/MIME or PGP. You can also encrypt the data with file encryption and send it as an attachment.
- Encryption of Communications
Many communications and messaging apps are insecure, and companies providing the service can often access everything you say. End-to-end encryption is the best way to keep this secure, preventing even the service provider from reading what is sent, as well as anyone who might intercept the message. Always use messaging services, such as Signal, that support effective end-to-end encryption.
Data in Use: Control Access to your Data
Unlike data at rest or in transit, data in use must be accessible by users and apps. So, how to keep data protected while still allowing it to be modified?
For right now, access control is the general rule. Authenticate who (user or process) accesses the data and for what purpose (read, write, copy, rename). Don't allow access to users or processes when they don't need it. This type of control can reduce the risk of ransomware reading or modifying your files.
5 Steps to Get Ready
In order to implement an effective enterprise data encryption and protection solution, you must follow these 5 steps:
#1 Define Sensitive Data
Make sure you know which data is sensitive and needs the most protection. Ask yourself, "which data would cause the most harm if compromised?". Read through relevant regulations, which generally provide a list of what type data must be protected.
Common categories of protected data:
- Health records
- Credit cards
- Social security numbers
#2 Locate Sensitive Data
Where is your sensitive data stored? Build a map of your data flows so you know where your data is, where it’s going, and who it’s going to.
#3 Select Proper Tools
Which encryption tools are best suited for your organization's needs? Consider these factors:
- Phase of data lifecycle
- Data may reside in different places, and you need to make sure you have a solution for each part of the lifecycle – whether it's at rest, in transit, or in use. Data protection needs to cover everything.
- Technical requirements
Does the regulation you need to follow require a specific algorithm, key, or standard? If so, make sure the solution you choose fulfills these requirements. Ask the vendors if not sure; it's a good way to test out their customer service.
- Key management
Keys can be stolen or copied. Use a key management system to allow admins to destroy or replace encryption keys after a breach. Also, make sure that the chosen solution allows admins to recover or reset keys that have been forgotten. Almost everyone does it, especially after time off.
Many regulations require documentation for audits and proof of compliance. Make sure you have everything tracked and logged so you can easily show it to inspectors. An auditing system can also help you spot unauthorized access.
#4 Implement Solutions Carefully
Before implementing your solutions, prepare for what could go wrong.
Interaction with non-technical people will happen. Make sure that employees are on board with using encryption by offering training and doing your best to keep everything user-friendly.
Make sure that you address any conflicts between different solutions. Since you are using multiple encryption practices, you need to make sure they play nicely with each other. Conflicts can cause a vulnerability.
Test the encryption tools to avoid causing performance issues that may impact productivity. Consider alternatives if needed.
After some time, review your solutions. Are they performing as expected? Are there technical issues? Are there holes that might expose your data?
Ask yourselves these questions and see if you need to tweak or alter anything. Use logging tools to evaluate your encryption and to provide details on who is accessing what data, and when. Finally, keep an active dialogue with your colleagues. They will have insights into what is working and what is not.
Having a solid enterprise data encryption and protection solution helps protect your company from data breaches and their impact – as well as ensuring you comply with the law.
The Guide to Encrypting Data in the Cloud
Commercial or Open-Source Encryption Software – Whose Side Are You On?
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.
At Jetico, Waksman has lead creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.
Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.
Thank you for contacting Jetico! We will respond to you as soon as possible.
Send us a message - we'll reply within 24 business hours.
Need help now? Call Us
US: 202 742 2901