Guide to Enterprise Data Encryption and Protection Solutions

Do you have a proper enterprise data encryption and protection solution? Years ago, only companies handling the most sensitive data, such as patient records, bothered with extensive encryption.

Times have changed, however. GDPR and CCPA have tightened privacy laws in Europe and California – and thanks to the global nature of the internet, these regulations can affect every company, regardless of where they are located.

This simple guide will help you understand which data encryption processes are most useful to you and your company.

Types of Enterprise Data Encryption and Protection

You need to "protect data wherever it pools or flows," according to Binghamton University's CIO, Sharon Pitt. This becomes truer as more data and systems move to the cloud, the Internet of Things matures and technology spreads; your data likely resides in many different places during its life cycle, and each requires its own approach.

There are 3 broad areas of data to be considered:

 

 

 

Let's take a deeper look!

Data at Rest: Protecting Inactive Data

 Inactive data is stored physically – on a computer hard drive, on a USB stick, or on a server in the cloud. This type of data is kept inactive until it is needed. There are several methods to protect data at rest. Use all of them to enable many layers of security.

• Encryption of Entire Drives
  Laptops, USB sticks and mobile devices are commonly lost or stolen. Any device that might be moved outside a secure area must be protected with whole drive encryption. This method will likely stop, or at least slow down, a thief's attempts to read the drive.
• Encryption of Selected Files and Folders
  Yet whole drive encryption falls short when the user is logged in and the drive is then accessible. To address this risk, sensitive files and folders should be encrypted with an added layer. There are a few tools available for encrypting selected data – check out our guide to find the right one for you. Remember to apply this type of protection also to files stored in the cloud.
• Encryption of Individual Items
  In some cases, you might want to encrypt a specific sensitive piece of data; this often includes things like credit cards, social security numbers and other official IDs. Luckily, most database management systems (DBMS) provide this functionality, but you need to make sure it is enabled as needed.

Data in Transit: Encrypting Data That You Send

 While encryption of data-at-rest is a critical last line of defense, it’s not enough. Data must still be delivered to those who need it. Be aware, your data could easily pass through a compromised server, with the data being checked and potentially copied. To keep others away from your sensitive data in transit, encryption is necessary to protect not just text, but also voice, video and metadata.

• Encryption Online
  Always make sure to use browser links that start with 'https’ – this means you're using encryption. Transport Layer Security (TLS), still sometimes known as SSL, is the most widely used form of in-transit protection. If you have a website, you need to get an SSL certificate.
• Encryption of Emails
  If you are sending protected data over email, it must be secured using a cryptographically strong email tool such as S/MIME or PGP. You can also encrypt the data with file encryption and send it as an attachment.
• Encryption of Communications
  Many communications and messaging apps are insecure, and companies providing the service can often access everything you say. End-to-end encryption is the best way to keep this secure, preventing even the service provider from reading what is sent, as well as anyone who might intercept the message. Always use messaging services, such as Signal, that support effective end-to-end encryption.

Data in Use: Control Access to your Data

 Unlike data at rest or in transit, data in use must be accessible by users and apps. So, how to keep data protected while still allowing it to be modified?

For right now, access control is the general rule. Authenticate who (user or process) accesses the data and for what purpose (read, write, copy, rename). Don't allow access to users or processes when they don't need it. This type of control can reduce the risk of ransomware reading or modifying your files.

5 Steps to Get Ready

In order to implement an effective enterprise data encryption and protection solution, you must follow these 5 steps:

#1 Define Sensitive Data

Make sure you know which data is sensitive and needs the most protection. Ask yourself, "which data would cause the most harm if compromised?". Read through relevant regulations, which generally provide a list of what type data must be protected.

Common categories of protected data:

• Names
• Health records
• Credit cards
• Social security numbers

#2 Locate Sensitive Data

Where is your sensitive data stored? Build a map of your data flows so you know where your data is, where it’s going, and who it’s going to.

#3 Select Proper Tools

Which encryption tools are best suited for your organization's needs? Consider these factors:

• Phase of data lifecycle
• Data may reside in different places, and you need to make sure you have a solution for each part of the lifecycle – whether it's at rest, in transit, or in use. Data protection needs to cover everything.
• Technical requirements
  Does the regulation you need to follow require a specific algorithm, key, or standard? If so, make sure the solution you choose fulfills these requirements. Ask the vendors if not sure; it's a good way to test out their customer service.
• Key management
  Keys can be stolen or copied. Use a key management system to allow admins to destroy or replace encryption keys after a breach. Also, make sure that the chosen solution allows admins to recover or reset keys that have been forgotten. Almost everyone does it, especially after time off.
• Auditing
  Many regulations require documentation for audits and proof of compliance. Make sure you have everything tracked and logged so you can easily show it to inspectors. An auditing system can also help you spot unauthorized access.

#4 Implement Solutions Carefully

Before implementing your solutions, prepare for what could go wrong.

• Mindset
  Interaction with non-technical people will happen. Make sure that employees are on board with using encryption by offering training and doing your best to keep everything user-friendly.
• Integration
  Make sure that you address any conflicts between different solutions. Since you are using multiple encryption practices, you need to make sure they play nicely with each other. Conflicts can cause a vulnerability.
• Performance
  Test the encryption tools to avoid causing performance issues that may impact productivity. Consider alternatives if needed.

#5 Review

After some time, review your solutions. Are they performing as expected? Are there technical issues? Are there holes that might expose your data?

Ask yourselves these questions and see if you need to tweak or alter anything. Use logging tools to evaluate your encryption and to provide details on who is accessing what data, and when. Finally, keep an active dialogue with your colleagues. They will have insights into what is working and what is not.

Having a solid enterprise data encryption and protection solution helps protect your company from data breaches and their impact – as well as ensuring you comply with the law.

Happy Encrypting!

 

Related Articles

The Guide to Encrypting Data in the Cloud
Commercial or Open-Source Encryption Software – Whose Side Are You On?