What is Enhanced Encryption? That is the question asked and answered by Colin Tankard, managing director of IT and data security firm Digital Pathways.
Encryption is essential to protect information that is stored, such as on a device, in a database or in a cloud service, as well as when it is transmitted – commonly referred to as data at rest and data in motion. It ensures that data is protected against loss or unauthorized access.
For regulations such as GDPR, which require notification to authorities and data subjects in the event of a personal data breach, notification can be avoided if the data has been secured in such a way that it cannot be accessed by unauthorized persons. In the case of encryption, one would need access to the cryptographic key used to encrypt and decrypt the data.
Access control should then be applied to all data according to its defined sensitivity, paying particular attention to the role of privileged users. In general, organizations should strive to determine the least level of access privileges required of individuals based on their role and their need to process and transmit personal and sensitive information. Yet this is not a one-off exercise. People regularly change roles, leave or are hired by an organization, which requires access rights to be reviewed regularly to ensure they remain appropriate as situations change and that no one has more access privileges than their current role requires.
Coupling access control with encryption can also enable segregation of duties, allowing administrators to manage data (i.e. backup) while blinding them from reading the content. Such controls are invaluable when handling sensitive information such as employment contracts, mergers and acquisitions, and intellectual property.
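The recurring access review and the segregation of duties described in the two paragraphs above can be checked mechanically. The following is an added example, not code from the article or from Digital Pathways; the role names, privilege strings and accounts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed role model (constructed): the minimum privileges each role needs.
# backup_admin can manage (back up) contract data but holds no read privilege.
ROLE_PRIVILEGES = {
    "hr_officer": {"contracts:read", "contracts:write"},
    "backup_admin": {"contracts:backup"},
    "finance_analyst": {"ledger:read"},
}

@dataclass(frozen=True)
class Account:
    user: str
    role: Optional[str]   # None means the person has left the organization
    granted: frozenset    # privileges currently assigned to the account

def review(accounts):
    """Return {user: finding} for every account holding more than its role needs."""
    findings = {}
    for acct in accounts:
        if acct.role is None:
            excess, reason = set(acct.granted), "leaver still holds access"
        elif acct.role not in ROLE_PRIVILEGES:
            excess, reason = set(acct.granted), "role not defined in policy"
        else:
            excess = set(acct.granted) - ROLE_PRIVILEGES[acct.role]
            reason = "exceeds current role"
        if excess:
            findings[acct.user] = {"reason": reason, "revoke": sorted(excess)}
    return findings

# Constructed sample accounts covering the situations the text names.
ACCOUNTS = [
    Account("alice", "hr_officer", frozenset({"contracts:read", "contracts:write"})),
    # bob moved from HR to finance but kept his old read access
    Account("bob", "finance_analyst", frozenset({"ledger:read", "contracts:read"})),
    # carol can back up contracts and also read them: segregation of duties is broken
    Account("carol", "backup_admin", frozenset({"contracts:backup", "contracts:read"})),
    # dave has left but the account still has access
    Account("dave", None, frozenset({"ledger:read"})),
]

if __name__ == "__main__":
    for user, finding in review(ACCOUNTS).items():
        print(user, "-", finding["reason"], "- revoke:", ", ".join(finding["revoke"]))
```

Running the review on a schedule, rather than once, is what catches role changes and leavers such as the constructed `bob` and `dave` entries.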
Data classification: Knowing which data needs protection based on its value to the company is a key starting point. Data classification policies and tools make it easy to separate valuable information that can be targeted from less valuable information.
Key management: If keys and certificates are not properly secured, the organization is open to attack, no matter what security controls are in place. Always consider adding a Hardware Security Module (HSM) to any encryption plan. The HSM will also help define any key rotation needs and the processes for changing the key used in each data set.
Encryption is fundamental to protecting your data. Access control adds even more protection by ensuring that only the right people have access to this data.