Ask anybody with some level of experience in cyber security how to protect data and there is a good chance that they would answer with the suggestion to encrypt it. In today’s world encryption is ubiquitous in life.
Any modern mobile phone for example will be encrypted by default. It is unusual for a website not to enforce connectivity via an encrypted connection in the form of TLS.
The general concept of encryption is to take data and scramble or lock it up by passing it through an encryption algorithm along with an encryption key so that this scrambled data is unreadable and therefore unusable by a hacker who intercepts or steals it.
A hacker cannot feasibly brute force modern encryption methods. Even if a hacker gets past your access control and API security and exfiltrates the encrypted data, it is useless to them. The only way to reconstitute the original data is to use the right encryption key to decrypt it.
Therefore, there is no realistic way a hacker can brute force their way into decrypting your data unless that hacker gets hold of your encryption key.
Encryption is therefore certainly an attractive option when faced with the directive to protect data. However, whilst the concept of encryption is simple to understand, implementing it in a proper and secure way can be challenging.
How Do We Tell Good Crypto from Bad?
There are a plethora of algorithms and associated cryptographic mechanisms out there to choose from and unfortunately, it is not always obvious which is going to be the most appropriate pairing for your task.
If you are not an expert in the field, then you may end up inadvertently choosing an algorithm and mechanism that is not appropriate. In addition to selecting the right algorithm, there is of course the question of how to keep the encryption key secure.
The quality of cryptographic implementations varies greatly, and the concern can be summed up in three common questions:
- How to be sure that the cryptographic implementations used are sound?
- Does your company have a cryptographic policy?
- How will you manage your cryptographic keys to ensure the appropriate level of security along with availability?
Let’s deep dive to understand the solutions to the problems.
How to be Sure That the Cryptographic Implementations Used are Sound?
As mentioned above, an attacker need only steal the encryption key to be able to unlock or decrypt the encrypted data. Therefore, encryption keys are attractive targets for hackers. Even if you have figured out how to secure the key properly, can you ensure it will always be available when needed?
Encrypting data and then not having access to the key is the same as not having the data at all. If you lose the key permanently then any data encrypted by it is also lost.
So, with all that in mind, you surely want to be using good crypto, not bad. Therefore, follow your company's cryptographic policy if you have one. If you don't have one, then consult with experts to get one developed.
How Will You Manage Your Cryptographic Keys to Ensure the Appropriate Level of Security?
The cryptographic policy addresses the questions regarding appropriate cryptographic algorithms and keys for your company’s workloads and risk profile.
Typically, a sound cryptographic policy will recommend the use of cryptographic implementations and key management techniques certified to FIPS 140-2, an internationally recognised standard for cryptographic modules [Source]. You can be assured that any certified implementation has been checked for robustness by a trusted assessor.
Does Your Company Have a Cryptographic Policy? How to Choose the Right One
When generating cryptographic keys, ensure the chosen key length is appropriate for the level of security assurance you are after. A good reference is the NIST SP 800-131A Rev. 2 publication [Source], where you can find guidance on which algorithm, mechanism and key length are appropriate for a range of scenarios. Your company's key management policy will also help here. Another point to keep in mind is that key material must be sourced from a high-quality source of random data. This is not always as easy as it sounds: if there is any sort of predictability in the key, then you have already lost. For an interesting discussion of why random numbers matter, I encourage you to look at Cloudflare's blog entry on the topic [Source].
Embracing the Hybrid Setup
So certainly, it is prudent to use encryption to secure your data. Now the question is, where does this data exist that you wish to encrypt? If it exists on-premises, then you may only have a few different systems that you need to implement encryption on, all under your direct control.
However, in today's world, the situation is not normally that simple. Today we are embracing the cloud in all its forms, be it PaaS, SaaS or 'lift and shift' of workloads. This means that our data is now located on multiple systems outside our direct control.
Ensuring that you are always encrypting with appropriate policy-approved algorithms, utilising secure key lengths and maintaining security control over those keys becomes considerably more complex.
So, consider a consolidation approach: the burden of ensuring that cryptographic policies are followed and enforced is then handled in one place. That one system is responsible for ensuring that key management is conducted securely, in a manner consistent with company policy.
Any application that needs to consume cryptographic resources authenticates to the service and calls it, receiving a consistent, quality implementation of crypto and a consistent level of service. Furthermore, every use of crypto can be logged for auditing purposes.
If a particular application or endpoint becomes untrusted, its access to the service can be disabled. The centralised key management and encryption service naturally needs to easily integrate with the above-mentioned cloud-based workloads.
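The centralised service described above, as an added example that is not part of the original post or of any Fortanix product: applications authenticate by an application id, keys never leave the service, every request is checked against an approved (algorithm, key length) table and logged, and an untrusted application can be revoked. The APPROVED table and the application names are constructed for illustration; a real table comes from your policy and NIST SP 800-131A Rev. 2.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Illustrative policy table of approved (algorithm, key length in bits) pairs.
# Constructed for this example; derive the real table from your cryptographic
# policy and NIST SP 800-131A Rev. 2, not from this snippet.
APPROVED = {("AES", 128), ("AES", 256), ("HMAC-SHA256", 256)}


@dataclass
class KeyService:
    """Central key service: keys never leave it, every call is policy-checked and logged."""
    keys: dict = field(default_factory=dict)    # key_id -> (algorithm, raw key bytes)
    revoked: set = field(default_factory=set)   # application ids whose access is disabled
    audit: list = field(default_factory=list)   # append-only audit trail

    def _log(self, app, action, key_id, outcome):
        self.audit.append((time.time(), app, action, key_id, outcome))

    def _check_access(self, app, action, key_id):
        if app in self.revoked:
            self._log(app, action, key_id, "denied:revoked")
            raise PermissionError(f"{app} has been revoked")

    def generate_key(self, app, alg, bits):
        self._check_access(app, "generate", None)
        if (alg, bits) not in APPROVED:
            self._log(app, "generate", None, f"denied:policy {alg}-{bits}")
            raise ValueError(f"{alg}-{bits} is not approved by policy")
        # secrets draws from the OS CSPRNG; a seeded random.Random would be predictable
        key_id = secrets.token_hex(8)
        self.keys[key_id] = (alg, secrets.token_bytes(bits // 8))
        self._log(app, "generate", key_id, "ok")
        return key_id

    def mac(self, app, key_id, data):
        """Compute an HMAC inside the service; the caller only ever sees the tag."""
        self._check_access(app, "mac", key_id)
        alg, raw = self.keys[key_id]
        if alg != "HMAC-SHA256":
            self._log(app, "mac", key_id, "denied:wrong-key-type")
            raise ValueError("key is not an HMAC key")
        tag = hmac.new(raw, data, hashlib.sha256).digest()
        self._log(app, "mac", key_id, "ok")
        return tag

    def revoke(self, admin, app):
        """Disable an untrusted application's access; other applications are unaffected."""
        self.revoked.add(app)
        self._log(admin, "revoke", app, "ok")
```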
The Fortanix Advantage
Fortunately, Fortanix has done this hard work for you and has developed the Data Security Manager (DSM) SaaS to support the above requirements. DSM is a unified data security platform powered by confidential computing that delivers a wide range of data security services, including encryption, multi-cloud key management, tokenisation, database encryption and multiple other capabilities, from one single console.
Company cryptographic policies are enforced by the DSM SaaS ensuring that accidental deviations from policy cannot occur. All administration and cryptographic operations are logged. Keys are generated from a high-quality source of random data as recommended by NIST SP800-90A [Source].
Fortanix DSM SaaS Explorer Tier is now available free of charge for a variety of workloads.