If you work at a company processing sensitive data—like personal, health or financial information—it is very likely that data encryption is one of the key pillars of your data protection policy. First, because data encryption is a basic requirement of sensitive data regulations such as PCI-DSS and HIPAA. Second, because it is a recommended practice of most information security frameworks (ISO 27001, SOC 2) and privacy laws (GDPR).
In this article, we won’t cover the details of encryption algorithms or their pros and cons. Implementing data encryption consistently at rapidly innovating companies is a challenge, so instead you will find concrete tips to help you implement and monitor your data encryption policies at scale.
What is data encryption?
Data encryption refers to the process of converting human-readable information—known as plaintext—into a series of algorithmically generated letters and numbers—known as ciphertext—that humans cannot make any sense of. Only authorized parties can decipher a ciphertext back to plaintext using a cryptographic key.
There are two main types of encryption:
- Symmetric encryption. All communicating parties use the same secret key to encrypt and decrypt data.
- Asymmetric encryption, also known as public key encryption. The communicating parties use a public key to encrypt data and a private key to decrypt it. For example, if you want something sent to you in a way that ensures only you can read it, you would provide the sender with your public key. They use that to encrypt it, but only your private key can decrypt it.
There are also two points at which data can be encrypted:
- At rest, for instance, the moment it is stored in a database.
- In transit, when it is being transmitted from one system to another. For instance, the communication protocol HTTPS relies on the cryptographic protocol Transport Layer Security (TLS) to protect data in transit.
Why is data encryption necessary?
- Data security: Encryption mitigates data breach risks. For instance, an unauthorized party may access your database and copy data, but without the encryption key the stolen data remains unreadable and unusable by the attackers. Data encryption helps secure data.
- Data privacy: Encryption keeps data private. Only the data owner or the intended recipient can read the data. It can’t be shared with third parties such as internet service providers, ad networks, or government agencies. Encryption is the cornerstone of online privacy.
- Data regulations: Most sensitive data regulations require encryption, including HIPAA, PCI-DSS, and GDPR. It reduces the financial and operational risks for your organization. For instance, in case of a data breach, GDPR requires your organization to notify the affected data subjects within 72 hours, except if the stolen data is encrypted.
- Data integrity: Encryption reduces the risk of data tampering in transit. On-path attackers can alter communications between two systems to impersonate one of the parties. For instance, they can target the HTTP connection between a user and the website they are connecting to steal their credentials. That’s why SSL/TLS is used to secure HTTP communications.
- Business: Your customers want to know that their data is safe. If you are a B2B organization working with Mid-Market and Enterprise companies, their procurement process surely includes a review of your encryption measures. If you are a B2C business, your users will choose you over someone else because they know that their data is safer with you. Plus, encryption can save your business from bad press if you suffer a data breach.
How to monitor data encryption
Implementing data encryption at scale across products is challenging. The increasing number of developers, services, and data flows makes it hard for the security team to maintain visibility over all systems. Where do you store sensitive data? How is it flowing through your product? Where is encryption missing? Where are you the most at risk? Where should you focus your attention to minimize data security and privacy risks?
Catalog your engineering components
First, you need a clear view of your software architecture. Keeping an up-to-date inventory of your engineering components is necessary to monitor any security measure, including data encryption. Your inventory should include the full list of your applications, services, data storage systems and third parties. Set up a clear and easy process to have your developers document new components as they code.
Map sensitive data flows
Second, identify sensitive data flows between your engineering components. You can’t be everywhere at once, so you must focus where the risk is highest. You should have a data taxonomy to classify data into categories with risk levels. Data flow mapping software can help with this. Use it to identify and classify data stored in your databases, data processed by your applications, and data shared with third parties. Again, you need to set up a process to help your developers classify and document new data processing as they build software. Without an ongoing process, your data map will never be up-to-date.
Document encryption measures
Third, document data encryption measures. Your data security policy should state the expected encryption measures for each data category. For instance, say you process health data which you need to encrypt end-to-end at the column level using a specific cryptographic protocol. Then you should look at every database column that is categorized as health information and check that end-to-end encryption has been actually implemented. If it is not, start a mitigation workflow to have your developers add missing encryption where it’s needed.
Monitor sensitive data encryption proactively.
The challenging part is to be consistent with the three previous steps. As your organization grows, it’s easy for developers to slip through the cracks unintentionally. That’s why training them and setting up efficient processes is so crucial to empowering them to implement encryption within your products. Culture and security awareness comes first. A development team that shares your responsibility of securing data is your best asset.
In addition, you should automate security testing to identify missing encryption as early as possible. And, if possible, set clear KPIs (like % of sensitive data encrypted) to track your progress and communicate it to the other executives in your organization.
Bring data encryption within your DevSecOps processes
Data detection and classification are often disconnected from the software development lifecycle. As a result, teams spot missing encryption of sensitive data too late, usually once it is in the production environment. Unencrypted sensitive data can flow through your systems for days, weeks, and even months before it is mitigated. If a breach occurs in the meantime, your organization is at great risk.
That’s why Bearer aims at helping security teams implement and monitor data encryption throughout the software development lifecycle. By scanning your code, we help you discover and classify data, and detect missing security measures such as data encryption. Not only once your product has been released to production, but while your developers are coding. That way you can mitigate the risks of a potential data breach easily and put your mind at ease.