Enterprise Encryption Best Practices


Whether it’s to safeguard internal protocols and hierarchies, or to guard against attacks and data breaches in the escalating scale of current cyber-threats, implementing controls on the way information is transmitted and shared is more crucial to the enterprise than ever. Encryption has been and remains an essential aspect of this process. But how best to use encryption, to ensure the continued data integrity and security of your organization?


In this article, we’ll be looking at some strategies and best practices to help you get the most out of your encryption policies.

The Benefits Of Encryption

Traffic crossing the internet passes through routers the enterprise does not control, and any one of those hops may be compromised or misconfigured, so eavesdropping on sensitive communications remains a common attack. Relying on a LAN or VLAN for protection is no safer: an attacker who gains a foothold on a single host can use readily available tools (ARP spoofing, for instance) to redirect the segment's traffic through a system they control.

Against this kind of interception, encryption provides a robust line of defense: an attacker who captures the packets still cannot read them and, with authenticated protocols such as TLS, cannot alter them undetected.


SSH is available on virtually every Unix-like system, on Windows, and on most network devices, and it replaces cleartext remote-access protocols such as Telnet. Mainstream SSH implementations are actively maintained and patched, which is more than can be said for the legacy protocols they supersede. Because the leading implementation is open source, it can also be built on Linux-based systems to act as an SSH proxy or tunnel in front of specialist applications and hardware, including mainframes, that cannot speak SSH natively.


Encrypted protocols also provide drop-in replacements for cleartext transfers. SFTP (file transfer over SSH) or FTPS should be used instead of plain FTP, which sends both credentials and file contents in the clear; and TLS protects POP3 and IMAP mail retrieval, which are otherwise equally exposed.


An enterprise network is a complex ecosystem with many potential threat avenues to protect. So deploying encryption requires a systematic and rigorous approach.



Take An Inventory

Do a comprehensive sweep of all your operations to determine where sensitive information is stored, manipulated, and moved across the network – both within your data center and throughout your various sites, branch offices, and remote workstations. Identify those areas where valuable data is at rest, and when it’s in transit.


Remember that your “Data at Rest” inventory includes any virtual network infrastructure and applications you may have, plus your assets in the cloud. Encryption may be applied to structured and unstructured information in files, folders, applications, web servers, databases and network storage.


Once data leaves the comparative safety of your firewalls it is exposed to interception. Unencrypted traffic can be captured as it moves from place to place, and an attacker who can read it can often also tamper with it or inject malware into it to gain control of your resources. Encryption in transit closes off the reading and, with authenticated protocols, the tampering as well.

Determine Your Encryption Levels

AES with a 256-bit key (AES-256) is the de facto industry standard for protecting data at rest in corporate networks. Export-control rules in some jurisdictions limit the encryption strength that may be shipped or used, while regulatory compliance regimes demand a minimum standard; the choice you make will be shaped by these factors and by the specific requirements of your organization.

The working practices and security controls of your particular enterprise will also determine how encryption keys are protected and handled.

For instance, a single passphrase may be used in small, tightly run networks where one administrator holds the credential and shares it with trusted colleagues at their discretion; the cost is that a shared secret gives no accountability for who used it. Larger environments use dual control, in which one group of administrators or engineers holds one component of the key and a second group holds the other, so that neither group can reconstruct the key on its own (split knowledge). Where stronger protection is required, private keys can be kept on hardware tokens or in a hardware security module (HSM) so that the key material never leaves the device, but this in turn imposes requirements for the physical custody, backup and recovery of the devices themselves.
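The dual-control arrangement above, where two custodian groups each hold part of a key, is usually implemented as split knowledge: the key is XORed with random components so that no proper subset of the components reveals anything about it. The following is an added example written for this article, not code from the original page or from any vendor product; the key check value (KCV) construction and the 256-bit key size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Split a key into `parts` components under split knowledge.

    All but the last component are uniformly random; the last is the XOR of
    the key with every random component. Any subset short of the full set is
    statistically independent of the key, so a custodian group learns nothing
    from its own component alone. Every component is needed to rebuild the
    key: this is all-or-nothing, not a threshold scheme.
    """
    if parts < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """Reassemble the key from every component (the key-ceremony step)."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Short KCV that lets custodians confirm the reassembled key is the
    right one without revealing it: HMAC of a fixed label, truncated to
    6 hex digits (assumed construction for this example)."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


if __name__ == "__main__":
    # Constructed example: a fresh 256-bit key-encryption key for a ceremony.
    kek = secrets.token_bytes(32)
    kcv = key_check_value(kek)
    group_a, group_b = split_key(kek, parts=2)   # one component per custodian group
    assert group_a != kek and group_b != kek       # neither component is the key
    rebuilt = combine_key([group_a, group_b])
    assert rebuilt == kek and key_check_value(rebuilt) == kcv
    print("KCV", kcv, "reassembled OK")
```

Each component should be handed to its custodian group through a separate channel and stored separately (sealed envelopes, separate safes, or separate password-manager vaults); the KCV can be recorded openly so that a reassembled key can be verified before it is used to unwrap anything.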


For web servers and other internet communications (data in transit), a secure cryptographic protocol configured with strong cipher suites is required. The protocol (TLS) governs how a client and server authenticate each other and agree on session keys; the cipher suite names the specific algorithms that then encrypt and authenticate the data.

Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL) protocol. SSL is not merely legacy but broken: SSL 3.0 is vulnerable to the POODLE attack (CVE-2014-3566) and is formally deprecated by RFC 7568, and TLS 1.0 and 1.1 have since been deprecated by RFC 8996. All current browsers support TLS 1.2 and 1.3, so public-facing applications and portals should disable SSL 2.0 and SSL 3.0 outright and, unless a specific legacy client still depends on them, TLS 1.0 and 1.1 as well.

Both TLS versions support a range of cipher suites, and servers should be configured to offer only suites endorsed by reputable sources in the cryptographic community: ephemeral Diffie-Hellman key exchange (ECDHE) for forward secrecy, paired with an authenticated-encryption cipher such as AES-GCM or ChaCha20-Poly1305, and no RC4, 3DES, export-grade or NULL suites.
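The protocol-version and cipher-suite decisions above map directly onto two settings in any TLS stack. The following is an added example written for this article (not code from the original page) using Python's standard ssl module: it builds a client context that refuses SSL 3.0 and TLS 1.0/1.1 and offers only forward-secret AEAD suites, and it audits a list of cipher-suite names for the weak families named above. The WEAK_MARKERS list and the constructed legacy cipher list are assumptions for illustration, not an authoritative registry.

```python
import ssl
from typing import List

# Substrings that identify cipher families no current guidance endorses.
# Assumed list for this example; extend it to match your own policy.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def audit_cipher_names(names: List[str]) -> List[str]:
    """Return the suite names from `names` that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def lacks_forward_secrecy(name: str) -> bool:
    """True for TLS 1.2 suites with static RSA/DH key exchange. TLS 1.3 suites
    (named TLS_...) always use ephemeral key exchange."""
    if name.startswith("TLS_"):
        return False
    return not (name.startswith("ECDHE-") or name.startswith("DHE-"))


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and, for
    TLS 1.2, negotiates only ECDHE with AES-GCM or ChaCha20-Poly1305.
    TLS 1.3 suites are fixed by the protocol and unaffected by set_ciphers."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context would still accept an SSL 3.0 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def minimum_protocol(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def enabled_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Suite names the context would offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed list imitating what an unmaintained server might offer.
    legacy_server_suites = [
        "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
    ]
    print("weak suites:", audit_cipher_names(legacy_server_suites))
    print("no forward secrecy:",
          [n for n in legacy_server_suites if lacks_forward_secrecy(n)])

    ctx = hardened_client_context()
    print("minimum protocol:", minimum_protocol(ctx), "allows SSLv3:", allows_sslv3(ctx))
    print("offered suites:", enabled_cipher_names(ctx))
```

The same two knobs exist on the server side (for example `ssl_protocols` and `ssl_ciphers` in nginx, or `SSLProtocol` and `SSLCipherSuite` in Apache httpd); auditing the server's offered list with a function like `audit_cipher_names` is a quick check that a configuration change actually removed the suites you intended.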


Centralize Your Encryption Keys

The strongest encryption in the world is worthless if intruders gain access to the keys that decipher it, so managing and securing enterprise encryption keys is essential. Ideally keys are held in a central repository under the organization's control, such as a key management service or HSM, that is separate from the data they protect, so that a breach of a file server or database does not also yield the keys. Centralizing keys also makes rotation, access logging and revocation practical.

Set A Policy For Devices

With extended campus networks comprising centralized data centers, branch offices, remote sites, and remote workers empowered through BYOD (Bring Your Own Device), it’s essential for organizations to extend the protection of cryptographic technologies to their users with mobile hardware.


The same considerations apply as for the encryption of web communications (TLS), and secure transfer methods such as SFTP or FTPS are preferred. For web-based applications, client certificates can be used alongside server certificates so that both ends of a transaction are authenticated.

Dedicated encryption apps should be deployed from an approved list of products from vetted vendors, and the same applies to any VPN (Virtual Private Network) client used to protect traffic from remote and mobile devices.


Don’t Forget The Email

Even alongside instant messaging, video chat and social networks, email remains a potent force and, by some estimates, accounts for well over 90% of all file transfer activity worldwide. Yet it is estimated that more than 60% of workers have no access to email encryption, and those who do often rely on solutions that must be configured and deployed manually at each endpoint.

For enterprises, policy-based email encryption is the preferred option. This is a data-centric approach, which seeks to protect information by encrypting it through all stages of email communication.


Technologies such as Identity-Based Encryption (IBE) combine policy-based rules with email routing over SMTP to apply strong encryption while still allowing filtering, archiving and discovery to meet regulatory compliance demands. Dedicated gateway tools and client plug-ins can also decrypt email on the fly so that its content remains available to those compliance processes.

Des Nnochiri has a Master’s Degree (MEng) in Civil Engineering with Architecture, and spent several years at the Architectural Association, in London. He views technology with a designer’s eye, and is very keen on software and solutions which put a new wrinkle on established ideas and practices. He now writes for markITwrite across the full spectrum of corporate tech and design. In previous lives, he has served as a Web designer, and an IT consultant to The Learning Paper, a UK-based charity extending educational resources to underprivileged youngsters in West Africa. A film buff and crime fiction aficionado, Des moonlights as a novelist and screenwriter. His short thriller, “Trick” was filmed in 2011 by Shooting Incident Productions, who do location work on “Emmerdale”.

