Last Updated on September 23, 2014
A major mistake some organizations make is to consider data encryption as the solution for all their information security needs. “ENCRYPT EVERYTHING!!” is not a best-practice approach—not only is it impractical, but also it cannot eliminate all the risks to a company’s sensitive data.
When is it appropriate to encrypt data? Anytime you want to reduce confidentiality risk.
This basic maxim is applicable across a wide range of potential situations, especially these three:
- Encrypt data in motion.
Encrypt data anytime it moves from one point to another, whether it’s within your organization or between external endpoints. In particular, data moving between wireless zones is always at a high risk—encrypt it. - Encrypt to help enforce separation of duties.
Within an organization, encryption can help ensure that only employees with appropriate authorization can access sensitive data. Usually this requires you to encrypt some “level” of your database storage hierarchy (usually at the cell/field/row-, column-, or table/tablespace-level). Database encryption presents a host of challenges, which is a major reason why many organizations don’t choose to encrypt data at rest behind their firewall. - Encrypt when regulations require it.
Most organizations have to comply various industry/government regulations and policies. In these instances, encryption addresses the security needs of the individuals and organizations your business serves. For example, encrypting patient medical information (PMI) in a range of situations is required for HIPAA compliance because it reduces security risks to individuals. The risk encryption mitigates for the business in such cases is the risk of fines, sanctions and reputational damage due to non-compliance.
Encryption provides a very important layer of protection within your security architecture, but it can’t do it all. In particular, encryption alone cannot guarantee that every piece of data your business is responsible for is 100% protected from unauthorized access 100% of the time.
For example, encryption is usually not in effect when data is being processed behind your firewall by an application. If an attacker gets access to that server, your unencrypted data could be a veritable “sitting duck.” It is also possible that your encryption keys can be compromised, such as through an insider attack.
Used in combination with other information security controls (e.g., authentication and authorization, access controls, physical security, security event management), encryption can reduce the risk of unauthorized access and its corresponding potential outcomes (regulatory fines, a very unhappy CISO) to acceptable levels.
Holistically evaluating, prioritizing and addressing risk to information is best undertaken in alignment with a risked-based, practical information security framework, such as ISO 27001.
To talk with an expert about how to get the most value from encryption in your organization, contact Pivot Point Security.