
The Encryption That Businesses Need, But CISOs Forget About


By Joseph Steinberg, CEO, SecureMySocial


Many businesspeople put their firms’ data at risk because they fail to understand several important concepts about encryption. Simply knowing that data can be protected from unauthorized parties by encrypting it is not enough to deliver security; to secure information, people must know when it needs to be secured, and must actually encrypt it accordingly.

Many businesspeople know, for example, that they must encrypt sensitive information while it is in transit; they understand that data transmitted electronically between locations is at risk of being read by unauthorized parties along the communication path. Such folks also often comprehend the need to encrypt data “at rest” – that is, sensitive information stored on hard disks, solid-state drives, USB drives, backup tapes, or any other media. If outsiders hack into an organization, encryption of stored data can be the sole barrier between criminals and the sensitive information they are after. Likewise, if removable storage is lost, encryption may be the only thing standing between corporate secrets and whoever finds the media. Furthermore, encryption blocks rogue insiders – who pose the greatest information security risks to businesses of all sizes – from retrieving (and potentially stealing and misusing) information, provided the insider does not also hold the decryption keys.

What many businesspeople fail to grasp

Less well understood is the need to keep data protected while it is being processed – from the time that it is created in a secure environment, while it is in use, and until it is destroyed. Such security is especially significant in the era of cloud applications and services: many organizations effectively outsource a significant portion of their IT systems to third parties, meaning that data processing is done on equipment outside the organization’s own infrastructure – on technology that frequently also handles data and processes belonging to other organizations. If your data is not encrypted at a cloud service provider and that provider is breached by criminals, the criminals could obtain your data. Think of the potentially catastrophic impact on a medical facility, law firm, or business if sensitive information in its databases stored at a Software-as-a-Service provider were compromised in such a fashion.

Encryption offered by cloud providers

It is also important to understand that the encryption services offered by cloud service providers often do not sufficiently address this risk: if a provider is breached, criminals could gain access to the systems that hold, or can use, the decryption keys. As such, it is far better to encrypt the data using your own keys before transferring it to the provider – and to keep it encrypted whenever possible while it is present on the provider’s systems. Also keep in mind that if you rely on the SaaS provider for encryption and your password to the SaaS system is somehow compromised (for example, through social engineering or hacking at your site or at the SaaS provider’s site), a criminal could decrypt and steal your data. Additionally, if the government serves your cloud provider with a warrant for data and the only encryption in place is the provider’s, your data may end up in the hands of the government. (This is true even if you are not suspected of committing a crime, but some other party using the same cloud provider is.)

Likewise, significant risk is created by third-party providers offering services to any cloud service provider whose services your organization utilizes. Such third parties – who may handle administrative tasks such as billing, customer satisfaction surveys, or other functions – may have access to data stored at the SaaS provider, including your data. If your data is unencrypted, or is encrypted solely with keys belonging to the SaaS provider, a breach at the third party could lead to a compromise of your sensitive information. Even if both you and the SaaS provider maintain a high level of information security, you could be in for a nasty surprise; in fact, third-party access is known to have been a major contributor to some significant headline-making security breaches.
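The difference between relying on the provider’s encryption and adding a layer under keys you control, as an added example that is not part of the original article and not any provider’s code: the Go program below models a record being uploaded to a simulated SaaS provider that encrypts everything it stores under its own key, and then an attacker who has breached that provider (or a third party the provider trusts) and so can use the provider’s key. Assumptions are the example’s own: AES-256-GCM is the cipher (the article names no algorithm), all keys are random in-memory values standing in for a customer-held KMS or HSM key and for the provider’s key management, the record identifier is bound into each ciphertext as associated data so a blob cannot be silently moved between records, and the “patient 4711” record is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is what actually leaves the organization: nonce || AES-256-GCM ciphertext.
type Blob []byte

// newKey returns a random 256-bit key. Assumption for this example: keys live in
// memory; in practice a customer-held key would sit in an on-premises KMS or HSM.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key, binding recordID as associated data so a
// ciphertext copied from one record to another fails authentication.
func Seal(key []byte, recordID string, plaintext []byte) (Blob, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return Blob(g.Seal(nonce, nonce, plaintext, []byte(recordID))), nil
}

// Open reverses Seal; it fails if the key, the recordID or the ciphertext is wrong.
func Open(key []byte, recordID string, blob Blob) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(recordID))
}

// ExposureAfterBreach models the round trip: the customer optionally seals secret
// under customerKey, the provider seals whatever arrives under its own key and
// stores it, and an attacker who has breached the provider (or a third party the
// provider trusts) uses the provider's key to peel that outer layer off. The
// return value is what the attacker ends up holding.
func ExposureAfterBreach(customerKey []byte, id string, secret []byte) ([]byte, error) {
	payload := secret
	if customerKey != nil {
		sealed, err := Seal(customerKey, id, secret)
		if err != nil {
			return nil, err
		}
		payload = sealed
	}
	providerKey := newKey() // lives on the provider's systems, so a breach reaches it
	stored, err := Seal(providerKey, id, payload)
	if err != nil {
		return nil, err
	}
	return Open(providerKey, id, stored)
}

func main() {
	secret := []byte("patient 4711: diagnosis on file") // constructed sample record
	const id = "records/4711"

	got, _ := ExposureAfterBreach(nil, id, secret)
	fmt.Println("provider-only encryption, breach exposes plaintext:", bytes.Equal(got, secret))

	ck := newKey() // the customer's key never leaves the customer
	got, _ = ExposureAfterBreach(ck, id, secret)
	fmt.Println("customer key added, breach exposes plaintext:", bytes.Equal(got, secret))
	_, err := Open(ck, "records/4712", got)
	fmt.Println("ciphertext moved to another record is rejected:", err != nil)
	pt, _ := Open(ck, id, got)
	fmt.Println("holder of the customer key recovers the record:", bytes.Equal(pt, secret))
}
```

With only the provider’s layer, the breach returns the plaintext record; with the customer’s layer underneath, the attacker is left holding ciphertext that only the customer’s key opens, and the record identifier bound as associated data means the blob cannot be repurposed under another record even by someone who can rewrite the provider’s storage. The two-layer arrangement is exactly the “also encrypt with your own keys” recommendation: the provider’s encryption still protects against its own media loss, but it no longer stands alone.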

Be wary of providers that claim to have “military-grade encryption” or “bank level security” – often such inherently vague claims are made without regard for at least some of the aforementioned issues.

The bottom line is that if you have sensitive information you need to protect it from the time that it is created until the time that it is destroyed – including when it is in use at cloud service providers. Furthermore, you should also encrypt sensitive information using keys that are under your control – even if you also use the encryption provided by a SaaS provider.