Protecting Zion: InfoSec Encryption Concepts and Tips
This is Part 9 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.
In the movie The Matrix, The Key Maker controlled access to many locations and resources with the goal of preventing malicious code from destroying sensitive information. In a rare life-imitates-art situation, organizations today face the same challenge as they work to protect operational processes and corporate information. In this article, we’ll discuss a few encryption concepts as they pertain to security and offer some related tips.
Why Use Encryption
Encryption is a key pillar in cybersecurity best practices. If your data isn't protected, it can be maliciously modified, which leads to loss of integrity and confidentiality.
Encryption at Rest and in Motion
Encryption can take many forms. Let’s focus on the following encryption methods:
- Data at rest: When sensitive data is stored on a disk, USB drive, or in the cloud, it’s considered at rest.
- Data in motion: When sensitive data is passed over the network, it’s considered in motion.
If the data isn’t considered sensitive, the need for encryption, whether at rest or in motion is generally lower.
Encryption Protocols and Common Uses for Each
There are different encryption protocols depending on the requirement. Some examples you might recognize include:
Table 1: Common Encryption Protocols and their Uses
Common Tools for Effective Encryption Usage
There are many challenges when protecting data both at rest and in motion. For example, just finding all the data that needs protecting means knowing whether it’s on a USB drive, a server, a database, a cloud drive, etc. With the evolution of the cloud, new methodologies have risen to make it easier to find and encrypt data both at rest and in motion. Cloud vendors and other 3rd party tools offer a range of data protection services. Some examples of data protection tools include:
Data Protection Solutions
Data Protection Solutions applies a tag to data and then encrypts it. For example, Microsoft’s Purview offers data protection for on-prem and cloud data.
Key Stores
Key Stores securely hold encryption keys, so access is tightly restricted to only the authorized resources. Keystores don’t define what type of encryption is used; they just protect the keys used by the encryption process. All cloud vendors offer keystore services.
SASE: Secure Access Service Edge
As VPNs have done in the past, SASE provides encryption for end users accessing corporate resources. However, SASE can be much more granular in its segmentation of what can be accessed, and it can even ensure encryption is used against public-facing web applications not in the corporate network. You may also see SASE referred to as ZTNA or Zero Trust Network Access.
Database Encryption
Databases contain structured, schematized data that requires specific encryption methods. Some examples include row-level encryption, table-level encryption, and full encryption. All cloud vendors support a variety of database encryption methods, but the support methods may be different for each vendor, so some research is required.
CSPM: Cloud Security Posture Management
Although it doesn’t provide encryption, CSPM helps identify and advise on poor encryption practices such as using deprecated authentication protocols.
Encryption Best Practices
Due to the complexity of where to use encryption, it’s a good idea to refer to compliance standards and/or cloud vendor’s recommendations. Here’s a list of common resources for encryption best practices:
|
Name |
Region |
Web Link |
|
European Union |
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en |
|
|
United States |
||
|
Payment Card Industry Data Security Standard (PCI DSS) |
Global |
|
|
Federal Information Processing Standards (FIPS) 140-2 |
United States |
|
|
Global |
||
|
California Consumer Privacy Act (CCPA) |
United States (California) |
|
|
United States |
||
|
National Institute of Standards and Technology (NIST) |
United States |
|
|
Center for Internet Security (CIS) Benchmarks |
Global |
|
|
Microsoft’s Well Architected Framework |
Global |
https://learn.microsoft.com/en-us/azure/well-architected/security/encryption |
Table 2: list of common resources for encryption best practices
Where NOT to trust encryption
Hackers have found some clever ways around encryption, so it’s important to educate your users on protecting their data in less secure environments. Some examples are:
- Airports, coffee shops, and other public WiFi locations – hackers will commonly set up wifi hotspots and wait for unassuming users to connect, so they can siphon off their credentials.
- Token-Based Authentication Methods – Unfortunately, many web-based authorization methods are token based, so if an attacker can get access to your authentication token and the token has not expired, they may have access to your login session. To avoid this issue, use FIDO keys or applications that support more dynamic token key rotation, such as Microsoft’s CAE – Continuous Access Evaluation.
Summary
Cloud security solutions are making it easier to encrypt and protect information. Follow the guidance from security vendors and security best practices to develop and grow your organization's data protection policies.
References
- Microsoft Well Architected Framework
- Azure Data Security Best Practices
- AWS Encryption Best Practices
- AWS Encryption Best Practices
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions.
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.