SpiderLabs Blog

Protecting Zion: InfoSec Encryption Concepts and Tips

Written by David Broggy | Apr 29, 2024 1:00:00 PM

This is Part 9 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

In the movie The Matrix, The Key Maker controlled access to many locations and resources with the goal of preventing malicious code from destroying sensitive information. In a rare life-imitates-art situation, organizations today face the same challenge as they work to protect operational processes and corporate information. In this article, we’ll discuss a few encryption concepts as they pertain to security and offer some related tips.

 

Why Use Encryption

Encryption is a key pillar in cybersecurity best practices. If your data isn't protected, it can be maliciously modified, which leads to loss of integrity and confidentiality.

 

Encryption at Rest and in Motion

Encryption can take many forms. Let’s focus on the following encryption methods:

  • Data at rest: When sensitive data is stored on a disk, USB drive, or in the cloud, it’s considered at rest.
  • Data in motion: When sensitive data is passed over the network, it’s considered in motion.

If the data isn’t considered sensitive, the need for encryption, whether at rest or in motion is generally lower.

 

Encryption Protocols and Common Uses for Each

There are different encryption protocols depending on the requirement. Some examples you might recognize include:


Table 1: Common Encryption Protocols and their Uses

 

Common Tools for Effective Encryption Usage

There are many challenges when protecting data both at rest and in motion. For example, just finding all the data that needs protecting means knowing whether it’s on a USB drive, a server, a database, a cloud drive, etc. With the evolution of the cloud, new methodologies have risen to make it easier to find and encrypt data both at rest and in motion. Cloud vendors and other 3rd party tools offer a range of data protection services. Some examples of data protection tools include:

Data Protection Solutions

Data Protection Solutions applies a tag to data and then encrypts it. For example, Microsoft’s Purview offers data protection for on-prem and cloud data.

 

Key Stores

Key Stores securely hold encryption keys, so access is tightly restricted to only the authorized resources. Keystores don’t define what type of encryption is used; they just protect the keys used by the encryption process. All cloud vendors offer keystore services.

 

SASE: Secure Access Service Edge

As VPNs have done in the past, SASE provides encryption for end users accessing corporate resources. However, SASE can be much more granular in its segmentation of what can be accessed, and it can even ensure encryption is used against public-facing web applications not in the corporate network. You may also see SASE referred to as ZTNA or Zero Trust Network Access.

 

Database Encryption

Databases contain structured, schematized data that requires specific encryption methods. Some examples include row-level encryption, table-level encryption, and full encryption. All cloud vendors support a variety of database encryption methods, but the support methods may be different for each vendor, so some research is required.

 

CSPM: Cloud Security Posture Management

Although it doesn’t provide encryption, CSPM helps identify and advise on poor encryption practices such as using deprecated authentication protocols.

 

Encryption Best Practices

Due to the complexity of where to use encryption, it’s a good idea to refer to compliance standards and/or cloud vendor’s recommendations. Here’s a list of common resources for encryption best practices:

Name

Region

Web Link

General Data Protection Regulation (GDPR)

European Union

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Health Insurance Portability and Accountability Act (HIPAA)

United States

https://www.hhs.gov/hipaa/index.html

Payment Card Industry Data Security Standard (PCI DSS)

Global

https://www.pcisecuritystandards.org/pci_security/

Federal Information Processing Standards (FIPS) 140-2

United States

https://csrc.nist.gov/publications/detail/fips/140/2/final

ISO/IEC 27001

Global

https://www.iso.org/isoiec-27001-information-security.html

California Consumer Privacy Act (CCPA)

United States (California)

https://oag.ca.gov/privacy/ccpa

Sarbanes-Oxley Act (SOX)

United States

https://www.sec.gov/spotlight/sarbanes-oxley.htm

National Institute of Standards and Technology (NIST)

United States

https://www.nist.gov/

Center for Internet Security (CIS) Benchmarks

Global

https://www.cisecurity.org/cis-benchmarks/

Microsoft’s Well Architected Framework

Global

https://learn.microsoft.com/en-us/azure/well-architected/security/encryption

 Table 2: list of common resources for encryption best practices

 

Where NOT to trust encryption

Hackers have found some clever ways around encryption, so it’s important to educate your users on protecting their data in less secure environments. Some examples are:

  • Airports, coffee shops, and other public WiFi locations – hackers will commonly set up wifi hotspots and wait for unassuming users to connect, so they can siphon off their credentials.
  • Token-Based Authentication Methods – Unfortunately, many web-based authorization methods are token based, so if an attacker can get access to your authentication token and the token has not expired, they may have access to your login session. To avoid this issue, use FIDO keys or applications that support more dynamic token key rotation, such as Microsoft’s CAE – Continuous Access Evaluation.

 

Summary

Cloud security solutions are making it easier to encrypt and protect information. Follow the guidance from security vendors and security best practices to develop and grow your organization's data protection policies.

 

References

 

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions.

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

 

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

 

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.