SpiderLabs Blog

Protecting Zion: InfoSec Encryption Concepts and Tips

Written by David Broggy | Apr 29, 2024 1:00:00 PM

This is Part 9 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

In the movie The Matrix, The Key Maker controlled access to many locations and resources with the goal of preventing malicious code from destroying sensitive information. In a rare life-imitates-art situation, organizations today face the same challenge as they work to protect operational processes and corporate information. In this article, we’ll discuss a few encryption concepts as they pertain to security and offer some related tips.

Why Use Encryption

Encryption is a key pillar of cybersecurity best practice. If your data isn't protected, it can be read or maliciously modified, which means a loss of confidentiality and integrity.

Encryption at Rest and in Motion

Encryption can take many forms. Let’s focus on the two states sensitive data can be in:

  • Data at rest: When sensitive data is stored on a disk, USB drive, or in the cloud, it’s considered at rest.
  • Data in motion: When sensitive data is passed over the network, it’s considered in motion.

If the data isn’t considered sensitive, the need for encryption, whether at rest or in motion, is generally lower.

Encryption Protocols and Common Uses for Each

There are different encryption protocols depending on the requirement. Some examples you might recognize include:

Table 1: Common Encryption Protocols and Their Uses

Common Tools for Effective Encryption Usage

There are many challenges in protecting data both at rest and in motion. For example, just finding all the data that needs protecting means knowing whether it’s on a USB drive, a server, a database, a cloud drive, etc. With the evolution of the cloud, new methodologies have emerged that make it easier to find and encrypt data both at rest and in motion. Cloud vendors and other third-party tools offer a range of data protection services. Some examples of data protection tools include:

Data Protection Solutions

Data protection solutions apply a tag to data and then encrypt it. For example, Microsoft Purview offers data protection for on-prem and cloud data.

Key Stores

Key stores securely hold encryption keys so that access is tightly restricted to authorized resources only. Key stores don’t define what type of encryption is used; they only protect the keys the encryption process relies on. All cloud vendors offer key store services.

SASE: Secure Access Service Edge

As VPNs have done in the past, SASE provides encryption for end users accessing corporate resources. However, SASE can be much more granular in its segmentation of what can be accessed, and it can even enforce encryption for public-facing web applications outside the corporate network. You may also see SASE referred to as ZTNA, or Zero Trust Network Access.

Database Encryption

Databases contain structured, schematized data that requires specific encryption methods. Some examples include row-level encryption, table-level encryption, and full-database encryption. All cloud vendors support a variety of database encryption methods, but the supported methods differ between vendors, so some research is required.

CSPM: Cloud Security Posture Management

Although it doesn’t provide encryption itself, CSPM helps identify and advise on poor encryption practices, such as the use of deprecated authentication protocols.
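
To make that concrete, here is an added example (not part of the original post or of any vendor's product) of the kind of configuration check a CSPM tool runs: it encrypts nothing, it inspects settings and reports where at-rest or in-motion protection is weak. The inventory, its sensitivity labels and the deprecated-protocol lists are constructed for the illustration, and the severity rule reflects the earlier point that non-sensitive data lowers the need for encryption.

```python
# Constructed example of a CSPM-style posture check. Nothing here encrypts
# data; it inspects resource configuration and reports gaps. The inventory,
# sensitivity labels and deprecated-protocol sets are assumptions.
INVENTORY = [
    {"name": "hr-records-db", "kind": "database", "sensitivity": "high",
     "encrypted_at_rest": False, "min_tls": "1.2", "auth": "oauth2"},
    {"name": "public-assets", "kind": "storage", "sensitivity": "low",
     "encrypted_at_rest": False, "min_tls": "1.2", "auth": "none"},
    {"name": "legacy-file-share", "kind": "storage", "sensitivity": "high",
     "encrypted_at_rest": True, "min_tls": "1.0", "auth": "ntlmv1"},
]

DEPRECATED_TLS = {"1.0", "1.1"}      # in-motion protocol versions to retire
DEPRECATED_AUTH = {"ntlmv1", "basic"}  # illustrative list, an assumption


def assess(resource: dict) -> list[dict]:
    """Evaluate one resource against at-rest, in-motion and auth rules."""
    # Sensitivity drives severity: the same gap on non-sensitive data is
    # rated lower, matching the post's point about when encryption matters.
    sev = "high" if resource["sensitivity"] == "high" else "low"
    findings = []

    def add(control, fix):
        findings.append({"resource": resource["name"], "severity": sev,
                         "control": control, "fix": fix})

    if not resource["encrypted_at_rest"]:
        add("at-rest", "enable encryption at rest (service- or customer-managed key)")
    if resource["min_tls"] in DEPRECATED_TLS:
        add("in-motion", "raise the minimum TLS version to 1.2")
    if resource["auth"] in DEPRECATED_AUTH:
        add("authentication", "replace the deprecated protocol with a modern one")
    return findings


def posture_report(inventory: list[dict]) -> list[dict]:
    """Assess every resource and list findings, highest severity first."""
    findings = [f for r in inventory for f in assess(r)]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["resource"]))
```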

Encryption Best Practices

Because deciding where to apply encryption is complex, it’s a good idea to refer to compliance standards and/or cloud vendors’ recommendations. Here’s a list of common resources for encryption best practices:

Name | Region | Web Link
General Data Protection Regulation (GDPR) | European Union | https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Health Insurance Portability and Accountability Act (HIPAA) | United States | https://www.hhs.gov/hipaa/index.html
Payment Card Industry Data Security Standard (PCI DSS) | Global | https://www.pcisecuritystandards.org/pci_security/
Federal Information Processing Standards (FIPS) 140-2 | United States | https://csrc.nist.gov/publications/detail/fips/140/2/final
ISO/IEC 27001 | Global | https://www.iso.org/isoiec-27001-information-security.html
California Consumer Privacy Act (CCPA) | United States (California) | https://oag.ca.gov/privacy/ccpa
Sarbanes-Oxley Act (SOX) | United States | https://www.sec.gov/spotlight/sarbanes-oxley.htm
National Institute of Standards and Technology (NIST) | United States | https://www.nist.gov/
Center for Internet Security (CIS) Benchmarks | Global | https://www.cisecurity.org/cis-benchmarks/
Microsoft’s Well-Architected Framework | Global | https://learn.microsoft.com/en-us/azure/well-architected/security/encryption

Where NOT to trust encryption

Hackers have found some clever ways around encryption, so it’s important to educate your users on protecting their data in less secure environments. Some examples are:

  • Airports, coffee shops, and other public Wi-Fi locations – attackers commonly set up rogue hotspots and wait for unsuspecting users to connect so they can siphon off their credentials.
  • Token-Based Authentication Methods – Unfortunately, many web-based authorization methods are token based, so if an attacker obtains your authentication token before it expires, they may be able to use your login session. To avoid this issue, use FIDO keys or applications that support more dynamic token rotation, such as Microsoft’s CAE – Continuous Access Evaluation.
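
As an added example (not part of the original post, and not Microsoft's CAE implementation), the following sketch shows why an expiry check alone leaves a stolen token usable until it expires, and how a critical-event check modelled on the CAE idea closes that window as soon as the event is recorded. The signing key, token lifetime and event store are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a minimal HMAC-signed bearer token plus a "critical
# event" check in the spirit of Continuous Access Evaluation. SECRET,
# TOKEN_LIFETIME and CRITICAL_EVENTS are assumptions for the illustration.
SECRET = b"demo-signing-key-not-for-production"
TOKEN_LIFETIME = 3600  # seconds a token stays valid if nothing else happens

# subject -> UNIX time of its most recent critical event (password reset,
# account disabled, ...). An identity provider would feed this in reality.
CRITICAL_EVENTS: dict[str, int] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int) -> str:
    # Token is '<payload>.<signature>' with issued-at and expiry claims.
    claims = {"sub": subject, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def record_critical_event(subject: str, now: int) -> None:
    CRITICAL_EVENTS[subject] = now


def validate_token(token: str, now: int) -> tuple[bool, str]:
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    # Expiry alone leaves a stolen token usable until exp. Rejecting tokens
    # issued before the subject's last critical event closes that window.
    if CRITICAL_EVENTS.get(claims["sub"], -1) >= claims["iat"]:
        return False, "revoked by critical event"
    return True, "ok"
```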

Summary

Cloud security solutions are making it easier to encrypt and protect information. Follow the guidance from security vendors and security best practices to develop and grow your organization's data protection policies.

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions.

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.