Encryption is one of the most essential parts of any security strategy. Data that's stored in readable 'plaintext' format is a tempting target for hackers, whether it’s at rest in a business' data center, or in motion when it’s being transferred from one user or system to another.
Encrypting this data to make it unreadable helps protect companies so that, even if they do fall victim to a breach, their most precious data is not compromised. But there are a large number of standards and technologies used for encryption, and some are more secure than others. So how do firms ensure their information is protected, while at the same time allowing people who do have authorization to read it easily?
When sending data securely - whether this is via email, file transfer or a cloud sharing service - there are three key types of encryption that you need to be aware of:
The symmetric encryption method uses a single key both to encrypt and decrypt the data. This makes the operation simpler and allows data to be encrypted and decrypted very quickly. However, if this type of encryption is deployed, it’s imperative that the key itself is kept secure; if it is compromised, it’s easy for a hacker to read the data.
Therefore, symmetric encryption is more useful in narrow circumstances where the sender and the recipient of data can share the key without risk of interception, such as meeting face-to-face. Ensuring keys are changed frequently is also important.
The second major encryption method is asymmetric encryption, also sometimes known as public key encryption. In this case, a different key is used to encrypt and decrypt data. These two keys are commonly known as the public key, which is able to be shared widely, and the private key, which is known only to one individual. While either one can be used to encrypt data, it can then only be decrypted by the other key.
This is considered much more secure than symmetric encryption, as there’s no need to share the decryption key. It also makes key management much simpler. With symmetric encryption, a user must generate a new key for every contact to ensure security. However, with asymmetric encryption, the public key can be shared and used by anyone to encrypt data without compromising security.
Asymmetric encryption also allows a higher level of verification to ascertain the sender or recipient's identity, avoiding the risk of a hacker spoofing an email address, for example. This is done through a digital signing system, with trusted third parties such as Certificate Authorities providing assurances the owner of a key is who they claim to be.
Hashing involves replacing the contents or summary of a file with a fixed-length value based on a mathematical formula. It's often considered an encryption method, but this isn't entirely accurate, as there are a few important differences. A key feature of hashing is that the data is not intended to be decrypted, so the process should ideally be irreversible. Instead, it’s used as a verification method.
The most familiar form of this is password hashing. Any good server won't store its users' passwords in plaintext, where a hacker can easily read them. Instead, it will use a specific formula to hash them. Then, when the user types their password, the same formula is used on the text they enter and compared to the stored hash.
As the process is repeatable, if the same input (the password) was used, the same output (the hash) will be returned. This therefore allows data such as passwords to be verified without ever storing the actual password.
The key types of encryption algorithms
While all encryption protocols fall into one of the above categories, they're not created equal. Some offer much stronger protections than others, while others may offer some compromise on security in order to increase usability. Here are some of the most common types:
Developed to replace the original Data Encryption Standard (DES) - one of the first modern encryption tools - Triple DES is a symmetric standard, using three 56-bit encryption keys. It's slowly being phased out in favor of more secure tools, but is still common.
A public key encryption algorithm, this is one of the most commonly-used tools for sending encrypted data over the internet. It's used in key protocols like PGP and is regarded as very tough to break.
Advanced Encryption Standard (AES) is the algorithm trusted by organizations including the US government. A successor to DES, it offers 128-bit keys, as well as even tougher 192 and 256-bit keys for the most secure encryption. It's considered impervious to all but the biggest brute force attacks and is widely seen as a de facto standard for protecting data.
Can hackers bypass encryption and steal your data?
No encryption technology is perfect, and it will be possible for especially determined hackers to bypass it in order to steal your data. However, breaking into encrypted files to make them readable is often hugely resource-intensive and impractical, especially when using tougher encryption standards such as 256-bit AES.
It's far more efficient for hackers to find ways around encryption than attempt a brute force approach. For example, it's much easier to try and steal encryption keys or passwords that will allow them access to protected databases. As such, it's vital firms deploy a defense in depth strategy that protects these resources, as well as their key data, and a key part of this should be cryptography key protection.
Learn more: What Exactly is Cryptography (and How Does it Work)?
Building a strong encryption strategy
A strong security strategy requires more than encryption itself. In fact, the encryption of your files should be viewed as a last line of defense to protect data that's already compromised. The best solution will ensure this is combined with other technology to reduce the risk of hackers breaching your perimeter in the first place.
This should start with solutions such as next-generation firewalls, which will be the first point of contact with any attack. An effective system can do much more than block suspicious traffic - it can also provide visibility across your network to prevent instructions and apply emerging threat intelligence to your systems. This should also be backed up by tools such as endpoint and cloud security defenses to ensure the best coverage.
Why combine encryption and tokenization
When discussing encryption, you may hear it contrasted against tokenization which, instead of encrypting data, replaces it with a 'token' - a meaningless string of characters that reference the original data, but cannot be used to guess its value. This offers a number of advantages. As there's no direct relationship, you can't reverse-engineer a token back to the original data.
Like encryption, tokenization has its own pros and cons. Therefore, you shouldn't treat it as an 'either or' option. While the two aren't interchangeable, they can be used to complement each other within a business.
Certain types of data, such as large files containing unstructured data, will be better suited to encryption. Others, however, such as simple, structured data like social security numbers or account numbers favor tokenization. Knowing when to use each is a key part of ensuring your data is protected, but they should both be part of your security landscape.
- 7 Types of Security Threat and How to Protect Against Them
- 5 Encryption Mistakes Every IT Security Pro Falls For
- Endpoint Hardening: How Thinking Like a Hacker Can Reinforce Your Cyber Defenses
Access the latest business knowledge in IT
Join the conversation...