By Ben Kast   /   May 18th, 2021

Data Encryption Best Practices

Data Encryption imageIf you haven’t noticed, the cyber threat landscape is heating up. You are not imagining the uptick in ransomware attacks. The threat is real, and your data is at risk. If protecting data is your main concern, employing the proper use of advanced encryption is your best tool. To help you get started, we have compiled a list of data encryption best practices that will help you strengthen your organization’s cybersecurity posture.

Encryption and cryptography are complex topics. For the average person, the deeper you dig into it the more you realize just how much you don’t know. As a security practitioner I’ve developed some approaches to thinking about it that helps me simplify the complexity to ensure the most important areas are covered. What follows is a high-level primer on encryption and then some high-level data encryption best practices worth following. As mentioned, it is a big topic and there are a number of additional encryption areas that will be covered in a forthcoming blog post. For additional information, you can also watch our on-demand webinar.

The Basics – An Executive Summary of Encryption

  • What is encryption? A simple way to think about it is as a process of scrambling data so it can only be read by authorized people (e.g., those with the right encryption key).
  • Why do we need cryptography? Mainly, to keep things confidential. For example, to hide passwords and credit card numbers, protect databases and data on hard drives, keep conversations private, verify message integrity, and increasingly to maintain the integrity of digital currency (i.e., cryptocurrency) and other digital assets (i.e., non-fungible tokens (NFTs) and digital contracts).
  • How does cryptography work? It requires two things encryption and decryption. For encryption, a cipher (think, algorithm) and encryption key (think, string of characters used in conjunction with a cipher) are used to encrypt (scramble) plaintext (think, a human-readable message like what you are reading now) and turn it into what is called ciphertext (essentially unreadable output). There are two kinds of encryption, symmetric and asymmetric.
    • In symmetric encryption the same key is used for encrypting plaintext and decrypting ciphertext.
    • In asymmetric encryption (A.K.A. public key encryption) – two different keys are used, a public key and a private key – and the private key is kept secret. If one of the keys in the key pair is used to encrypt plaintext only, the other key can decrypt it.
    • There are some hybrid uses of asymmetric and symmetric encryption, most notably Transport Layer Security (TLS), which is the encryption used to secure web communications (e.g., HTTPS). It’s worth it to spend some time to understand how that works. With TLS a website uses asymmetric encryption by maintaining a public and private key pair, with the public key being presented to the website’s visitor as its TLS certificate and the private key being securely stored on the server and used to validate the server’s authenticity. When a user visits the website, it sets off what is called a “TLS handshake,” where the website and its visitor use the public key (presented to the visitor via the TLS certificate) and private key (stored securely on the server) to generate a new “session” (conversation) key, which is used by both the server and the client (visitor) to maintain secure communications for the duration of the session (conversation). The first part, using the private and public key pair to generate the session key is asymmetric encryption, the second part where both the server and client use the same session key to maintain the secure communications is symmetric encryption.

High-level Data Encryption Best Practices: A Deeper Technical Guide

Data encryption best practices suggest you should be using encryption at rest, encryption in transit and email encryption. Let’s look at these three different encryption options more closely:

  1. Encryption at rest refers to the encryption of stored data, e.g., data stored on a hard drive. Whether it is your iPhone’s hard drive, your PC’s hard drive, a removable hard drive, flash drive, or network or cloud data storage, encryption at rest can either be done at the file level, or by encrypting the full disk. In any event, encryption at rest employs symmetric encryption, that is, encryption that uses the same encryption key to encrypt and decrypt the data.

In general, if you want to keep data secure, data encryption best practices suggest you should use full disk encryption, or at the very least file encryption. Full disk encryption ensures that even if the hard disk is lost or stolen the data is secure and can only be decrypted with the encryption key.

Likewise, file level encryption requires the encryption key to decrypt the file, however, additional overhead is required for managing encryption at the file level, whereas all files residing on a given drive will be encrypted with full disk encryption.

As for encryption of data at rest in the cloud, data encryption best practices suggest both file level and full disk encryption can be used. When storing data in the cloud the use of encryption is even more important as it is the primary data safeguard under the control of the cloud customer, so that in the event there is a breach of a cloud provider’s systems, malicious actors will not be able to decrypt the cloud customer’s data without the encryption key(s). This also brings to light another one of our data encryption best practices – your encryption keys should always be stored securely offline, ideally using key escrow. AES encryption is an industry standard for data security and has 128-bit, 192-bit and 256-bit implementations with AES-256 bit being the most secure.

  1. Encryption in transit refers to the use of encryption to protect data as it moves from one location to another. For example, when you connect to your bank’s website to check your account balance, encryption in transit protects your authentication credentials (username and password) and any data shared between you and your bank’s website. TLS encryption – the hybrid asymmetric/symmetric encryption described above in the primer — is employed in these cases over the HTTPS protocol. Additionally, when you connect to a computer using the Secure Shell Protocol (SSH) it employs the use of asymmetric encryption (public-key encryption) to secure data communications.

SSH is commonly used to login to remote systems to issue commands and is a secure replacement for older communication protocols like Telnet. For web transport layer security (e.g., TLS), LMG Security recommends cipher suites include TLS versions 1.2 or 1.3, Elliptical Curve Diffie-Hellman (ECDH) with 128-bit AES encryption or greater, RSA with 128-bit AES encryption or greater, and GCM-mode cipher suites in lieu of CBC-mode cipher suites. As for SSH encryption always ensure that deprecated encryption algorithms are disabled.

  1. Email Encryption refers to the encryption of email message content. Email lives in both the encryption at rest and encryption in transit worlds. Most contemporary email clients send and receive email utilizing encryption while in transit but the message itself is not encrypted, so once the email is received – or in the event it is intercepted en route — the contents are in plaintext.

S/MIME and Pretty Good Privacy (PGP) encryption are commonly used for the encrypting and decrypting of the actual contents of email messages. Like TLS, PGP encryption uses both symmetric and asymmetric encryption. There is some overhead involved in using PGP encryption, mainly related to the management of email users’ encryption key pairs. Furthermore, the participants in the email exchange must have each other’s public key to encrypt and decrypt the messages.

If your intent is to ensure that email messages remain secure PGP encryption provides a good option. However, due to the management overhead involved, many organizations utilize secure email platforms that don’t require the key management overhead of PGP.

Bottom line, if your organization manages sensitive information — especially personally identifiable information (PII), electronic protected health information (ePHI), or financial information — email encryption is a data encryption best practice that should be employed to minimize the chance of sensitive email messages being intercepted by unauthorized people. In addition to PGP encryption, there are a range of secure email platforms that can be utilized by organizations for the purpose of keeping email messages secure.

As you can see, encryption is a really big topic and I have only skimmed the surface. Hopefully keeping these considerations top of mind will help you to determine any weak areas in your use of encryption. There are several related areas I did not get to covering, like the use of encryption in ransomware, encryption used in secure messaging platforms, and more. Stay tuned for my upcoming blogs that will cover these areas and include more data encryption best practices.

Contact us if you would like assistance in developing strong data encryption policies.

About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).