What is enhanced encryption? is the question posed, and answered, by Colin Tankard, pictured, Managing Director of the IT and data security firm Digital Pathways.
Encryption is essential for protecting information that is in storage, such as on a device, in a data-base or in a cloud service, as well as when it is being transmitted—generally referred to as data at rest and data in motion. It ensures that data is safeguarded against loss or unauthorised access.
For regulations such as GDPR that mandate notification of authorities and data subjects in the case of a personal data breach, notification can be avoided if the data has been protected in such a way that it cannot be accessed by those without authorisation to do so. In the case of encryption, a person would need access to the cryptographic key used to encrypt and decrypt the data.
Access controls should then be applied to all data according to its defined sensitivity, paying particular attention to the role of privileged users. Generally, organisations should look to assign the least level of access privileges required to persons according to their role and their need to pro-cess and communicate personal and sensitive information. Yet, this is not a one-off exercise. People regularly change roles, leave or are hired by an organisation requiring that access entitlements are regularly reviewed to ensure that they are appropriate as situations change and so that no one has more access privileges than their current role requires.
By linking access control with encryption it can also enable separation of duties, enabling administrators to manage the data i.e. back-up, but blind them from reading the content. Such controls are invaluable in handling sensitive information such as Contracts of Employments, Mergers and Acquisitions and Intellectual Property.
Data classification: Knowing what data needs protecting by its value to the company is a key start-ing point. Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information.
Key Management: If keys and certificates are not properly secured the organisation is open to at-tack, no matter what security controls are in place. Always consider adding a High Security Module (HSM) into any encryption plan. The HSM will also help define any key rotation needs and processes to change the key used in any data set.
Encryption is fundamental in securing your data. Access control adds even more protection by making sure only the right people can access that data.
Visit: www.digpath.co.uk.
