Decrypting encryption
With the impending GDPR deadline, the topic of data encryption has become a top priority, after being dormant for decades. Secure is now, well, sexy. It is a shame that encryption is still so misunderstood, as it is just a tool like any other. Below are the three key approaches to encryption in use today and, as you will see, your own IT team is key...
Machine-level encryption – preventing external theft
If you are a small business, you may simply want to know your data is safe from physical theft. Low-level hard drive encryption secures a machine's data so that even if it is stolen, the data cannot be accessed by prying eyes. Microsoft BitLocker, for example, provides that blanket protection without your users or applications needing to know or care.
However, if someone is inside the business – a staff member or consultant perhaps – and they can access that hard drive, all the data is still "in the clear" for all users, unless further or more targeted steps are taken:
Directory or Database level encryption – preventing internal theft
A larger business may be looking at securing its systems to ensure the safety of sensitive PII data from theft by both normal users and departmental IT staff who may still need to support those systems. Typically this data is accessed only via the business applications, which control access at a user level. What is important is that the raw data of those systems cannot be read if accessed directly or stolen. Here you can use Microsoft EFS (Encrypting File System) for files and directories, or Microsoft SQL Server Transparent Data Encryption (TDE) for databases, to prevent users on your network from reading these raw assets. Again, applications should not need to know that this encryption is in place. It is something that the IT team can implement, and these are configurations that software vendors should willingly support.
With the above two approaches, we have already covered encryption needs for 95% of businesses. In some cases, it is necessary to have a mix of encrypted data and clear data in the same business application – rather like a password-protected attachment in an email. This is where applications themselves offer specific support and functionality for data security.
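As an added illustration (not part of the original article), this is roughly what enabling SQL Server transparent encryption looks like for the IT team, with no application changes. The database name SalesDb, the certificate name TdeCert, the backup paths and the passwords are placeholders chosen for this example.

```sql
-- Added example: SalesDb, TdeCert, the D:\KeyBackup paths and both
-- passwords are placeholders, not values from the article.
USE master;
GO
-- 1. Database master key in master; it protects the certificate below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-1>';
GO
-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back up the certificate and private key before turning encryption on.
--    Without them, the database files and backups cannot be restored
--    on another server. Store the backup away from the database host.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password-2>'
    );
GO
-- 4. Create the database encryption key and switch encryption on.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 5. Audit every database on the instance.
--    encryption_state: 2 = encryption in progress, 3 = encrypted;
--    NULL means the database has no encryption key at all.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
ORDER BY d.name;
```

This protects the data files, log files and backups at rest; anyone who can query the database through SQL Server with valid permissions still sees clear data, which is why access control in the business application remains the other half of the picture.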
Document, Application or fine-grained encryption – preventing in-application theft
Working at this level requires the application itself to be aware of encryption and is a more complex and expensive topic. For most situations it is not needed, but it can be important if it is the only way to use a system for both common and sensitive data at the same time. If this is your requirement, then it is critical you discuss it in detail with your software vendor. If you can avoid it - do so.
Enabling encryption for most business data is actually really quick and painless. Don’t let yourself be bamboozled by the technical terms, just focus on your key threats and obligations – and get that encryption done!
Stuart, thanks for sharing!