Julius Caesar Used Encryption. Shouldn’t You?

Encryption is the process by which information is converted from a readable format into one that obscures its meaning from those without the authorisation or ability to decipher it and has long been used to protect sensitive information from prying eyes.

Julius Caesar around 100 BC, was known to use a form of encryption to convey secret messages to his army generals posted in the war front. This substitution cipher, known as Caesar cipher, is perhaps the most mentioned historic cipher in academic literature. In a substitution cipher, each character of the plain text (plain text is the message which must be encrypted) is substituted by another character to form the cipher text (cipher text is the encrypted message). The variant used by Caesar was a shift by 3 ciphers. Each character was shifted by 3 places, so the character 'A' was replaced by 'D', 'B' was replaced by 'E', and so on. 

Encryption is invaluable for ensuring that sensitive information that falls into the wrong hands, is prevented from being of use to anyone without the ability to decrypt that information.

This has huge benefits when compliance regulations come into play following a data breach as, if the data was encrypted the requirements for public disclosure are minimised, as the risk to data compromise has been eliminated. This is often referred to as ‘safe harbour’ and can be a life saver to organisations facing the stress of a data loss, with all its related impact on the business.

Encryption with its various techniques of securing data has a key role to play in keeping sensitive and confidential information protected wherever it resides or is being transmitted to, for example in emails.

As a technology it can be deployed for data stored in servers, back up devices and cloud services, often referred to as Data at Rest. For data in motion, encryption can be used to secure the transmission path by creating a unique closed point to point route between two or more points and eliminates the risk of a ‘man-in-the-middle’ attack, where a bad actor sits in between your transmissions and looks at your data.

Originally considered to be a complex technology to deploy and manage, it has now moved on and can be easily used by anyone. Gone are the fears that it will slow down access to data or double the size once encrypted. 

Here are some points you should know about encryption:

1.    Due to the increasing levels of both businesses and individuals falling victim to a plethora of cyber attacks, the need for encryption is at an all-time-high.

2.    Tokenisation is a form of encryption where applications can still operate but using tokens so that sensitive data is hidden, reducing  risk of exposure. An example of where it would be used is for medical research purposes, where large sets of data related to people are analysed but sensitive data  that could be used to identify a person, is replaced with tokens.

3.    Data masking encryption scrambles information, but it is often done more selectively. An example of where it is particularly useful is in redacting sensitive data in documents such as emails and office productivity documents, so that they can be sent largely in plain text but with sensitive information, such as credit card numbers, hidden or masked.

4.     Providers such as Google or Microsoft, or other centralised providers, offer encryption but if they hold the encryption key, they may de-code data if officially asked to, by a government or law enforcement agencies, or worse still  if one of their employees wants to sell your data. For this reason, the technique of ‘bring your own key’ has been introduced where you hold and control your own keys outside of any service provider.

5.    End-to-End encryption stops third parties accessing data, as it flows from the sender to receiver only and is used by apps such as WhatsApp. Private networks called Virtual Private Networks (VPN)can be set up to achieve this.

6.    Public/Private Key encryption is available for all to use but, only the intended receiver will have the decryption key by which to unlock the communication. This process works so any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

7.    Key Management: If keys and certificates are not properly secured the organisation is open to attack, no matter what security controls are in place. Always consider adding a High Security Module HSM into any encryption plan. The HSM will also help define any key rotation needs and processes to change the key used in any data set.

8.     Encryption is based on levels of complexity and thus security. The higher the encryption number  the better the encryption code. Typically, 256bit encryption is the standard level.

9.     There are many names for encryption codes. Some are held for government use only and many others are proprietary. The most common commercial and widely recognised as being of a strong level of encryption are AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman) and DES (Data Encryption Standard). Go for these rather than an unproven version.

10.    Encryption when linked to access control can be a powerful tool in separation of duties by controlling who or what process can see the data. This means users, in particular system administrators, can be prevented from reading the data but still allowed to manage it, for example to do backups.

We all want to be able to communicate securely and without interference. Encryption can help us to achieve this and should be considered a core part, if not the starting point of any data security strategy that organisations develop both for data at rest and in motion.

For both data security needs and for achieving regulatory compliance, encryption should be the baseline for any data security strategy.

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

PAM, IAM, Or Both?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Meta Will Contest EU $1.3B Data Privacy Fine
Artificial Intelligence To Replace 55,000 Telecom Jobs »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cybsecurity Foundation (CSF)

Cybsecurity Foundation (CSF)

Cybsecurity is a non-profit NGO, which aims to work on improvement of security levels in the Polish cyberspace.

Arthur J Gallagher & Co

Arthur J Gallagher & Co

Arthur J. Gallagher & Co. is a global insurance brokerage and risk management services firm. Services include Cyber Liability insurance.

Center for Identity - University of Texas at Austin

Center for Identity - University of Texas at Austin

The mission of the Center is to deliver the highest-quality discoveries, applications, education, and outreach for excellence in identity management, privacy, and security.

TEISS

TEISS

Teiss.co.uk is a website dedicated to providing information about cyber security. TEISS also provide a series of conferences and events focused on cyber security.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

Spherical Defense

Spherical Defense

Spherical Defense offers an alternative approach to WAFs and first generation API security tools.

Naval Dome

Naval Dome

Naval Dome provides the first maritime multilayer cyber defense solution for mission critical onboard systems.

BA-CSIRT

BA-CSIRT

BA-CSIRT is a center which is dedicated to assist and raise awareness among citizens and the Government of the City of Buenos Aires in everything related to information security.

Firedome

Firedome

Firedome's tailormade solution for IoT companies is designed to proactively prevent, detect, and respond to inevitable vulnerabilities in connected devices.

X4 Technology

X4 Technology

X4 Technology is a leader in finding the very best technology talent for some of the world’s most innovative start-ups and globally recognised brands.

CAPSLOCK

CAPSLOCK

CAPSLOCK delivers career-changing cyber training to help adults re-skill. Learn online to become a cyber security professional and pay no tuition until you land a high-paying job.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Matrixforce

Matrixforce

Matrixforce is a vetted IT support provider that uses the patented Delta Method of streamlining technology for financial and professional service firms to reduce complexity and avoid risk.

AHAD

AHAD

AHAD provides cybersecurity, digital transformation, and risk management services and solutions to Government, Fortune 500, And Start-Up Companies in the Middle East region.

Skyhigh Security

Skyhigh Security

Skyhigh Security enables your remote workforce while addressing your cloud, web, data, and network security needs.

Auxilion

Auxilion

Auxilion is an award-winning provider of consulting and IT support services, technologies and consulting for public and private organisations in the UK and Ireland.