Julius Caesar Used Encryption. Shouldn’t You?

Encryption is the process by which information is converted from a readable format into one that obscures its meaning from those without the authorisation or ability to decipher it and has long been used to protect sensitive information from prying eyes.

Julius Caesar around 100 BC, was known to use a form of encryption to convey secret messages to his army generals posted in the war front. This substitution cipher, known as Caesar cipher, is perhaps the most mentioned historic cipher in academic literature. In a substitution cipher, each character of the plain text (plain text is the message which must be encrypted) is substituted by another character to form the cipher text (cipher text is the encrypted message). The variant used by Caesar was a shift by 3 ciphers. Each character was shifted by 3 places, so the character 'A' was replaced by 'D', 'B' was replaced by 'E', and so on. 

Encryption is invaluable for ensuring that sensitive information that falls into the wrong hands, is prevented from being of use to anyone without the ability to decrypt that information.

This has huge benefits when compliance regulations come into play following a data breach as, if the data was encrypted the requirements for public disclosure are minimised, as the risk to data compromise has been eliminated. This is often referred to as ‘safe harbour’ and can be a life saver to organisations facing the stress of a data loss, with all its related impact on the business.

Encryption with its various techniques of securing data has a key role to play in keeping sensitive and confidential information protected wherever it resides or is being transmitted to, for example in emails.

As a technology it can be deployed for data stored in servers, back up devices and cloud services, often referred to as Data at Rest. For data in motion, encryption can be used to secure the transmission path by creating a unique closed point to point route between two or more points and eliminates the risk of a ‘man-in-the-middle’ attack, where a bad actor sits in between your transmissions and looks at your data.

Originally considered to be a complex technology to deploy and manage, it has now moved on and can be easily used by anyone. Gone are the fears that it will slow down access to data or double the size once encrypted. 

Here are some points you should know about encryption:

1.    Due to the increasing levels of both businesses and individuals falling victim to a plethora of cyber attacks, the need for encryption is at an all-time-high.

2.    Tokenisation is a form of encryption where applications can still operate but using tokens so that sensitive data is hidden, reducing  risk of exposure. An example of where it would be used is for medical research purposes, where large sets of data related to people are analysed but sensitive data  that could be used to identify a person, is replaced with tokens.

3.    Data masking encryption scrambles information, but it is often done more selectively. An example of where it is particularly useful is in redacting sensitive data in documents such as emails and office productivity documents, so that they can be sent largely in plain text but with sensitive information, such as credit card numbers, hidden or masked.

4.     Providers such as Google or Microsoft, or other centralised providers, offer encryption but if they hold the encryption key, they may de-code data if officially asked to, by a government or law enforcement agencies, or worse still  if one of their employees wants to sell your data. For this reason, the technique of ‘bring your own key’ has been introduced where you hold and control your own keys outside of any service provider.

5.    End-to-End encryption stops third parties accessing data, as it flows from the sender to receiver only and is used by apps such as WhatsApp. Private networks called Virtual Private Networks (VPN)can be set up to achieve this.

6.    Public/Private Key encryption is available for all to use but, only the intended receiver will have the decryption key by which to unlock the communication. This process works so any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

7.    Key Management: If keys and certificates are not properly secured the organisation is open to attack, no matter what security controls are in place. Always consider adding a High Security Module HSM into any encryption plan. The HSM will also help define any key rotation needs and processes to change the key used in any data set.

8.     Encryption is based on levels of complexity and thus security. The higher the encryption number  the better the encryption code. Typically, 256bit encryption is the standard level.

9.     There are many names for encryption codes. Some are held for government use only and many others are proprietary. The most common commercial and widely recognised as being of a strong level of encryption are AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman) and DES (Data Encryption Standard). Go for these rather than an unproven version.

10.    Encryption when linked to access control can be a powerful tool in separation of duties by controlling who or what process can see the data. This means users, in particular system administrators, can be prevented from reading the data but still allowed to manage it, for example to do backups.

We all want to be able to communicate securely and without interference. Encryption can help us to achieve this and should be considered a core part, if not the starting point of any data security strategy that organisations develop both for data at rest and in motion.

For both data security needs and for achieving regulatory compliance, encryption should be the baseline for any data security strategy.

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

PAM, IAM, Or Both?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Meta Will Contest EU $1.3B Data Privacy Fine
Artificial Intelligence To Replace 55,000 Telecom Jobs »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Skybox Security

Skybox Security

Skybox combines firewall and network device data with vulnerability and threat intelligence, putting security decisions in your unique network context.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

Fastpath Solutions

Fastpath Solutions

Fastpath deliver software solutions that enable you to take control of your security, compliance and risk management initiatives.

Menlo Security

Menlo Security

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email.

Deductive Labs

Deductive Labs

Deductive Labs consulting services help customers with their technology, security and automation challenges.

MailXaminer

MailXaminer

MailXaminer is an advance and powerful email investigation platform that scans digital data, performs analysis, reports on findings and preserves them in a court validated format.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

Pluribus One

Pluribus One

Pluribus One develops customized solutions and other data-driven applications to secure your business and your devices.

Beazley

Beazley

Beazley are a specialist insurer with three decades of experience in providing clients with the highest standards of underwriting and claims service worldwide.

Security Innovation Network (SINET)

Security Innovation Network (SINET)

SINET is dedicated to building a cohesive, worldwide Cybersecurity community with the goal of accelerating innovation through collaboration.

DMARC360

DMARC360

DMARC360 analyzes your email traffic patterns and sources, rapidly deploys email authentication protocols and monitors your email domains with automated recommendations and incident response.

Crosspoint Capital Partners

Crosspoint Capital Partners

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity and privacy sectors.

Curatrix Technologies

Curatrix Technologies

Curatrix Technologies is a Managed IT Service provider based in Hampshire, UK, providing high quality and reliable Managed IT Services since 2015.

Sentryc

Sentryc

Sentryc provides automated monitoring of brands on online marketplaces and social media making online brand protection processes faster, more clearly structured and more efficient.

Anura

Anura

The world’s most accurate ad fraud solution protects your web assets by eliminating bots, malware and human fraud, ensuring your content is seen by real people.

Secure Blink

Secure Blink

Secure Blink provides automated application and API security solutions that empower developers and security engineers to protect critical assets from exploitation.