Given the ever-evolving threat landscape due to the increase in the use of Internet-of-Things (IoT) enabled devices, bring your own devices (BYOD) and the normalization of work-from-home scenarios, organizations are increasing their data governance efforts, which includes ensuring data integrity, security, availability, and consistency.
Developing an encryption program is an important step for any enterprise risk management and data governance strategy. As part of the data governance strategy, organizations use encryption to maintain data privacy. Encryption is also used to authenticate users and machine identities before granting access to sensitive data and other digital assets. This critical function elevates the role of machine identities and makes them a valuable tool used by individuals and organizations to communicate privately and to secure sensitive data transmitted over the internet.
Encryption converts plaintext data to an unintelligible form called ciphertext. When data is decrypted, the ciphertext is converted back to plaintext. Encrypting data prevents unauthorized individuals from viewing sensitive information that is transmitted over the Internet. While encryption can be a valuable tool used to protect against cyberattacks and breaches, it is virtually useless if it’s not properly implemented. As the number of machines that organizations rely on grows, the threat landscape expands due to new risks related to authentication of machine identities. To be effective, it must be expertly implemented and managed.
There are two types of encryption algorithms: symmetric and asymmetric. Both algorithms have important use cases, but asymmetric encryption offers less risk because instead of using the same key to encrypt and decrypt a message, two keys are generated (a public and a private or secret key). Only the person with the private key will be able to decrypt the message. These keys can be used by people (users) or devices (machines).
Many organizations use Public Key Infrastructure (PKI) to manage encryption. PKI, which consists of a framework that includes technology and processes, is known for managing digital certificates which serves as a digital passport for user and machine identities. In short, the certificates facilitate verification of private key owners and authentication of machine identities.
One of the most important considerations for an encryption program is key management. Organizations must inventory and centrally manage their keys for encryption to be effective and to protect against threats posed by unmanaged keys. In addition, security best practices require automation of key management. Failing to follow key and certificate lifecycle management best practices such as properly inventorying keys, automatically deactivating expired certificates and automatically revoking compromised certificates will eventually result in a cybercriminal exploiting these vulnerabilities.
Securing keys requires a key management solution that provides strong governance throughout the key lifecycle, which includes initiation, distribution, activation, deactivation and termination. To effectively manage encryption keys and certificates, the organization must do so through the use of policies, guidelines and standards. The organization’s security policy should provide clear requirements for key management (e.g., authentication, access control, auditing, etc.), and consequences for noncompliance.
Organizations that build a strong security culture, fostered by security best practices and consistent training and awareness, demonstrate their desire to have a mature cybersecurity program. A similar culture must be adopted with respect to encryption. In the workplace, the best way to build a strong culture around encryption use is to make things simple by adopting a solution that automates encryption use, instead of leaving it up to employees to remember to encrypt their emails before pushing send. This will mitigate risks associated with human error.
Building a culture around encryption requires stakeholders to align their thoughts, practices, strategies and budgets around encryption policies (e.g., encrypt all data) and automated key management. As with all security related initiatives, the organization must drive the appropriate awareness and training to accomplish their security goals. What is appropriate will depend on the security posture and desired maturity of the organization. Instead of investing in a one-size-fits-all approach, organizations should invest the time and resources into baselining current encryption program practices, including key and certificate lifecycle management. After identifying the baseline from which the organization will need to work to improve the program, consideration should be given to creating enterprise-wide visibility into the encryption program through the creation of a Center of Excellence (CoE) focused on driving accountability and compliance, as well as raising awareness of encryption management best practices.
In the event of a breach, properly encrypted data will be useless to cybercriminals. This makes encryption a very powerful tool for securing corporate assets. To realize the full power of encryption, a mature organization will not only properly implement encryption, they will go a step further and manage the encryption keys and certificates using an automated solution, such as Venafi’s Trust Protection Platform, paired with strong governance that includes best practices, policies, standards and awareness and training activities that complement the capabilities of the automated solution.
To learn more how Venafi Trust Protection Platform can supplement your data governance program, contact our experts.