Thales e-Security released its 2016 Encryption Application Trends Study which revealed that the number of companies using encryption jumped from 7 percent to 41 percent over the past year. Companies are finally getting on board with what we’ve known all along: encryption is a vital component of cybersecurity.
While factors like ease-of-use and highly publicized hacks have helped more companies move toward encryption, many that still aren’t sure why encryption keys matter. Read on to learn the basics of key encryption and how to effectively implement a program of your own.
Why Key Encryption?
Key encryption is used to protect all types of company data, from emails to HR data to customer information. Here’s how it works:
- Keys are created using an algorithm to generate a string of values.
- The key is applied to the chosen information and converts it into an unreadable cipher. This is called “encrypted data”.
- Anyone who receives this encrypted data needs the encryption key (in some cases, a unique one), to unscramble the data.
This is what makes encryption so critical to cyber security. Information is transferred through the internet or other networks and stored on databases. Encryption ensures that only the intended person (the one with the encryption key) can access the information.
Types of Key-Encryption Management
Considering the growing threat of hacking and cybercriminal activity, you should start encrypting your company’s data as soon as possible. There are a number of protocols companies can select from, so it helps start with the three main protocol categories, decide which sounds the most fitting for your organization, and then select more detailed protocols from there:
- Centralized Protocols: This means your organization has an established key-management protocol that is followed across your entire company. The company is responsible for enforcing this protocol, too.
- Decentralized: In this scenario, individuals are solely responsible for their own key management with no support from the company. This places both responsibility and trust on the individual employees.
- Distributed: Lastly, each department could have the option to establish their own key management protocol. Department heads would carry the responsibility in this case.
The goal for any company should be to implement a centralized key encryption protocol. This ensures every employee follows the same guidelines for key encryption. Tech support can readily address employee concerns or security issues, and companies will have an easier time generating and updating keys as employees come and go.
Creating Encryption Key-Management Protocol
Building an effective key management protocol means following a step-by-step process that lays out exactly what’s expected of your encryption keys and the employees that use them.
First, you need to purchase the right equipment for key generation and storage. Keys are generated using key servers, which are specialized computers that come with extra security features. Equipment must meet federal security requirements. You should also cluster key servers so you can easily add, remove, and fail-safe equipment as needed.
Choosing the Encryption Key Type
Next, you need to decide the type of encryption algorithm to use for creating keys. Encryption algorithms used today are:
- Hash Functions: Hash values are computed based on the plaintext (readable text before encryption) and serve as a digital fingerprint. While not an encryption key per se, hash functions ensure that a message hasn’t been altered by an intruder or virus.
- Symmetric-key Algorithms: These encryption algorithms use the same key to encrypt and decrypt information. Both parties share the same key and therefore have exclusive access, similar to how a couple has their own keys to their home.
- Asymmetric-key (Public Key) Algorithms: Encryption algorithms that use one key (typically the public key) to encrypt information and another (private) to decrypt. By encrypting data with the public key, only those with the private key can decrypt and view data.
Asymmetric keys are commonly used to encrypt data exchanges, such as online transactions. Symmetric keys are often used for encrypting bulk data.
With equipment in place, your company needs to establish policies that relate to the creation, management, and destruction of keys. Having policies for each of these circumstances reduces miscommunication and lowers the risk of key compromisation. Things to consider include:
Key Creation and Strength
Decide who can create encryption keys. Can employees create them for their own laptops, or should everything be handed through dedicated tech administrators? Another thing to consider is the length of the encryption key, which determines its strength. Today, 128-bit keys are considered strong enough to resist brute-force attacks (trial-and-error attempts to break the key). However, 256-bit is becoming more common as computing strength continues to increase.
Key Distribution and Access
It’s a best practice never to let your keys leave the hardware security module. This ensures all key creation and decryption is done in a secure environment. If employees do need to transfer keys, make sure they’re transferred over secure networks like your VPN.
Companies also need to establish the circumstances regarding sharing (i.e., escrow) encryption keys. Without a clear policy on sharing keys, employees may be giving theirs to others without knowing they’re doing anything wrong. This increases the risk of keys falling into the wrong hands.
How often should you switch out encryption keys? Once a month? Once a year? This may depend on internal discussions and the type of data being encrypted. Compliance standards often require companies to rotate keys at specific intervals. It’s also important to have policies in place for swapping out encryption keys for employees who leave the company.
Keys should always be backed up on other hardware key servers and escrowed with other users. Should keys be lost or forgotten, you essentially lose all of your encrypted data. Rather than have that data accessed by unwanted parties, the data can’t be accessed by anyone at all!
Choosing the Right Provider
Now that you understand the basics of implementing key encryption protocol, it’s time to get started at your own company. The right encryption key provider should be able to answer all questions related to the topics covered here. Where are keys stored? How are they generated, shared, and destroyed?
Encryption key management should be a top priority for every company. With the rise of cyber criminals and expanded computing power, your company’s data is more vulnerable than before. It needs all the protection it can get.