Data encryption is an important topic and everyone should have a basic understanding of why it is important and how data encryption is used.

Data encryption is the process of encoding the data into a non-readable format so only the intended recipient can decode the data. This process of encoding is done by the sender and recipient agreeing upon a shared secret (or cipher). There are two important aspects to data encryption: data in transit AND data at rest.

Data in transit is how the data is received over the network, e.g., how you send financial information to your bank website. Data at rest is when the data is stored, e.g., the bank storing the data in their database.

Most of the information available on data encryption typically focuses on data at rest, i.e., how the data is secured once it has reached an application. However, it is just as important to secure the data in transit to the application.

Data in Transit

The overwhelming majority of Websites use HTTPS to encode the data from the browser to the Web Server. See my previous blog on HTTPS: HTTP and HTTPS

Custom applications may use different methods of encrypting the data from the client to the server. There is a vast array of technologies and methods to satisfy a given application.

Without securing data in transit, the data is vulnerable to network attacks. Unencrypted data can be “sniffed” on the network and stolen.

Data at Rest

Data at rest refers to how the data is stored once it has reached the application. Data storage could be in the form of files on a filesystem, object store, database, backups, etc.

Just like “Data in Transit”, there are many methods and techniques for applications, depending on the sensitivity of the data and the underlying storage type. Furthermore, in some regulated industries, like finance and healthcare, the data has a limited lifetime. Once the data has reached the maximum age, it needs to be purged.

To secure data, application providers must make sure their encryption is up to industry standards. Furthermore, they must make sure that only the necessary data is kept and all copies of that data are monitored.

Data Security is more than Data Encryption

As a Security Engineer, when I ask the question about data security, I sometimes get the response, “We’re good, it’s encrypted”.

Data encryption is an important component of Data Security, but they are not equivalent. Data security is a set of processes and controls above data encryption to ensure the overall system is secure.

An example control is ensuring only authorized users have access to sensitive data and any access is logged.
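The control described above, together with the purge-at-maximum-age requirement from the Data at Rest section, as an added example that is not from the original post. The class name, user names, keys and retention value are constructed for illustration, and the stored bytes are assumed to be already encrypted at rest.

```python
import time
from dataclasses import dataclass, field

@dataclass
class SensitiveStore:
    max_age_seconds: float                          # retention limit (constructed value)
    authorized: set = field(default_factory=set)    # users allowed to read
    records: dict = field(default_factory=dict)     # key -> (ciphertext, created_at)
    audit_log: list = field(default_factory=list)   # one entry per access attempt

    def put(self, key, ciphertext, now=None):
        self.records[key] = (ciphertext, time.time() if now is None else now)

    def _audit(self, user, action, key, outcome, now):
        self.audit_log.append({"ts": now, "user": user, "action": action,
                               "key": key, "outcome": outcome})

    def read(self, user, key, now=None):
        now = time.time() if now is None else now
        # Authorization is checked first so an unauthorized user cannot
        # learn whether a record exists. Denied attempts are logged too.
        if user not in self.authorized:
            self._audit(user, "read", key, "denied", now)
            raise PermissionError(f"{user} may not read {key}")
        record = self.records.get(key)
        # A record past its maximum age is treated as gone even before purge runs.
        if record is None or now - record[1] > self.max_age_seconds:
            self._audit(user, "read", key, "not_found", now)
            raise KeyError(key)
        self._audit(user, "read", key, "allowed", now)
        return record[0]

    def purge_expired(self, now=None):
        now = time.time() if now is None else now
        expired = [k for k, (_, created) in self.records.items()
                   if now - created > self.max_age_seconds]
        for key in expired:
            del self.records[key]
            self._audit("system", "purge", key, "deleted", now)
        return expired

def demo():
    store = SensitiveStore(max_age_seconds=100, authorized={"alice"})
    store.put("acct-1", b"<ciphertext>", now=0)    # constructed sample records
    store.put("acct-2", b"<ciphertext>", now=90)
    data = store.read("alice", "acct-1", now=10)
    try:
        store.read("mallory", "acct-1", now=20)
    except PermissionError:
        pass
    purged = store.purge_expired(now=150)
    return data, purged, [(e["user"], e["action"], e["outcome"]) for e in store.audit_log]
```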

Summary

All of us have used a provider which has been breached or has exposed our data. As consumers, it is important to have an overview of how data should be transmitted and stored so we can ask the appropriate questions.

For those of us producing applications, it is important to ensure that we consider all the steps in the data lifecycle.

