What is data encryption?
Data encryption is a means of protecting data from unauthorized access or use. Commerce, government, and individual internet users depend on strong security to enable communications. According to the Cybersecurity Infrastructure and Security Agency (CISA), the public safety community increasingly needs to protect critical information and sensitive data, particularly within land mobile radio (LMR) communications, and encryption is the best available tool to achieve that security.
A brief history of data encryption
The original Data Encryption Standard (DES) was developed in the early 1970s. It emerged because the US government recognized a need to secure and protect more sensitive data at a time when developing nations were increasingly keen to get hold of that kind of information.
Data encryption is meant both to protect critical information in transit and to give the user or sender of the data confidence that, if bad actors were to steal or exfiltrate that information, they would be unlikely to actually read or interpret it.
As Generative AI (GenAI) adoption becomes more widespread, and more easily manipulated by bad actors, it will become imperative for those looking to protect proprietary data to become better at leveraging GenAI themselves. Those that do not adopt this technology to accelerate their encryption methodologies will inevitably become more attractive targets for data theft and encryption cracking.
How data encryption works
Data encryption works, primarily, by using the same, or symmetric, key to encrypt and decrypt a message, so the sender and receiver must both know and use that identical private key. In more technical terms, “plaintext” is converted into “ciphertext.”
According to the National Institute of Standards and Technology (NIST), the plaintext, after being transformed into ciphertext, appears random and does not reveal anything about the content of the original data. Once encrypted, no person (or machine) can discern anything about the content of the original data by reading its encrypted form.
Decryption is the process of reversing encryption so that the data is readable again. The symmetric key must be present for both the encryption and the decryption process. Encryption isn’t just for data moving in and out of different environments and clouds, however; it applies to data in two states:
- Data in transit: This can include data moving between two endpoints, onto and off of a cloud environment, between multiple destinations on an internal network, and much more.
- Data at rest: This is data stored on media such as hard drives, flash drives, and other endpoints where sensitive data may sit "at rest."
If data is encrypted and a threat actor does not possess the key, then the data, even though it was technically stolen, is considered useless to them. Data loss prevention (DLP) tools can search for unencrypted data on a network so that internal personnel can quickly encrypt it. This way, if exfiltrated, the data will be of no use to those looking to leverage it.
Types of data encryption
As noted above, a symmetric key is only one way to protect data and control who can decode it. Let's take a deeper look at that method as well as another:
Symmetric encryption
This type of encryption uses the same key at the encryption stage and the decryption stage. That gives it an inherent vulnerability: if a threat actor identifies or steals the key, particularly without the original user's knowledge, that key can be used to decrypt the information and could potentially be leveraged for other attacks.
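The plaintext-to-ciphertext conversion and the symmetric-key model described above, as an added example in Go using only the standard library (this is not code from the original article; the function names NewKey, Encrypt and Decrypt and the sample message are my own, constructed for this illustration). AES-256-GCM is used because it also authenticates the ciphertext, so a wrong key or a modified blob produces an error rather than silently decrypting to garbage, which is the property the article's "useless to the thief" claim relies on:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the operating system's CSPRNG.
// Sender and receiver must both hold exactly this key; the encrypted blob
// carries everything else the receiver needs, but never the key itself.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt converts plaintext into ciphertext with AES-256-GCM.
// Output layout: nonce || ciphertext || authentication tag. The nonce is random
// per call, so encrypting the same plaintext twice yields different blobs.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or a blob that was modified in
// transit, GCM's tag check fails and an error is returned instead of garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// LeaksPlaintext reports whether the plaintext appears verbatim inside the blob,
// something a sound cipher must never allow.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return len(plaintext) > 0 && bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	msg := []byte("constructed sample: transfer 4711 approved") // constructed input
	blob, _ := Encrypt(key, msg)
	fmt.Printf("ciphertext (%d bytes) reveals plaintext: %v\n", len(blob), LeaksPlaintext(blob, msg))

	pt, err := Decrypt(key, blob)
	fmt.Printf("right key: %q, err=%v\n", pt, err)

	other, _ := NewKey()
	_, err = Decrypt(other, blob)
	fmt.Printf("wrong key rejected: %v\n", err != nil)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Note that the blob is 28 bytes longer than the message (12-byte nonce plus 16-byte tag) and contains no trace of the plaintext; the only secret shared between the two parties is the 32-byte key, which is exactly why protecting that key is the whole problem with symmetric encryption.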
Asymmetric encryption
This type of encryption addresses the issue stated above by employing two types of keys: one “public” and one “private.” The sender encrypts the data with the receiver's public key, while the receiver must possess the matching private key in order to decrypt it.
Asymmetric encryption is clearly more complex to use; however, it’s critical to remember why encryption is being used in the first place: to maintain data security and confidentiality as information moves both inside and outside of a security organization or business. In today’s climate, encryption is used frequently in many applications.
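The public/private split described above, as an added example in Go (standard library only; not code from the original article). In practice asymmetric encryption is rarely applied to the data itself: the common pattern is to wrap a random symmetric data key under the receiver's public key, so that only the private-key holder can recover it. The function names, the OAEP label string and the "receiver"/"stranger" roles are constructed for this illustration:

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// oaepLabel ties a wrapped blob to its purpose; both sides must use the same one.
// The value is constructed for this example, not taken from any standard.
var oaepLabel = []byte("data-key-v1")

// GenerateReceiverKeys creates the receiver's RSA key pair. The public half can
// be published freely; only the private half has to be kept secret.
func GenerateReceiverKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewDataKey draws the random 256-bit symmetric key that will protect the bulk
// data. Asymmetric encryption is used only to deliver this key, not the data.
func NewDataKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapKey encrypts the data key under the receiver's public key (RSA-OAEP with
// SHA-256). Anyone can do this; the result is useless without the private key.
func WrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
}

// UnwrapKey recovers the data key. Only the holder of the matching private key
// succeeds; any other key makes OAEP's padding check fail.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

func main() {
	receiver, _ := GenerateReceiverKeys()
	dataKey, _ := NewDataKey()

	wrapped, _ := WrapKey(&receiver.PublicKey, dataKey) // sender side: public key only
	fmt.Printf("wrapped key: %d bytes, equals data key: %v\n", len(wrapped), bytes.Equal(wrapped, dataKey))

	got, err := UnwrapKey(receiver, wrapped) // receiver side: private key
	fmt.Printf("receiver recovers data key: %v (err=%v)\n", bytes.Equal(got, dataKey), err)

	stranger, _ := GenerateReceiverKeys()
	_, err = UnwrapKey(stranger, wrapped)
	fmt.Printf("unrelated private key rejected: %v\n", err != nil)
}
```

The wrapped key is 256 bytes (the RSA-2048 modulus size) and can travel over an untrusted channel; the symmetric key is never transmitted in the clear, which is the problem with symmetric-only schemes that the article raises.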
Data encryption standards
There are several formats – or standards – of data encryption. It’s important to implement a standard that makes the most sense for a specific organization and its workflows.
- Data encryption standard (DES): This standard specifies an encryption algorithm to be implemented in electronic hardware devices and used for the protection of computer data.
- Triple data encryption algorithm (3DES): This standard is an advancement of DES that uses three independent 64-bit keys. By applying the DES algorithm three times in sequence with three different keys, 3DES effectively increases the key size of DES.
- Advanced encryption standard (AES): This standard is a symmetric-key block cipher algorithm for secure and classified information encryption and decryption, built on a Substitution Permutation Network (SPN).
- Rivest-Shamir-Adleman (RSA): This standard is named after the initials of its inventors. Four steps are incorporated in this algorithm: encryption, decryption, key distribution and key generation. The standard is widely considered the best-known cryptography system in the world.
- Twofish encryption: This standard uses a large key size, employing a symmetric key that can be as long as 256 bits. Since it is symmetric, data is encrypted and decrypted with the same key. But, due to its large key size, it is considered extremely secure and difficult to break.
- RC4 encryption: This standard is a “stream” cipher, meaning it encrypts data one byte at a time. It is considered one of the weaker encryption standards, particularly after notable vulnerabilities were discovered earlier in the 2000s.
Encryption for data in transit and at rest
We defined data at rest and in transit above, but how do the specific encryption protocols function for data in these different states?
Encryption in transit
Once a connection has been established and data is ready to be transmitted, it's critical to keep the data away from prying eyes and as secure as possible while it is moving. According to Google Cloud documentation, encryption in transit defends data after a connection is established and authenticated by:
- Removing the need to trust the lower layers of the network which are commonly provided by third parties
- Reducing the potential attack surface
- Preventing attackers from accessing data if communications are intercepted
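The three properties listed above, as an added example in Go (standard library only; not code from the article or from the Google Cloud documentation it cites). A TLS echo server and client run in one process over the loopback interface, which plays the part of the untrusted network: the client authenticates the server against a trust pool before a single application byte is sent, and a client that trusts nobody cannot get past the handshake. The host name example.test, the Result type and the Exchange function are constructed for this illustration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// ServerName is a hypothetical host name used for the example certificate.
const ServerName = "example.test"
// newSelfSignedCert builds a throwaway server certificate and a trust pool holding
// only that certificate, standing in for the CA a real client would trust.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{ServerName}, // the client checks the name against SANs
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}
// Result summarises one protected request/response exchange.
type Result struct {
	Response string
	Version  uint16 // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
	Verified bool   // the client validated the server's certificate chain
}
// Exchange sends request to an in-process TLS echo server on the loopback interface
// and returns the reply. With trustServer=false the client gets an empty trust pool,
// so the handshake must fail before any application data moves.
func Exchange(request []byte, trustServer bool) (Result, error) {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		return Result{}, err
	}
	if !trustServer {
		pool = x509.NewCertPool()
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: ServerName, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // server side: the handshake runs inside the first Read, before any byte is exposed
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			n, buf := 0, make([]byte, 1024)
			if n, err = conn.Read(buf); err == nil {
				_, err = conn.Write(append([]byte("echo: "), buf[:n]...))
			}
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // handshake and certificate check
	if err != nil {
		return Result{}, fmt.Errorf("handshake failed: %w", err)
	}
	defer cli.Close()
	n, buf := 0, make([]byte, 1024)
	if _, err = cli.Write(request); err == nil {
		n, err = cli.Read(buf)
	}
	if err == nil {
		err = <-done
	}
	if err != nil {
		return Result{}, err
	}
	st := cli.ConnectionState()
	return Result{Response: string(buf[:n]), Version: st.Version, Verified: len(st.VerifiedChains) > 0}, nil
}

func main() {
	res, err := Exchange([]byte("hello"), true)
	fmt.Printf("trusted server: %+v err=%v\n", res, err)
}
```

Anything capturing the loopback traffic sees only the handshake and encrypted records, which is the "intercepted communications" case; the explicit MinVersion keeps TLS 1.0/1.1 out, which is the "attack surface" case; and the certificate check is what lets the client stop trusting the network underneath it.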
Encryption at rest
Data at rest refers to data stored on some sort of medium, such as a laptop, cloud storage, USB drives, and so on. Any data sent to a cloud service should be encrypted when it is simply “sitting” in the cloud environment, as it is inherently at greater risk being in an ephemeral environment that is theoretically open to the public internet.
Encrypting at-rest data as a best practice protects it from potential system compromise or exfiltration by ensuring it is unreadable while not in use. This also covers archived data that has been deemed no longer useful.
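The DLP search for unencrypted data mentioned earlier, applied to data at rest, as an added example in Go (standard library only; not code from the article or from any DLP product). It uses a byte-entropy heuristic: properly encrypted files are indistinguishable from random bytes and score close to 8 bits per byte, while text exports and similar plaintext score far lower. The threshold, the Verdict names, the file names and both sample files are constructed for this illustration:

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"sort"
	"strings"
)

// ShannonEntropy returns the entropy of the byte distribution in bits per byte.
// Uniformly random bytes, and therefore good ciphertext, approach 8.0; English
// text and structured exports usually sit between 4 and 5.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

const (
	// HighEntropyThreshold is the bits-per-byte level above which data is treated
	// as already encrypted. Compressed data also lands here, so the heuristic is a
	// triage signal rather than proof of encryption.
	HighEntropyThreshold = 7.5
	// MinSample is the smallest input for which the estimate means anything.
	MinSample = 256
)

// Verdict is the classifier's result for one file.
type Verdict string

const (
	LikelyPlaintext Verdict = "likely-plaintext"
	LikelyEncrypted Verdict = "likely-encrypted"
	TooSmall        Verdict = "too-small"
)

// Classify decides whether a file's contents still look readable.
func Classify(data []byte) Verdict {
	if len(data) < MinSample {
		return TooSmall
	}
	if ShannonEntropy(data) >= HighEntropyThreshold {
		return LikelyEncrypted
	}
	return LikelyPlaintext
}

// FindUnencrypted returns, sorted, the names of files that look like plaintext:
// the list a DLP workflow would hand to staff for encryption or removal.
func FindUnencrypted(files map[string][]byte) []string {
	var hits []string
	for name, data := range files {
		if Classify(data) == LikelyPlaintext {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// SamplePlaintext is a constructed stand-in for a forgotten customer export.
func SamplePlaintext() []byte {
	return []byte(strings.Repeat("id=1042; name=Jane Example; account=ACC-0001; note=constructed sample\n", 40))
}

// SampleEncryptedBlob is a constructed stand-in for a ciphertext file: random
// bytes, which is what a properly encrypted file is indistinguishable from.
func SampleEncryptedBlob() []byte {
	blob := make([]byte, 4096)
	if _, err := rand.Read(blob); err != nil {
		panic(err)
	}
	return blob
}

func main() {
	files := map[string][]byte{"export.csv": SamplePlaintext(), "backup.enc": SampleEncryptedBlob(), "note.txt": []byte("tiny")}
	for name, data := range files {
		fmt.Printf("%-11s entropy=%.2f verdict=%s\n", name, ShannonEntropy(data), Classify(data))
	}
	fmt.Println("needs encryption:", FindUnencrypted(files))
}
```

A real scanner would pair this with content matching (record formats, identifiers) because compressed archives score as high as ciphertext; the entropy check is cheap and catches the common case of a plaintext export left on a disk or in a bucket.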
Challenges of data encryption
While data encryption is one of the most effective tools for protecting sensitive information, it also comes with challenges—both technical and operational. As threats evolve and new technologies like generative AI (GenAI) emerge, security teams must continually adapt their encryption strategies.
GenAI and brute-force risks
Encryption has come a long way since its twentieth-century roots, and much of the process can now be automated. However, as GenAI becomes a more accessible tool for threat actors, the risks are also evolving. Malicious actors are now using AI to assist in brute-force decryption attempts or to probe for vulnerabilities in legacy encryption systems.
Organizations that fail to adopt modern encryption techniques—or fail to innovate with AI themselves—may become more attractive targets. Staying ahead requires regularly updating encryption protocols and leveraging AI defensively to improve encryption performance and cyber resilience—ultimately preserving data integrity by ensuring that information remains accurate and unaltered even if accessed during an attempted breach.
Key transmission vulnerabilities
One of the most critical weak points in any encryption process is the transmission of encryption keys. According to CISA, vulnerabilities in how keys are shared or distributed can lead to compromised encryption systems.
For example, the agency advises disabling Wi-Fi capabilities during key transmission to prevent inadvertent wireless leaks. A device or system that disables wireless communications during key exchange is referred to as “hardened.” Without this precaution, there’s a higher risk that encryption keys could be intercepted and exploited by attackers. Incorporating zero trust security principles—such as continuous verification and minimal access—can further reduce the chances of unauthorized key exposure.
Trust in cloud providers
In cloud environments, encryption introduces another challenge: control. Many organizations rely on cloud service providers (CSPs) to handle encryption and key management as part of their broader cloud security strategy. However, in many cases, the provider—not the customer—controls the encryption keys.
This creates a liability and trust issue. Organizations must not only trust their CSP’s encryption practices but also the behavior of any third-party partners involved in managing those systems. This is why the shared responsibility model is so important: while CSPs are responsible for infrastructure-level security, customers must ensure their data is encrypted, managed, and accessed appropriately. Strong encryption practices also support broader exposure management efforts by limiting the attack surface and reducing the impact of potential data compromise.
Benefits of data encryption
Benefits of data encryption may seem obvious, but let's take a more in-depth look at ways businesses might benefit from adopting a strong encryption strategy.
- Ensuring data unreadability: As noted above, if stolen data has been strongly encrypted, there is a strong chance it will never be readable or usable for malicious purposes.
- Staying compliant: Adhering to local and national regulatory standards is critical, with encryption and key management (EKM) an important part of guidance from bodies like the Cloud Security Alliance.
- Creating a proactive culture: Encrypting data is a proactive tool that can usually be automated on the front end as a layer of protection from bad actors. Doing it consistently helps to foster a culture of proactive security that will ultimately benefit everyone.
- Enabling the hiring of remote workers: Encryption can greatly mitigate security concerns around large amounts of sensitive or proprietary data moving to and from the cloud, which is exactly the situation a remote worker relies on to do their job.