What is Data Encryption?

Data encryption is a means of protecting data from unauthorized access or use. Commerce, government, and individual internet users depend on strong security to enable communications. According to the Cybersecurity and Infrastructure Security Agency (CISA), the public safety community increasingly needs to protect critical information and sensitive data, particularly within land mobile radio (LMR) communications, and encryption is the best available tool to achieve that security.

The original Data Encryption Standard (DES) was developed in the early 1970s, after the US government recognized a need to secure and protect more sensitive data at a time when developing nations were increasingly keen to get their hands on this type of information.

Data encryption is meant both to protect critical information in transit and to give the user or sender of the data confidence that, if bad actors were to steal or exfiltrate that information, there is little likelihood they would actually be able to read or interpret it.

As Generative AI (GenAI) adoption becomes more widespread, and as bad actors learn to manipulate it, it will become imperative for those looking to protect proprietary data to become superior at leveraging GenAI. Those that do not adopt this technology to accelerate their encryption methodologies will inevitably become more attractive targets for data theft and encryption cracking.

How Does Data Encryption Work? 

Data encryption works primarily by using an identical, or symmetric, key to encrypt and decrypt a message, so both the sender and the receiver must know and use the same private key. In more technical terms, “plaintext” is converted into “ciphertext.”

According to the National Institute of Standards and Technology (NIST), the plaintext, after being transformed into ciphertext, appears random and does not reveal anything about the content of the original data. Once encrypted, no person (or machine) without the key can discern anything about the content of the original data by reading its encrypted form.

Decryption is the process of reversing encryption so that the data is readable again. The same symmetric key must be present for both the encryption and the decryption process. Encryption isn’t just for data moving in and out of different environments and clouds, however; it applies to data in two states:

  • Data in transit: This can include data moving between two endpoints, onto and off of a cloud environment, between multiple destinations on an internal network, and much more. 
  • Data at rest: Examples include data held on storage devices like hard drives, flash drives, and other endpoints on which sensitive data might be stored "at rest."

If data is encrypted and a threat actor is not in possession of the key, then the data – even though it was technically stolen – is considered useless. Data loss prevention (DLP) techniques and tools can actually search for unencrypted data on a network so that internal personnel can quickly encrypt it. This way, if exfiltrated, the data will be of no use to those looking to leverage it.

Types of Data Encryption

As noted above, a symmetric key is only one way to control who can decode encrypted data. Let's take a deeper look at that method as well as another:

Symmetric Encryption

This type of encryption uses the same key at the encryption stage and the decryption stage. That gives it an inherent weakness: if a threat actor were to identify or steal the key, particularly without the original user's knowledge, that key could be used to decrypt the information and could potentially be leveraged for other attacks.

Asymmetric Encryption

This type of encryption addresses the issue stated above by employing two kinds of keys: one “public” and one “private.” The sender encrypts the data with the receiver's public key, while the receiver must be in possession of the matching private key in order to perform decryption.

Asymmetric encryption is obviously a more complex scenario to deploy; however, it’s critical to remember why encryption is being used in the first place: to maintain data security and confidentiality as information moves around both inside and outside a security organization or business. In today’s climate, encryption is used frequently in many applications.
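An added Go example (not from the original article) of the asymmetric case with RSA-OAEP from the standard library: the sender needs only the receiver's public key, and only the matching private key can decrypt. It also checks the one-shot size limit of RSA-OAEP, which is why in practice a symmetric data key is wrapped this way rather than the data itself. The 2048-bit key size and the sample message are constructed demo values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair runs on the receiver's side; only the PublicKey half is
// handed to senders. 2048 bits is the constructed demo size.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// MaxMessageLen is the most RSA-OAEP with SHA-256 can encrypt under pub in
// one operation: modulus size minus twice the hash length minus 2 bytes.
func MaxMessageLen(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Seal is the sender's step: it needs nothing secret, only the public key.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	if limit := MaxMessageLen(pub); len(msg) > limit {
		return nil, fmt.Errorf("message is %d bytes, over the RSA-OAEP limit of %d", len(msg), limit)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open is the receiver's step: only the matching private key reverses Seal;
// the public key itself, or any other party's private key, cannot.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	receiver, _ := GenerateKeyPair()
	stranger, _ := GenerateKeyPair() // a party that never received the private key
	ct, _ := Seal(&receiver.PublicKey, []byte("constructed sample message"))
	pt, _ := Open(receiver, ct)
	_, err := Open(stranger, ct)
	fmt.Printf("receiver reads %q; stranger fails: %v\n", pt, err != nil)
}
```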

Data Encryption Standards

There are several formats – or standards – of data encryption. It’s important to implement a standard that makes the most sense for a specific organization and its workflows.

  • Data encryption standard (DES): This standard specifies an encryption algorithm to be implemented in electronic hardware devices and used for the protection of computer data. 
  • Triple data encryption algorithm (3DES): This standard is an advancement of the DES standard and uses three independent 64-bit keys. By applying the DES algorithm three times in sequence with three different keys, 3DES effectively enlarges the key size of DES. 
  • Advanced encryption standard (AES): This standard is a symmetric-key block cipher algorithm for secure encryption and decryption of classified information, and is built on a Substitution Permutation Network (SPN).
  • Rivest-Shamir-Adleman (RSA): This standard is named for the initials of the inventors of the system. The algorithm involves four steps: encryption, decryption, key distribution and key generation. It is widely considered the most well-known cryptography system in the world. 
  • Twofish encryption: This standard uses a symmetric key that can be as long as 256 bits, so data is encrypted and decrypted with the same key. Because of its large key size, it is considered extremely secure and difficult to break.
  • RC4 encryption: This standard is a “stream” cipher, meaning it processes data one byte at a time. It is considered one of the weaker encryption standards, particularly after notable vulnerabilities were discovered earlier in the 2000s.

In-Transit vs. At-Rest Encryption

We defined data at rest and in transit above, but how do the specific encryption protocols function for data in these different states?

Data Encryption in Transit

Once a connection has been established and data is ready to be transmitted, it's critical to keep the data away from prying eyes and as secure as possible while it is moving. According to Google Cloud documentation, encryption in transit defends data after a connection is established and authenticated by: 

  • Removing the need to trust the lower layers of the network which are commonly provided by third parties
  • Reducing the potential attack surface
  • Preventing attackers from accessing data if communications are intercepted

Data Encryption at Rest

Data at rest refers to data stored on some sort of medium, such as a laptop, cloud storage, USB drives, and so on. Any data sent to a cloud service should be encrypted while it is simply “sitting” in the cloud environment, as it is inherently at greater risk in an ephemeral environment that is, in theory, open to the public internet.

Encrypting at-rest data as a best practice protects it from potential system compromises or exfiltration by ensuring it is unreadable while not in use. This could also refer to archived data that has been deemed no longer useful.

Challenges of Data Encryption

Encryption has come a long way since its twentieth-century roots, and much of it can now be automated. But as Generative AI (GenAI) becomes a popular tool for threat actors – and as they make gains in the ability to brute-force their way past encryption protocols – it becomes clear there are challenges new and old to overcome.

According to CISA, vulnerabilities in key transmission procedures are a critical challenge. The agency stipulates that it’s good practice to disable Wi-Fi capabilities while encryption-key transmission is taking place. It goes on to say that a transmission destination that "has its Wi-Fi capabilities disabled is referred to as hardened." Hardening ensures there is no inadvertent “leaking” of the encryption keys onto a wireless network where unauthorized personnel could access them.

Another challenge facing anyone looking to encrypt sensitive data could be a lack of WEP/WPA access-point encryption. A weak encryption mechanism can allow an attacker to brute-force their way into a network and begin man-in-the-middle attacks. The stronger the encryption implementation, the safer.

Another major challenge of data encryption is the inherent trust placed in a cloud service provider (CSP). Typically, a CSP will maintain control over keys, so an organization will never retain 100% control of the encryption process.

Trusting a CSP’s employees, and most likely any partners they may be leveraging, who exert control over the encryption process will always carry some liability for the company using the CSP’s services and trusting its data encryption processes. This is why the shared responsibility model is so critical to safeguarding an organization's data.

Benefits of Data Encryption

Benefits of data encryption may seem obvious, but let's take a more in-depth look at ways businesses might benefit from adopting a strong encryption strategy. 

  • Ensuring data unreadability: As noted above, if stolen data has been strongly encrypted, there is a strong chance it will never be readable or able to be nefariously leveraged.
  • Staying compliant: Adhering to local and national regulatory standards is critical, with encryption and key management (EKM) an important part of guidance from bodies like the Cloud Security Alliance.
  • Creating a proactive culture: Encrypting data is a proactive tool that can usually be automated on the front end as a layer of protection from bad actors. Doing it consistently helps to foster a culture of proactive security that will ultimately benefit everyone.
  • Enabling hiring of remote workers: Encryption can greatly mitigate security concerns with regard to large amounts of sensitive or proprietary data going to and from the cloud – which is exactly the kind of situation a remote worker leverages to do their job.

Read More 

Data Protection: Latest Rapid7 Blog Posts