Since cyberattacks have ramped up over the past few years, data encryption needs to keep pace. But what advancements should be considered for enterprise and small businesses, and how should cybersecurity experts be using them effectively?
According to a report by Cybersecurity Ventures, global cybercrime is predicted to cost businesses more than $6 trillion USD annually by 2021, a significant increase from the $3 trillion USD reported in 2015.
And yet, we still see reports like this one from Varonis: on average, a mere 5% of companies' folders are properly protected from data breaches.
Or how about this from Accenture: 68% of business leaders said they felt cybersecurity risks are increasing.
But then what are these business leaders doing about the rising threats?
There are certainly advancements in the works, and logical solutions that could already be put in place for these businesses; but if the decision makers don't know what they are supposed to consider for their cybersecurity defense practices, it's only a matter of time before more cyberattacks become a harsh reality.
We asked the tech experts to weigh in on what encryption advancements are already available and what business owners should be aware of.
The Honey Encryption Method
The encryption technology that I'm looking forward to in 2020 the most is the Honey Encryption method. Honey Encryption basically cons the hacker into thinking that they have successfully stolen the data whereas the data they stole is fake.
This can prove to be a game changer for cybersecurity models like VPNs, firewalls and enterprise level security solutions because the fake data would be indistinguishable from the real data and thus would ensure its safety.
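As an added illustration (not the expert's code or any vendor's product), the following Go program shows the mechanism behind honey encryption on a toy message space: 16-digit numbers that pass the Luhn checksum. The distribution-transforming encoder (DTE) maps every seed to a valid-looking number, so decrypting under a wrong password still produces a plausible decoy rather than garbage. The message space, the HMAC-derived pad, and all names (`Encode`, `Decode`, `Encrypt`, `Decrypt`) are assumptions made for this example; a real scheme would also use a slow password hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
)

// seedSpace is the number of seeds the DTE covers: each 15-digit prefix maps to
// exactly one Luhn-valid 16-digit number (constructed toy message space).
const seedSpace = 1_000_000_000_000_000 // 10^15

// luhnCheckDigit returns the digit that makes prefix+digit pass the Luhn check.
func luhnCheckDigit(prefix string) int {
	sum := 0
	double := true // the rightmost prefix digit sits next to the check digit, so it is doubled
	for i := len(prefix) - 1; i >= 0; i-- {
		d := int(prefix[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return (10 - sum%10) % 10
}

// LuhnValid reports whether a digit string passes the Luhn checksum.
func LuhnValid(s string) bool {
	if len(s) < 2 {
		return false
	}
	return luhnCheckDigit(s[:len(s)-1]) == int(s[len(s)-1]-'0')
}

// Encode is the DTE: a uniform seed becomes a plausible message.
func Encode(seed uint64) string {
	prefix := fmt.Sprintf("%015d", seed%seedSpace)
	return prefix + strconv.Itoa(luhnCheckDigit(prefix))
}

// Decode inverts Encode; only messages inside the DTE's range are accepted.
func Decode(msg string) (uint64, error) {
	if len(msg) != 16 || !LuhnValid(msg) {
		return 0, fmt.Errorf("not a message in the DTE's range: %q", msg)
	}
	return strconv.ParseUint(msg[:15], 10, 64)
}

// pad derives a mask in [0, seedSpace) from the password (HMAC for brevity;
// a deployed scheme would use a memory-hard password hash).
func pad(password string) uint64 {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write([]byte("honey-demo"))
	return binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % seedSpace
}

// Encrypt maps the message to its seed and masks the seed with the password pad.
func Encrypt(password, msg string) (uint64, error) {
	seed, err := Decode(msg)
	if err != nil {
		return 0, err
	}
	return (seed + pad(password)) % seedSpace, nil
}

// Decrypt unmasks and re-encodes. A wrong password yields a different but
// still Luhn-valid number, so a brute-force attempt gets no signal of failure.
func Decrypt(password string, ct uint64) string {
	seed := (ct + seedSpace - pad(password)) % seedSpace
	return Encode(seed)
}

func main() {
	ct, _ := Encrypt("correct horse", "4111111111111111")
	fmt.Println("right password:", Decrypt("correct horse", ct))
	for _, guess := range []string{"password", "123456", "letmein"} {
		decoy := Decrypt(guess, ct)
		fmt.Printf("wrong guess %q -> %s (Luhn-valid: %v)\n", guess, decoy, LuhnValid(decoy))
	}
}
```

The point to take from the demonstration is that the security comes from the DTE covering the whole space of plausible messages: if the decoys could be told apart from real data (for example, if they failed a checksum), the attacker would regain the signal that ordinary encryption leaks when a wrong key produces garbage.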
Data Loss Protection
Data loss protection (DLP) has advanced much in the last 10 years and is now pretty commonplace for most endpoint protection services. Most people do not enable it, and that is where the problem is. Ransomware is evolving and advancing; it is no longer just holding your data hostage but actually releasing the data to the public, causing secondary issues such as compliance and regulatory violations and public embarrassment.
You can restore data quickly through any means of backup and negate a ransomware infestation, but once they have your data there is only one thing you can do. That is where DLP comes in. With data loss protection, the data is encrypted at rest by default, and even when transmitted the data is encrypted. Therefore, if a hacker penetrates your network, it doesn't matter, because the data is useless if taken off net.
Encryption is not a thing that should be taken for granted and considered future proof. As generic as it sounds, following best practices and keeping up to date is the most important aspect of keeping ourselves safe. Most of the encryption algorithms we use right now require too much computing power to crack, but that will change with quantum computing — hence, the Infosecurity community’s hype about quantum-resistant encryption. And we have to be prepared.
Keeping track of standards like the Advanced Encryption Standard (AES) and having flexible environments ready to switch between ciphers are good practices, regardless of what sort of encryption you're going to use. Strong, even forced, policies need to be in place to keep accidents to a bare minimum.
End-to-End Encryption (E2EE)
Encryption must be future-proof, meaning that ciphers and key lengths must be monitored to ensure they haven’t become obsolete. A key length does not necessarily need to be as long as possible, but it does need to be long enough to be secure for the foreseeable future.
It is essential that encryption keys are only controlled by individuals with a need to access data — and that those encryption keys are stored and shared securely. This is the biggest growing trend in cybersecurity; commonly referred to as end-to-end encryption (E2EE) because only end users have access to unencrypted data.
When data is stored in the cloud or can be accessed remotely, E2EE is vital so that data always remains encrypted while in transit and is only ever seen in an unencrypted state by end-users in command of the decryption key.
Newly emerging forms of encryption include Homomorphic encryption, which allows data to remain in an encrypted format even when it is accessed and processed. By storing and processing data in an encrypted format, the potential for attack is greatly reduced.
Physical-based security, hardware-based full disk encryption, data segregation, and air-gapping are also increasingly seen as pragmatic ways to ensure that encrypted data is accessible by key assets on location only.
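To make the homomorphic-encryption idea above concrete, here is an added Go implementation of the Paillier cryptosystem, which is additively homomorphic: anyone holding the public key can add two ciphertexts (or multiply one by a constant) and obtain an encryption of the result, without ever seeing the plaintexts. This is example code written for this page, not the expert's or any library's; the key size in `main` is a toy size chosen for speed, and type and function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// PublicKey is enough to encrypt and to compute on ciphertexts.
type PublicKey struct {
	N, N2 *big.Int // n = p*q and n^2; the generator g = n+1 is implicit
}

// PrivateKey is the only thing that can decrypt.
type PrivateKey struct {
	PublicKey
	lambda, mu *big.Int
}

// l is Paillier's L function, L(x) = (x - 1) / n, an exact division here.
func l(x, n *big.Int) *big.Int {
	return new(big.Int).Div(new(big.Int).Sub(x, big.NewInt(1)), n)
}

// GenerateKey builds a bits-long Paillier key. Real deployments need >= 2048 bits.
func GenerateKey(bits int) (*PrivateKey, error) {
	one := big.NewInt(1)
	for {
		p, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		q, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			return nil, err
		}
		if p.Cmp(q) == 0 {
			continue
		}
		n := new(big.Int).Mul(p, q)
		pm1 := new(big.Int).Sub(p, one)
		qm1 := new(big.Int).Sub(q, one)
		lambda := new(big.Int).Mul(pm1, qm1)
		lambda.Div(lambda, new(big.Int).GCD(nil, nil, pm1, qm1)) // lcm(p-1, q-1)
		// With g = n+1, L(g^lambda mod n^2) = lambda mod n, so mu = lambda^-1 mod n.
		mu := new(big.Int).ModInverse(lambda, n)
		if mu == nil {
			continue // gcd(lambda, n) != 1: astronomically rare, just retry
		}
		return &PrivateKey{PublicKey{n, new(big.Int).Mul(n, n)}, lambda, mu}, nil
	}
}

// Encrypt computes c = (1+n)^m * r^n mod n^2 with fresh randomness r.
func (pk *PublicKey) Encrypt(m *big.Int) (*big.Int, error) {
	if m.Sign() < 0 || m.Cmp(pk.N) >= 0 {
		return nil, errors.New("message out of range [0, n)")
	}
	r, err := rand.Int(rand.Reader, pk.N)
	if err != nil {
		return nil, err
	}
	if r.Sign() == 0 {
		r.SetInt64(1)
	}
	g := new(big.Int).Add(pk.N, big.NewInt(1))
	c := new(big.Int).Exp(g, m, pk.N2)
	c.Mul(c, new(big.Int).Exp(r, pk.N, pk.N2))
	return c.Mod(c, pk.N2), nil
}

// Add returns an encryption of m1 + m2 computed purely on ciphertexts.
func (pk *PublicKey) Add(c1, c2 *big.Int) *big.Int {
	prod := new(big.Int).Mul(c1, c2)
	return prod.Mod(prod, pk.N2)
}

// MulConst returns an encryption of k * m from an encryption of m.
func (pk *PublicKey) MulConst(c, k *big.Int) *big.Int {
	return new(big.Int).Exp(c, k, pk.N2)
}

// Decrypt recovers m = L(c^lambda mod n^2) * mu mod n.
func (sk *PrivateKey) Decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, sk.lambda, sk.N2)
	m := l(u, sk.N)
	m.Mul(m, sk.mu)
	return m.Mod(m, sk.N)
}

func main() {
	sk, _ := GenerateKey(512) // toy size for a quick demo
	c1, _ := sk.Encrypt(big.NewInt(15))
	c2, _ := sk.Encrypt(big.NewInt(27))
	sum := sk.Add(c1, c2) // a server holding only the public key can do this
	fmt.Println("decrypted sum:", sk.Decrypt(sum))
}
```

The party doing the arithmetic (a cloud service, say) never needs the private key, which is exactly the separation the expert describes: data stays encrypted while it is processed, and only the key holder learns the result. Paillier handles addition and scalar multiplication only; the fully homomorphic schemes mentioned elsewhere on this page extend this to arbitrary computation at a much higher cost.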
Transport Layer Security, Lightweight Cryptography and More
Data encryption technologies have made significant progress during the past few years in addressing the increasing cyberattacks and data breaches. The top data encryption advancements include the fourth generation of the TLS protocol, Transport Layer Security version 1.3 (TLS 1.3), password-free logins, standardization of post-quantum cryptography, lightweight cryptography, threshold cryptography, homomorphic encryption and zero-knowledge proof.
Cybersecurity experts should have a deep understanding of new data encryption techniques and follow the best practices suggested by the standardization bodies when integrating these technologies into systems.
Focus On the Basics
There are many advancements in data encryption with technologies like secure multiparty computation (MPC), fully homomorphic encryption (FHE), post-quantum cryptography (PQC), and more. However, the most important thing that data encryption cybersecurity experts need to focus on is the basics.
First, make sure that you are using standard, well implemented cryptographic schemes, with the most up-to-date algorithms and appropriate key sizes. (For example, no SHA1, RSA with 2048-bit keys at least, ECC with 256-bit keys at least, and so on.)
Second, make sure that your keys are well protected (in hardware, using MPC, or the like) and cannot be stolen along with the encrypted data by cyber-attackers.
Third, make sure that your cryptographic code is agile, meaning that in the case a flaw is discovered you can swap out the method relatively easily (it’s never easy, but the more abstract it is, the better). (Read Should You Always Aspire to be Agile?)
Finally, make sure that you have in-house expertise, and all other developers/users are given an easy interface that doesn't require them to be subject-matter experts.
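The "agile" and "easy interface" points above, and the earlier advice about having an environment ready to switch between ciphers, come down to one design habit: tag every ciphertext with the algorithm that produced it and dispatch on that tag. The Go program below is an added example (not the expert's code or any product's) of such a versioned envelope using the standard library's AES-GCM: new data is always written with the current algorithm, legacy data remains readable, the tag byte is authenticated so it cannot be rewritten to force a weaker cipher, and a `NeedsRotation` check lets a migration job find old records. The algorithm IDs, the `Keyring` type and all function names are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Algorithm IDs stored as the first byte of every ciphertext. Retiring a cipher
// means adding a new ID and re-encrypting, never silently changing an old one.
const (
	algAES128GCM byte = 1 // legacy, still readable
	algAES256GCM byte = 2 // what new data is written with
	Current           = algAES256GCM
)

// Keyring maps algorithm ID to the key for that algorithm.
type Keyring map[byte][]byte

// aead builds the AEAD for an ID and checks the key length the ID requires.
func aead(alg byte, key []byte) (cipher.AEAD, error) {
	var want int
	switch alg {
	case algAES128GCM:
		want = 16
	case algAES256GCM:
		want = 32
	default:
		return nil, fmt.Errorf("unknown algorithm id %d", alg)
	}
	if len(key) != want {
		return nil, fmt.Errorf("algorithm %d needs a %d-byte key, got %d", alg, want, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the only call application code needs: it always uses Current.
func Encrypt(kr Keyring, plaintext []byte) ([]byte, error) {
	return encryptWith(kr, Current, plaintext)
}

// encryptWith produces [alg id][nonce][ciphertext+tag]; the id byte is bound in
// as associated data so tampering with it fails authentication.
func encryptWith(kr Keyring, alg byte, plaintext []byte) ([]byte, error) {
	key, ok := kr[alg]
	if !ok {
		return nil, fmt.Errorf("no key for algorithm id %d", alg)
	}
	a, err := aead(alg, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{alg}, nonce...)
	return a.Seal(out, nonce, plaintext, []byte{alg}), nil
}

// Decrypt dispatches on the id byte; callers never learn which cipher wrote the data.
func Decrypt(kr Keyring, ct []byte) ([]byte, error) {
	if len(ct) < 1 {
		return nil, errors.New("empty ciphertext")
	}
	alg := ct[0]
	key, ok := kr[alg]
	if !ok {
		return nil, fmt.Errorf("no key for algorithm id %d", alg)
	}
	a, err := aead(alg, key)
	if err != nil {
		return nil, err
	}
	ns := a.NonceSize()
	if len(ct) < 1+ns+a.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, ct[1:1+ns], ct[1+ns:], []byte{alg})
}

// NeedsRotation flags records written with a retired algorithm.
func NeedsRotation(ct []byte) bool {
	return len(ct) > 0 && ct[0] != Current
}

func main() {
	kr := Keyring{algAES128GCM: make([]byte, 16), algAES256GCM: make([]byte, 32)}
	for _, k := range kr {
		io.ReadFull(rand.Reader, k) // demo keys; production keys live in an HSM or KMS
	}
	old, _ := encryptWith(kr, algAES128GCM, []byte("record written last year"))
	cur, _ := Encrypt(kr, []byte("record written today"))
	for _, ct := range [][]byte{old, cur} {
		pt, err := Decrypt(kr, ct)
		fmt.Printf("alg=%d rotate=%v plaintext=%q err=%v\n", ct[0], NeedsRotation(ct), pt, err)
	}
}
```

The same shape works for a post-quantum migration later: a third ID and key are added, `Current` moves, and nothing in the calling code changes, which is the abstraction the expert is asking for.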
Format-Preserving Encryption (FPE)
When it comes to advancements in data encryption, you can find a lot of news on quantum computing (to easily decrypt anything encrypted), homomorphic encryption (to return results from processing encrypted data), and honey encryption (to trick hackers into believing they have retrieved the encrypted data).
As these and other advancements come to market, it’s easy to overlook some advanced encryption that produces a lot of value for business leaders today. With Format-Preserving Encryption (FPE), data is encrypted while it’s at rest, stored in files or databases, or on storage devices.
While data is encrypted, businesses cannot use it. Data needs to be decrypted in order to be used for business intelligence and analytics, or for downstream functions, such as help-desk, back office support, and other services. Decryption creates a potential security vulnerability, because the original data is exposed after the decryption process.
FPE allows organizations to benefit from the security aspect of encryption while providing the business with the benefit of data utilization, by producing values that retain the format of the original data.
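To show what "retains the format" means in practice, here is an added Go example (written for this page, not the expert's code and not the NIST FF1/FF3 algorithm a product would use) of a small tweakable Feistel network that encrypts a string of decimal digits into another string of the same length and character set. The HMAC-based round function, the round count, and the function names are assumptions; the construction is a simplified version of the balanced-Feistel idea that the standardized FPE modes also build on.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
)

const rounds = 10

// roundFn is the Feistel round function: PRF(key, tweak, round, half) reduced into [0, m).
func roundFn(key, tweak []byte, round int, half, m uint64) uint64 {
	mac := hmac.New(sha256.New, key)
	mac.Write(tweak)
	var buf [9]byte
	buf[0] = byte(round)
	binary.BigEndian.PutUint64(buf[1:], half)
	mac.Write(buf[:])
	return binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % m
}

// splitDigits validates the input and returns the two halves and the per-half modulus 10^(len/2).
func splitDigits(s string) (l, r, m uint64, err error) {
	if len(s) == 0 || len(s)%2 != 0 || len(s) > 18 {
		return 0, 0, 0, fmt.Errorf("need an even number of digits (2..18), got %d", len(s))
	}
	h := len(s) / 2
	if l, err = strconv.ParseUint(s[:h], 10, 64); err != nil {
		return 0, 0, 0, fmt.Errorf("left half is not all digits: %w", err)
	}
	if r, err = strconv.ParseUint(s[h:], 10, 64); err != nil {
		return 0, 0, 0, fmt.Errorf("right half is not all digits: %w", err)
	}
	m = 1
	for i := 0; i < h; i++ {
		m *= 10
	}
	return l, r, m, nil
}

// Encrypt maps a digit string to another digit string of the same length.
// The tweak (e.g. a column name or record id) binds the mapping to its context.
func Encrypt(key, tweak []byte, digits string) (string, error) {
	l, r, m, err := splitDigits(digits)
	if err != nil {
		return "", err
	}
	for i := 0; i < rounds; i++ {
		l, r = r, (l+roundFn(key, tweak, i, r, m))%m
	}
	h := len(digits) / 2
	return fmt.Sprintf("%0*d%0*d", h, l, h, r), nil
}

// Decrypt runs the rounds in reverse; Feistel networks are bijections, so no padding is needed.
func Decrypt(key, tweak []byte, digits string) (string, error) {
	l, r, m, err := splitDigits(digits)
	if err != nil {
		return "", err
	}
	for i := rounds - 1; i >= 0; i-- {
		l, r = (r+m-roundFn(key, tweak, i, l, m))%m, l
	}
	h := len(digits) / 2
	return fmt.Sprintf("%0*d%0*d", h, l, h, r), nil
}

func main() {
	key := []byte("demo key: use a KMS-managed key in production") // constructed sample key
	tweak := []byte("customers.card_number")                        // constructed sample tweak
	ct, _ := Encrypt(key, tweak, "4111111111111111")
	pt, _ := Decrypt(key, tweak, ct)
	fmt.Printf("stored: %s  (same length, digits only)\nrecovered: %s\n", ct, pt)
}
```

Because the output is 16 digits, it fits the same database column, validation rule and downstream report as the original, which is the business benefit the expert describes. Two caveats a practitioner should keep in mind: the output does not preserve a checksum such as Luhn (if one must survive, encrypt only the digits that feed it and recompute the check digit), and a format-preserving ciphertext is deterministic for a given key and tweak, so equal inputs produce equal outputs unless the tweak varies per record.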
Moving Target Defense (MTD)
One of the areas cybersecurity experts should focus on is understanding and implementing the Moving Target Defense (MTD) model. Conceived by the DHS, it is an important paradigm shift which seeks to turn a usual position of disadvantage into one of advantage for the defenders.
It involves constantly changing the attack surface to increase the level of uncertainty for the attackers and complicate their attacks. Effective implementation of MTD would generally involve developing a decoy network to misguide any attackers at different layers of the tech stack.
Additionally, MTD schemes can also be seen as a cryptographic mechanism for facilitating secure communication.