The impending GDPR deadline, and in particular its regime of fines for data breaches, has placed security at the top of the agenda at many organisations.
There is now a compelling reason to use data encryption, a tool that has lain dormant for decades.
It is a shame that encryption is still so misunderstood, as it is just a tool like any other.
Below are the three key approaches to encryption in use today and, as you will see, your own IT team is key…
Machine level encryption – preventing external theft
If you are a small business you may simply want to know that your data is safe from physical theft. Low-level hard drive encryption secures a machine's data so that even if the machine is stolen, the data cannot be accessed by prying eyes.
Microsoft BitLocker, for example, provides that blanket protection without your users or applications needing to know or care.
However, the risk of inappropriate access remains: someone inside the business – a staff member or consultant perhaps – can access all users' data, which is still "in the clear" on a hard drive once the machine is running, unless further or more targeted steps are taken.
Directory or Database level encryption – preventing internal theft
A larger business may be looking at securing its systems to ensure the safety of sensitive PII from theft by either normal users or departmental IT staff who may still need to support those systems.
Typically this data is accessed only via the business applications which control access at a user level.
What is important is that the raw data of those systems cannot be read if it is accessed directly or stolen.
Here you can use Microsoft EFS (Encrypting File System) or Microsoft SQL Server Transparent Data Encryption (TDE) for databases to prevent these raw assets from being readable by users on your network.
Again, applications should not need to know that this encryption is in place. It is something that the IT team can implement, and these are configurations that software vendors should willingly support.
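As an added illustration of the database-level approach (this is example T-SQL, not code from the original article), the following enables SQL Server Transparent Data Encryption on a database and then checks that the encryption actually completed. The database name SalesDb, the certificate name, the passwords and the backup paths are placeholders chosen for this example.

```sql
-- Enable SQL Server Transparent Data Encryption (TDE) for one database.
-- Placeholders: SalesDb, TdeServerCert, the passwords and the file paths.
USE master;
GO
-- 1. A database master key in master protects the server certificate below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password-1>';
GO
-- 2. A server certificate whose private key will protect the database key.
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back the certificate and its private key up straight away and store them
--    off the server: without them an encrypted backup cannot be restored.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\SecureBackup\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\SecureBackup\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-placeholder-password-2>');
GO
-- 4. Create the database encryption key (AES-256) and switch encryption on.
--    Applications connecting to SalesDb need no change.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted. Only state 3 means the data files are protected on disk.
SELECT db.name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       dek.percent_complete
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS db ON db.database_id = dek.database_id;
GO
```

Encryption of an existing database runs in the background, so re-run the final query until percent_complete reaches 100 and encryption_state is 3; note that tempdb is encrypted automatically once any user database is.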
With the above two approaches, we have already covered encryption needs for 95% of businesses.
In some cases, it is necessary to have a mix of encrypted data and data in clear in the same business application – rather like a password protected attachment in an email.
This is where applications themselves offer specific support and functionality for data security.
Document, Application or fine-grained encryption – preventing in-application theft
Working at this level requires the application itself to be aware of encryption, and it is a more complex and expensive undertaking.
For most situations, it is not needed, but it can be important if it is the only way to use a system for both common and sensitive data at the same time.
If this is your requirement then it is critical you discuss it in detail with your software vendor. If you can avoid it – do so.
Enabling encryption for most business data is actually really quick and painless.
Don’t let yourself be bamboozled by the technical terms, just focus on your key threats and obligations – and get that encryption done!