What role does encryption play in data security?
Widespread connectivity creates many entryways for cybercriminals into your network. When data falls into the wrong hands, the consequences can be devastating. Accounting for all of the data traveling across your computers, mobile devices, databases and cloud systems is a serious challenge. Luckily, there are tried-and-true methods to safeguard your assets, and encryption is at the top of that list.
Encryption is critical to the protection of sensitive data, and there are requirements for both encryption in transit and encryption at rest. In part one of this article, we will focus on encryption in transit.
Don't get discouraged by the many abbreviations used in this area: VPN, SSL/TLS, disk encryption, storage volume encryption, TDE, PKI and HSM, to name a few. I will decipher these terms so that you can implement an encryption strategy of your own.
Understand the Different Types of Encryption
While physical and network security protect the assets themselves (servers, for instance), encryption protects the data that resides on them. Several cryptographic building blocks are available, including hashing, public/private key pairs and symmetric keys, and each plays a different part in protecting sensitive data:
- Hashing is a one-way function rather than encryption: it protects data that never needs to be recovered, such as passwords and PINs. A hash function condenses its input into a fixed-size value that cannot be reversed. The credential is stored only as a hash, and each authentication attempt is hashed the same way and compared against the stored value. For passwords, use a salted, deliberately slow hash (Argon2id, scrypt, bcrypt or PBKDF2) so that a stolen database cannot be brute-forced quickly.
- Public/private key (asymmetric) encryption is based on mathematical functions that use a pair of keys. Data encrypted with one key of the pair can only be decrypted with the other. The private key is always kept secret by its owner, while the public key can be distributed freely; the same pairing is what makes digital signatures and certificates possible.
- Symmetric key encryption uses a single key for both encryption and decryption, so anyone who holds the key can read the exchanged data. It is fast, but its main weakness is key distribution: the key has to reach the other party without travelling in the clear over the same network. Historically that meant an out-of-band channel (if the data travels over the LAN or WAN, the key is exchanged by phone or regular mail); modern protocols such as TLS instead use public/private key cryptography to agree on the symmetric key, as described below.
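As an added illustration (not code from the original post), the following Go program exercises the three building blocks above with only the standard library: a salted, iterated password hash with constant-time verification for the hashing case, AES-256-GCM as the symmetric cipher, and RSA-OAEP used to wrap a fresh AES key for a recipient, which is how a public/private key pair solves the symmetric key-distribution problem. The function names, the round count, the fixed salt in main and the sample card-number string are the example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hashing is one-way: a salted, iterated HMAC-SHA256 (the PBKDF2 construction) maps a password
// to 32 bytes that cannot be reversed. Assumption: the round count is illustrative; prefer Argon2id.
const pbkdf2Rounds = 100_000

func hashPassword(password string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < pbkdf2Rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func verifyPassword(password string, salt, stored []byte) bool {
	return hmac.Equal(hashPassword(password, salt), stored) // constant-time compare
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Symmetric: one key both seals and opens. AES-256-GCM also authenticates, so a
// ciphertext altered in transit is rejected instead of decrypting to garbage.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func symmetricOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Public/private keys solve symmetric key distribution: the sender wraps a fresh AES
// key with the recipient's public key, and only the matching private key unwraps it.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, blob []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if blob, err = symmetricSeal(key, plaintext); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return wrappedKey, blob, err
}

func hybridDecrypt(priv *rsa.PrivateKey, wrappedKey, blob []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return symmetricOpen(key, blob)
}

func main() {
	salt := []byte("constructed-salt") // real code draws a random salt per user
	stored := hashPassword("correct horse battery staple", salt)
	fmt.Println("password verifies:", verifyPassword("correct horse battery staple", salt, stored))
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // the private half never leaves the recipient
	wrapped, blob, _ := hybridEncrypt(&recipient.PublicKey, []byte("PAN 4111 1111 1111 1111")) // constructed sample
	plain, err := hybridDecrypt(recipient, wrapped, blob)
	fmt.Printf("hybrid decrypt: %q err=%v\n", plain, err)
}
```

The failure modes are worth trying as well: opening the blob with a different AES key, or after flipping a single ciphertext bit, returns an error from GCM's authentication tag rather than a wrong plaintext, and unwrapping the AES key with any private key other than the recipient's fails inside RSA-OAEP. That combination of a public key for distribution and a symmetric key for bulk data is the same shape as the TLS key agreement described later in this article.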
With these encryption options in mind, let’s review how the various methods secure your data and maintain compliance within various security frameworks.
Challenges in Implementation
To secure data in transit, the most common technologies are IPSec tunnels and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). SSL is the deprecated predecessor of TLS; the name survives in everyday use, but the protocol actually deployed today should be TLS 1.2 or 1.3.
IPSec tunnels offer a secure communication channel between two points and, in most cases, are deployed either gateway-to-gateway (site-to-site) or between a user's device and a gateway (remote access). The two parties first authenticate each other and negotiate encryption keys through the IKE key-exchange protocol; the packets are then encrypted (typically with ESP) and transmitted through the tunnel. The following diagrams represent the implementation of IPSec virtual private network (VPN) tunnels:
Figure 1: Implementation of IPSec VPN Tunnels
The VPN tunnel protects traffic only between the tunnel endpoints. There is no end-to-end security, so the "traffic in clear" between each end host and its VPN gateway (on the office LAN, for example) remains unprotected. Use this approach only between fully trusted parties (i.e. company branch offices, or a remote VPN user accessing company resources). Beyond that, additional security measures are required to achieve compliance with security frameworks such as PCI DSS, HIPAA, and similar regulations.
SSL/TLS with a public/private key implementation is another method to secure data in transit. It forms a secure link between a server and a client through a certificate that binds the server's public key to its name; the certificate is signed by a certificate authority (CA) that the client trusts. When the client connects, the server presents its certificate, which the client validates against its trust store to authenticate the server. The two parties then agree on a symmetric session key and exchange data securely. Any client that trusts the CA behind the server certificate can establish a secure channel with the server and access its data, because the server does not authenticate its clients.
This communication method, in which clients authenticate the server through its certificate but not the reverse, is called one-way SSL/TLS authentication. It ensures the confidentiality and integrity of data exchanged between the server and any client. However, because it does not authenticate the client, it is not sufficient on its own wherever the server must know who it is talking to.
Figure 2: One-way SSL/ TLS Implementation
While one-way SSL/TLS, unlike an IPSec VPN, gives a secure end-to-end connection between the two parties, your inability to control at the transport layer which clients may reach the server creates an access-control problem. To address it, I recommend a two-way (mutual) SSL/TLS implementation, which requires each client to present its own certificate, issued by a CA your server trusts; your server uses that certificate to authenticate the client. This limits the number of client systems that can establish secure communication with your servers and overcomes the challenge of one-way implementations. See the diagram below:
Figure 3: Two-way SSL/ TLS Implementation
Two-way SSL/TLS satisfies the need for a secure end-to-end data exchange. Because the session crosses the public internet, it remains exposed to man-in-the-middle attempts; these succeed only where certificate validation is weak, for example when a party trusts a compromised or rogue CA, or when a client is configured to skip validation altogether. The strength of the channel therefore rests on strict certificate validation on both sides.
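The following Go program is an added example, not code from the original post, that stands up a TLS server on the loopback interface with the standard library and runs the one-way and two-way cases described above side by side: a client that trusts the right CA, a client that trusts the wrong CA, a client that skips validation (the configuration that lets a man-in-the-middle succeed), and, with client authentication required, a client with no certificate and one with a certificate from the trusted CA. The CA names, the "client-01" identity, the loopback address and the "ok" greeting are assumptions made for the example; all certificates are generated in memory on each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a short-lived P-256 certificate for cn: self-signed when parent is nil
// (a root CA), otherwise signed by parent. Leaf is kept so the result can sign or be pooled.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client checks for the loopback server
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

func pool(ca tls.Certificate) *x509.CertPool { // trust store holding one CA
	p := x509.NewCertPool()
	p.AddCert(ca.Leaf)
	return p
}

// serve listens on loopback; a connection gets "ok\n" only once the handshake, client-certificate check included, succeeds.
func serve(cfg *tls.Config) (addr string, stop func()) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("ok\n"))
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect dials addr with cfg and reads the greeting (under TLS 1.3 a rejected client certificate surfaces on Read).
func connect(addr string, cfg *tls.Config) (string, error) {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 8)
	n, err := c.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	ca, rogue := newCert("Example Root CA", true, nil), newCert("Rogue CA", true, nil)
	server, client := newCert("127.0.0.1", false, &ca), newCert("client-01", false, &ca)
	oneWay, _ := serve(&tls.Config{Certificates: []tls.Certificate{server}})
	twoWay, _ := serve(&tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(ca)})
	report := func(name, addr string, cfg *tls.Config) {
		_, err := connect(addr, cfg)
		fmt.Printf("%-42s err=%v\n", name, err)
	}
	report("one-way, client trusts the CA", oneWay, &tls.Config{RootCAs: pool(ca)})
	report("one-way, client trusts a rogue CA", oneWay, &tls.Config{RootCAs: pool(rogue)})
	report("one-way, validation disabled (MITM-prone)", oneWay, &tls.Config{InsecureSkipVerify: true})
	report("two-way, no client certificate", twoWay, &tls.Config{RootCAs: pool(ca)})
	report("two-way, certificate from trusted CA", twoWay, &tls.Config{RootCAs: pool(ca), Certificates: []tls.Certificate{client}})
}
```

Each line of output reports the error the client saw; nil means the greeting arrived. Two details matter in practice. First, under TLS 1.3 the server's rejection of a missing or foreign client certificate is sent after the client's own handshake has already returned, which is why connect reads from the connection before judging success; code that treats a successful Dial as proof of authentication gets this wrong. Second, the InsecureSkipVerify line is the configuration that turns the man-in-the-middle concern above into a practical attack: a client that does not validate the chain will accept whoever terminates the connection, rogue CA or not.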
How to Secure Data in Transit – Final Recommendation
Develop an encryption strategy that combines an IPSec VPN tunnel with a two-way SSL/TLS implementation to mitigate these risks and safeguard your data in transit. With this approach, you establish a VPN between the gateways of the two parties (or between the remote client and the remote gateway), and the two end-points run SSL/TLS sessions that pass through the VPN tunnel, so an attacker on the internet path sees only the IPSec traffic and is never in a position to interpose on the TLS handshake. Two-way SSL/TLS does not offer a great user experience, because every client must be issued a certificate and manage it, but it is an excellent method to secure end-to-end communication between two business systems (machine-to-machine traffic). For end users, it is better to keep one-way SSL/TLS and add further controls, such as application-level authentication and client IP address filtering, to limit access to your server. The diagram below shows the recommended implementation:
Figure 4: Combination of IPSec VPN Tunnel and Two-way SSL/TLS
This post was first published on Onramp.
Nikola Todev has more than 18 years of experience leading infrastructure and security design, as well as operations for high performance financial and telco services. He is in charge of OnRamp’s information security strategy, practices, and implementation.