(Written for SVSG.co blog – July 2016)
The formerly arcane subject of data encryption has recently gained public notoriety. Feature articles and opinion pieces in prominent publications including The Washington Post and The Wall Street Journal have offered overviews of encryption technology and covered news highlighting current debates about encryption. Meanwhile an ongoing stream of public disclosures of security breaches, including ones like the US Healthworks breach in 2015 in which inadequate encryption played a critical role, have also highlighted the importance of proper encryption policy and methods. Moreover, the highly public dispute between the FBI and Apple has helped catapult the topic of corporate responsibility regarding data privacy and security into public view – even Congress has entered the debate. Bringing the debate about what the bar should be for consumer-facing companies into the open, Apple has announced a plan for strong encryption of all data on personal devices while services like WhatsApp have added full encryption.
In this environment any responsible CEO must ask, “What does this mean for my company?” and “How should we think about encryption and about ensuring that we’re using it appropriately?” The short answer is that companies do need to step back and think about encryption in a new way. In the past best practice was “encrypt all important data” because of the substantial overhead burden of encryption, but the level of risk has risen while the cost of encrypting data has fallen. In these times, the new best practice needs to be “encrypt everything.”
It’s worth a closer look at how we got here and what’s changed.
Encryption’s Past: Neither Easy nor Cheap
In the past, encryption came with a significant amount of management and processing overhead — enough that it had not been easy or cheap to encrypt all data. Even today, most companies and individuals do not encrypt their emails.
Firms decided to encrypt only the most sensitive data, like Social Security Numbers and bank account numbers, because encryption was computationally expensive. Firms had to spend considerable time to decide what required encryption – leaving the firm on the hook if they got it wrong. The processing demands meant that encryption slowed everything down.
To selectively encrypt data, special application code often had to be written and maintained. All of this took considerable expertise and monetary investment – choosing the right encryption algorithms and mechanisms, managing encryption keys, having the trained and trusted staff or the technology to split keys so no one person could steal them. Rotating keys that affected large volumes of data also took time, effort, and expertise. All of this put pressure on many companies’ IT management to choose policies that balanced the overhead of encryption against the sensitivity of data and resulted in encryption being only selectively applied.
Breaking Down the Obstacles to Encryption
Technology has evolved in ways that fundamentally change the cost vs. benefit equation. Compute power is now a thousand times cheaper than it was a decade ago. You can get a PlayStation 4 for $400 that matches the compute power of the world’s fastest supercomputer in 2000. Encryption and decryption in hardware has become both fast and cheap, making encryption of data much more accessible.
There have also been advancements in the technology supporting encryption. The longstanding recommendation of the National Institute of Science and Technology to use the Advanced Encryption System (AES) has prevailed in the debates over what algorithm to use. Recent improvements in Transport Layer Security (TLS) have addressed vulnerabilities in encrypting data in flight. For data at rest, new database management systems let you to encrypt data without changing application code.
The most underappreciated change is that cloud, whether infrastructure as a service (IaaS) or software as a service (SaaS), has matured to the point where security and encryption can simply be built into its offerings. This allows companies using services that place an emphasis on security to encrypt everything without much burden to budget or quality of service because the overhead and complexity of implementing and managing encryption has become a seamless and automatic component of the service.
At the same time, the risk created by selective encryption of data continues to increase exponentially. For example, in the healthcare sector, HIPPA guidance on what items need to be removed or masked to de-identify healthcare data includes street address, telephone numbers, IP addresses, URLs, facial photographs, and birthdates – 18 fields in all.
As a result of these changes, “encryption everywhere” is the new best practice that companies need to adopt. Implementing this policy requires approaching security in a new way. Rather than a complex process to identify and put in place rules and code to categorize and protect data based on its class, companies need to look for technology that makes it easy for them to automatically ensure that all their data is encrypted.
As the public understanding of privacy and security risks increase and the technology to encrypt becomes more available and easier to use, the previous trade-offs that led to selective encryption are no longer justified. Companies have an obligation to deploy the best possible protection for their firm’s and the public’s data assets. Encrypting everything is the only way to achieve that.
Director of Security at Snowflake Computing
Mario has 16 years of experience as a security professional working in the retail, health care, and financial sectors. He has built and managed security teams, developed and implemented security programs, and managed PCI and HIPAA compliance initiatives for medium and large organization.
Snowflake Computing, a cloud data warehousing company, has reinvented the data warehouse for the cloud and today’s data. The Snowflake Elastic Data Warehouse is built from the cloud up with a patent-pending new architecture that delivers the power of data warehousing, the flexibility of big data platforms and the elasticity of the cloud. Snowflake can be found online at snowflake.net.