Once your new infrastructure has been selected and implemented, it’s time to look at how you can improve security. Secure infrastructure requires encryption. But ensuring the security of your ICT infrastructure is not the only reason to use encryption; it also keeps your data secure. We explain here how you can achieve effective encryption of your network as well as your data.
What is encryption?
Encryption locks data up using algorithms, ensuring that it is useless to malicious parties if it is unexpectedly stolen or lost. After all, without the key, they cannot decipher the data. The General Data Protection Regulation or GDPR stipulates that it is mandatory for organizations to provide optimal protection for their data. You must be able to prove that your data was properly protected at the time of its loss or theft. Encryption tools make that possible.
Encryption on the network
Network encryption means that all data that is transported across the network is encrypted before transmission. Even if malicious parties discover a vulnerability in the connection or manage to dig up the cable somewhere, the data will be useless to them without the key.
Data encryption means that the data is encrypted and then stored on a hard drive. If any malicious party runs off with the hard drive, it will be useless to them without the encryption key.
If you opt for network encryption, you first need an encryption key, or code word. It is crucial to choose a strong key, to change it regularly, and to pick an adequate bit length: the longer the key in bits, the harder it is to break.
The code word is entered into an algorithm such as AES (Advanced Encryption Standard), which is specified in the American FIPS (Federal Information Processing Standards). The algorithm scrambles the data in a specific, key-dependent way. Once it has been scrambled, stolen data is practically impossible to decipher without the key.
The encryption key is then exchanged with the equipment at the other end of the connection. A time limit is also set after which the key must be changed, usually once a minute. Even if a malicious party manages to retrieve the key itself, it is replaced a minute later, so the data is scrambled in a different way again.
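The key lifecycle described above (a key per minute, fed into AES, with a captured key becoming useless once it rotates) as an added example that is not part of the original article: each minute's AES-256 key is derived from a long-lived master secret with HMAC-SHA256 (an assumed scheme, standing in for whatever the encryption equipment actually uses), and AES-GCM is used so that a wrong key or a modified ciphertext is rejected rather than silently producing garbage.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
)
const rotationSeconds = 60 // key lifetime from the text: the link key changes once a minute
// epochFor maps a Unix timestamp to the key epoch (minute index) it belongs to.
func epochFor(unixTime int64) uint64 { return uint64(unixTime / rotationSeconds) }

// deriveKey: per-epoch AES-256 key from a long-lived master secret via HMAC-SHA256 (assumed scheme).
func deriveKey(master []byte, epoch uint64) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(strconv.AppendUint([]byte("link-key/"), epoch, 10))
	return mac.Sum(nil) // 32 bytes = AES-256 key; one epoch key reveals nothing about the next
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates with AES-256-GCM; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong (already rotated) or the bytes were altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("sealed data too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() { // demo: data sealed in one minute cannot be opened with the next minute's key
	master := []byte("constructed demo master secret, not a real key")
	sealed, _ := seal(deriveKey(master, epochFor(1700000000)), []byte("confidential payload"))
	_, err := open(deriveKey(master, epochFor(1700000060)), sealed)
	fmt.Println("opens with rotated key:", err == nil)
}
```

Real link encryptors also have to agree on the epoch and the master secret out of band and handle frames in flight across the rotation boundary; the example leaves that synchronization out.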
Advances in network encryption standards
The Advanced Encryption Standard (AES) replaced the original FIPS for data encryption: the Data Encryption Standard (DES). By the late 1990s, DES was no longer considered fit for purpose, so a global competition was organized to design a new standard. The Rijndael block cipher algorithm won due to its combination of security, performance, efficiency, simplicity and flexibility.
RSA (an acronym for the names of its inventors: Rivest, Shamir and Adleman) is an asymmetric cryptographic algorithm that was designed in 1977. The security of RSA is based on the fact that it is hard to factorize very large composite integers. The strength of RSA depends on its key size; at the key sizes in use it is still considered unbreakable, but the risk is that new developments in this field could render the algorithm useless. The Federal Information Processing Standards (FIPS) are issued by the US federal government and specify how certain information needs to be stored in information systems. Intended for use by non-military government agencies and government contractors, these standards include DES (FIPS 46) and AES (FIPS 197).
Hardware-based versus software-based encryption
There are various ways to encrypt a network. The best choice for your organization depends on how the connection is being used. For instance, it is possible to implement hardware-based encryption by placing encryptors in the equipment used to light the fiber. Hardware-based encryption ensures that all data transferred through the connection is encrypted. If the connection is used to transfer large quantities of privacy-sensitive and confidential information, we recommend encryption at the hardware level.
Hardware-based encryption requires specific hardware that provides the encryption key. This method is very secure. If a hacker tries to open the hardware to find out exactly how the encryption works, and removes so much as a single screw, the key is immediately erased.
There are also various options for software-based encryption. The benefit is that you can differentiate between data that needs to be encrypted and data that can be left unencrypted. A drawback of software-based encryption is that it adds latency, which can slow down the connection.
Encryption at the network level means that the data is only protected if it is transferred across the connection. However, data can also be encrypted on an organization’s internal and external file storage systems.
In general, the server is equipped with a separate chip where the encryption key is stored, so the key is always physically separated from the hard drive. A hacker could only recover the key if they had the hard drive and could also access the chip on the server. Even if a laptop, smartphone or portable storage device were lost or stolen, the information on its hard drive would still be secure.
Encrypting as much of your data as possible is recommended in order to ensure optimal data protection. This is especially important when the data is stored outside the organization’s own facilities, such as with a hosting or storage provider or in an external datacenter. In such situations, the data passes through various external providers. Full data encryption is the only way to make sure your data stays safe every step of the way.