The key 5 factors in a successful encryption project
Encryption ABC's
How to choose a flexible, scalable solution that's right for your business?
To be effective, encryption strategies must be approached as a whole: It’s just as important to protect from external threats as it is to compartmentalize the information system and provide end-to-end data protection. 5 simple rules for guaranteed successful deployment!
Rule number 1: Define an initial project scope while preparing for the future
As with any cybersecurity project, an analysis of the needs and risks involved needs to be conducted.
Encryption policy should have “Encrypt everything, everywhere, and always” as its motto.
Encrypting everything, everywhere and always, is the only way to protect yourself from the consequences of a data leak.
Global encryption is the target businesses must aim for. To reach it, however, things need to go forward gradually, without ignoring any of the steps.
When defining the initial project scope, the first thing that comes to mind is the data stored on the servers. Internal infrastructure contains critical data which is a highly important asset for you and your enemies alike…
Easier to get at, desktops or laptops are also a target not to be neglected. The same applies to all removable media (USB thumb drives, hard drives) which are widely used by teleworkers.
New uses of IT should push security managers to pay special attention to SaaS collaborative spaces and cloud storage services by proposing preventive solutions that are easy for employees to use.
The encryption target will necessarily evolve over time: so the solution must be flexible and adapt to changes in scope. The approach must always be pragmatic: start with a limited scope, then gradually extend the encryption to other use cases. |
Rule number 2: Data compartmentalization, a basic encryption rule
In the digital transformation age, restricting or even prohibiting exchanges has quite literally become impossible. Information systems are increasingly open and interconnected, and such openness has clearly become a competitive lever.
Partners and service providers from outside organizations now have access to internal resources, which are themselves used and hosted externally, in particular in the cloud.
In this context encryption is the only real way to manage file access rights, namely to manage the rights to read and understand the data on target infrastructure that the company does not fully control. This is especially true of public cloud infrastructure.
The only guarantee of the confidentiality of sensitive corporate data is end-to-end encryption.
Encryption is also a compliance tool.
This may cover the duty to protect personal data set out in the European GDPR, or the need to comply with regulations in certain sectors or professions (banking, health care, restricted distribution, etc.). Encryption is amongst the best practices recommended by the ANSSI for the protection of personal data. It must be deployed in conjunction with the DPO.
Compartmentalize your data You need to favor a solution that will provide the means to compartmentalize data between different users, between departments and even internal IT or any external players. The selected encryption solution must be able to support fine-tuned data compartmentalization to guarantee confidentiality at the most precise level as possible. |
Rule number 3: Choosing the right key management for your business
An important criterion for the effectiveness, but also the acceptability of an encryption project to be deployed is the key management solution.
Should passwords be used, or software or physical key rings? There are several possible approaches to storing encryption keys, each with its own upsides and downsides. Whatever your initial choice, you need to make sure that the selected encryption solution is easy to upgrade from one type of key to another without creating a security vulnerability.
The technology must make it possible to switch from a password to a software key ring, or vice versa, to choose a USB dual key, a smart card… or to mix and match devices according to user groups, Business Units and subsidiaries.
Important! The choice of key medium should be made after consulting the future users. That will make project acceptability easier to achieve, and make it easier to avoid any attempts to work around it.
Finally, what are known as recovery keys need to be configured and stored. These keys, access to which must be strictly restricted to a few trusted individuals, can potentially only be used in an emergency. They provide access to all encrypted content, including the files of disgruntled ex-employees, or at the request of the authorities.
In all cases, the selected IT solution must ensure the organization retains the ownership of its data and is able to decrypt it at all times. Access to data must not be user-dependent. |
Rule number 4: Be careful when archiving and backing up data
The growing number of cryptolocker attacks – malware that encrypts the contents of its victims’ hard drives – has pushed many businesses to bolster their data backup systems.
This is an absolutely essential best practice, and cryptographic compartmentalization must not be allowed to hold back data backup projects or block backup software.
In addition to backups, every organization has data archiving systems in place. There are two possible approaches to all this “cold” data:
- If you choose to create unencrypted data backups, you need to make sure your backup tool is as effective and secure as an encryption solution designed for that purpose.
- You can also choose to back up encrypted data. In that case you’ll need to adjust certain backup processes so that the backups are usable in the long term. The keys used to encrypt data must be kept for the long term. That may mean keeping the encryption software and a machine with the right OS to run it.
Rule number 5: Don’t neglect change management
Acceptability must be the project manager’s number 1 concern when implementing an encryption solution. The needs and constraints of IT administrators and future users must be taken into consideration:
- in defining the strategy;
- in the choice of a solution;
- in the selection of the key medium.
In each of these phases, it’s essential to involve users in the security process. It’s absolutely essential that future users don’t see encryption as a constraint or a hindrance to their work.
A few best practices to garner support:
- A change management phase must be conducted parallel to the encryption project;
- Managers must explain security requirements and the risks incurred by the business;
- The project must be have high level of support in the organization;
- The project manager is in charge of guiding the teams in the use of the new tools.
Taking into account initial feedback is essential to adapting the scope or technical tools implemented in the project.
In that context, it’s important not to forget to train IT support staff in the use of the encryption solutions, on how to deal with the inevitable loss or breakage of access keys, and on the overall impact of encryption on the IT infrastructure, which must be kept to a minimum. |
2 bonus rules 🙂
- Implementing an encryption solution means testing its compatibility with all the other security solutions in place in your organization: anti-virus, workstation integrity solutions, backup and data recovery solutions.
- The selected solution must meet your needs and adapt to your specifications, not the other way around! One of the most important criteria is that the encryption solution must be both comprehensive, to cover all the company’s needs, and easy to use.
In today’s context of digital insecurity, encryption is the last bastion to protect your data, even in cases of intrusion or data exfiltration. Deploying an encryption solution may seem to be an essentially technical project, but it isn’t. The technology is mature, and a large part of your effort should be focused on the organizational side and on change management for future users. Success will never be achieved if they are not on board.