Data encryption is one of the many ways organizations can protect their data. Encryption turns plaintext (readable data) into ciphertext (randomized data), which requires the use of a unique cryptographic key for interpretation.
In other words, encryption is a security measure used to scramble data so that it can only be read by authorized personnel.
There are many types of encryptions, and it’s important to choose the right encryption algorithms and techniques for your business’ security requirements. In this article, we will:
- Examine symmetric and asymmetric encryption methods
- Detail common encryption algorithms and when to use them
- Cover tips and best practices for data encryption
Let’s get started!
How data encryption works
The goal of data encryption is to protect information from being seen by unauthorized personnel. Practically, encryption is one way to conceal information by making it appear as random data, not useful information. Encryption can be applied both to:
- Data in transit (data in movement/being sent)
- Data at rest (data stored)
Organizations may choose to encrypt confidential information in databases, files, documents, messages and other communication channels over their network.
Importantly, let’s not forget that encryption can be used both for good purposes – protecting your assets – as well as for bad actions. In fact, proliferate ransomware attacks rely on speedy encryption methods to capture more files than ever before. According to recent research from SURGe, our in-house cybersecurity research team,
“…the median ransomware variant can encrypt nearly 100,000 files totalling 53.93GB in forty-two minutes and fifty-two seconds. A successful ransomware infection can leave organizations without access to critical IP, employee information and customer data.” – Ryan Kovar, March 2022
Due to multiple types of data and various security use cases, many different methods of encryption exist. We can broadly group data encryption methods into two categories: symmetric and asymmetric data encryption.
When using symmetrical encryption methods, a single secret key is used to encrypt plaintext and decrypt ciphertext. Both the sender and receiver have private access to the key, which can only be used by authorized recipients. Symmetric encryption is also known as private key cryptography.
Some common symmetric encryption algorithms include:
- Advanced Encryption Standard (AES)
- Data Encryption Standard (DES)
- Triple DES (TDES)
And we’ll look at each of these shortly.
This method of encryption is known as public key cryptography. In asymmetric encryption, two keys are used: a public key and a private key. Separate keys are used for both the encryption and decryption processes:
- The public key, as the name suggests, is either publicly available or shared with authorized recipients.
- The corresponding private key is required to access data encrypted by the public key. The same public key will not work to decrypt the data in this technique.
Asymmetric encryption offers another level of security to the data which makes online transfers safer. Common asymmetric encryption methods include Rivest Shamir Adleman (RSA) and Elliptic Curve Cryptography (ECC)
Comparing symmetric vs asymmetric encryption
Aside from the fact both techniques use different key combinations, there are other differences between symmetric and asymmetric encryption.
- Asymmetric encryption is a newer method that eliminates the need to share a private key with the receiver. Importantly, however, this approach takes longer in practice than symmetric encryption.
- Symmetric encryption techniques are best suited to larger data sets but use smaller ciphertexts in comparison to the original plaintext file. (The opposite is true of asymmetric encryption.)
Within the categories of asymmetric and symmetric encryption methods are unique algorithms that all use different tactics to conceal sensitive data. We’ll explore these below.
Quick note: how hashing works
Hashing is a technique that uses a mathematical function to convert inputs of any size (files, messages, etc.) into a fixed length value.
Many people mistake hashing for being an encryption technique, but this is an important distinction to make. In hashing, there is no key, which means you cannot ensure complete privacy. Additionally, a hash can be recreated.
Hashing is typically used alongside cryptography, as a method of storing and retrieving data. It is most commonly used for:
- Document verification
- Digital signatures
- Integrity controls
Common data encryption algorithms and techniques
Encryption methods vary based on a number of factors, including:
- The type of keys used
- Encryption key length
- The size of the encrypted data blocks
Now let’s look at seven common methods of encryption that you can use to safeguard sensitive data for your business.
1. Advanced Encryption Standard (AES)
The Advanced Encryption Standard is a symmetric encryption algorithm that is the most frequently used method of data encryption globally. Often referred to as the gold standard for data encryption, AES is used by many government bodies worldwide, including in the U.S.
AES encrypts 128-bit data blocks at a time and can be used for:
- File and application encryption
- WiFi security
- SSL/TLS protocols
2. Triple Data Encryption Standard (TDES)
The Triple Data Encryption Standard, sometimes shortened to Triple DES or 3DES, is a symmetric encryption method that uses a 56-bit key to encrypt data blocks. It is a more advanced, more secure version of the Data Encryption Standard (DES) algorithm. As its name indicates, TDES applies DES to each block of data three times.
Utilized by applications like Firefox and Microsoft Office, TDES encrypts things like:
- ATM pins
- UNIX passwords
- Other payment systems
3. Rivest Shamir Adleman (RSA)
The Rivest Shamir Adleman algorithm is an asymmetric form of encryption. Used to encrypt data from one point of communication to another (across the internet), it depends on the prime factorization of two large randomized prime numbers. This results in the creation of another large prime number — the message can be only decoded by someone with knowledge of these numbers.
It is extremely difficult for a hacker to work out the original prime numbers, so this encryption technique is a viable way to secure confidential data within an organization. There are some limitations to this method, primarily that it slows when encrypting larger volumes of data. Typically, though, RSA is used for:
- Smaller-scale documentation
This symmetric encryption algorithm was originally designed to replace the Data Encryption Standard (DES). The Blowfish encryption technique uses 64-bit block sizes and encrypts them individually.
This data encryption method is known for its flexibility, speed and resilience. It’s also widely available as it’s in the public domain, which adds to the appeal. Blowfish is commonly used for securing:
- E-commerce platforms
- Password management systems
- Email data encryption tools
The next generation version of Blowfish is Twofish, a symmetric encryption technique that encrypts 128-bit data blocks. Twofish utilizes a more complicated key schedule, encrypting data in 16 rounds no matter the size of the encryption key. It’s also publicly available like its predecessor Blowfish, but it’s a lot faster and can be applied to both hardware and software.
Twofish is most frequently used for file and folder encryption.
6. Format-Preserving Encryption (FPE)
Another symmetric encryption algorithm is FPE: Format-Preserving Encryption. As the name suggests, this algorithm keeps the format (and length) of your data during encryption. An example would be a phone number. If the original number is 012-345-6789, then the ciphertext would retain the format but use a different, randomized set of numbers e.g. 313-429-5072.
FPE can be used to secure cloud management software and tools. Trusted cloud platforms like Google Cloud and AWS use this method for cloud data encryption.
7. Elliptic Curve Cryptography (ECC)
The ECC encryption algorithm is a relatively new asymmetric encryption method. It uses a curve diagram to represent points that solve a mathematical equation, making it highly complex. The shorter keys make it faster and stronger than RSA encryption. ECC can be used for:
- Web communications security (SSL/TLS protocols)
- One-way email encryption
- Digital signatures in cryptocurrencies like Bitcoin or NFTs
Challenges to data encryption methods
Despite their obvious strengths, there are some drawbacks to encryption methods. Fortunately, careful adoption of best practices, which we’ll cover below, help overcome and mitigate these concerns.
One of the major challenges to data encryption techniques within an organization is key management. Any keys required for decryption must be stored somewhere. Unfortunately, this location is often less secure than people think. Hackers have a particular knack for uncovering the whereabouts of key information, posing a huge threat to enterprise and network security.
Key management also adds another layer of complexity where backup and restoration are concerned. When disaster strikes, the key retrieval and backup process can prolong your business’s recovery operation.
(Understand how vulnerabilities and threats contribute to overall risk.)
Brute force attacks
Vulnerability to brute force attacks is a less common — though serious — threat to encryption. A brute force attack is the formal name of a hacker’s attempts to guess the decryption key. Modern computer systems can generate millions or billions of possible combinations, which is why the more complex any encryption key, the better.
Today’s encryption algorithms, when used in combination with strong passwords, are usually resistant to these types of attacks. However, computing technology continues to evolve, continuing to pose an existential threat to data encryption techniques in future.
Best practices for a data encryption strategy
Data encryption is one of the best ways to safeguard your organization’s data. Still, like most things, successful encryption comes down to the strategy and execution. In this section, we’ll look at some best practices to ensure your data encryption algorithms and techniques are as effective as possible.
1. Define security requirements
Scoping out the general security landscape of your organization is an important first step in any encryption strategy. Encryption systems vary in strength and processing capabilities, so it’s important to assess your current security needs before buying into a solution.
To evaluate your security posture, you can…
- Conduct a threat assessment to uncover any system vulnerabilities.
- Speak to teams and stakeholders to learn of any business decisions, existing situations and even compliance regulations that could affect your strategy.
- Review prescriptive materials including well-established cybersecurity frameworks.
2. Classify your data
Building on the first step, you’re ready to better understand the types of data you store and send. This includes anything from customer information to financial data and company account details and even your proprietary information that your business relies on. You can then classify each type of data by:
- How sensitive it is
- Whether and how it’s regulated
- How often it’s used and called upon
(Compare data storage in data lakes and data warehouses.)
3. Choose the right encryption solution
Once you’ve identified your data priorities and security requirements, you can look for data encryption tools to fit your needs. You’ll likely need to install a range of encryption algorithms and techniques to protect different forms of data across your databases, files and applications. The best data encryption solutions are able to offer:
- Encryption at multiple levels (application, database and file) for data on-premises and in the cloud
- A centralized management dashboard for data encryption, encryption key policies and configurations
- An automated lifecycle process for encryption keys (both on-premises and cloud-based)
- Audit logging and shared group and role-based access controls (RBAC) to help address compliance
Use data encryption tools in addition to general security solutions like email security platforms, cloud security software, and payment gateways, as they can also encrypt data and provide added levels of security.
4. Consider any deployment obstacles
Adding to and overhauling existing security strategies is a significant change for any business. It’s therefore important to plan for any problems that could arise, such as the integration of data encryption solutions with application back-ends and legacy systems.
Ensure you have plenty of time to navigate these obstacles and consider partnering with a third-party IT provider to support your IT team with deployment.
5. Enable and collaborate for a culture of security
For your data encryption strategy to be truly successful, employees need to buy into a culture of security. Education and training on encryption key management and best practices are crucial for minimizing the human error factor of improper key storage, as we explored above, can put important data at risk.
6. Recognize the limits of data encryption
The goal of encryption is to prevent unauthorized access to sensitive information. But your organization still requires additional cybersecurity solutions to keep hackers at bay. These include firewalls, endpoint security measures and VPNs.
An encryption strategy should fit seamlessly into an already strong cybersecurity strategy.
(See how encryption fits into your InfoSec, or information security, strategy.)
The future of data encryption techniques
An effective data encryption strategy is an essential security measure for any business. However, as we’ve seen, it is not without risk. As cyberattacks become more sophisticated and computing systems further develop, encryption algorithms and techniques must also evolve. Luckily, initiatives like next-generation quantum-safe algorithms and homomorphic encryption represent exciting new developments in data encryption. Other methods will inevitably be investigated as technology progresses.
For now, implementing an effective data encryption solution that fits your unique security needs and is deployed in collaboration with your IT, operations and management teams is one of the best ways to safeguard your data in the modern workplace.
What is Splunk?
This article was written in collaboration with Ailis Rhodes and does not necessarily represent Splunk's position, strategies or opinion.