My first experience with encryption was long ago when I was 12 years old. My friends and I would pass notes in class that used a cipher code so that if the teacher confiscated the note, she would be unable to read it aloud, revealing to the entire class who my latest crush was. I did experience the occasional interception of a passing note, to which the teacher demanded the decryption key. There were flaws in this encryption method and system.
Encryption is defined as the process of encoding messages in a way that only authorized parties can read them. By its nature, encryption does not stop a message from being intercepted; it prevents whoever intercepts it from seeing the content. There are three states of data to consider when planning encryption: data in motion, data in use, and data at rest. Each state calls for its own way of deploying encryption, and in none of them does encryption on its own fully protect the data.
Data in Motion
Data in motion refers to data that is flowing through a network or between networks. Back to my school days example, it was the process of my note being passed from one student to another, and another, until it reached my friend. When data is in motion, it is easier to see how it can be stolen or intercepted, which is why it is critical to secure it using encryption if the contents need to remain protected.
There is more to protecting data in motion than simply encrypting it during transit. Even if it is encrypted, it can still be intercepted, and once intercepted, the person who took it can take whatever time is needed to break the code. Beyond encryption, additional protections to consider for data in motion are perimeter security, network monitoring, access controls (local, privileged, remote, etc.), data collection and exchange controls, and messaging protections.
When I was passing notes in class, I should have considered things like only using carriers that I trusted to pass my note to its intended recipient, taping the note to detect tampering, mirrors to monitor the flow of the note if being passed behind me, and even a thumbs up by my friend upon safe delivery of the note. Yes, it could still be intercepted by the dreaded teacher, but the likelihood would have been decreased.
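The "tape on the note" and the "thumbs up" above correspond to two concrete controls for data in motion: a tamper-evident tag on each message and an acknowledgment from the recipient. The following is an added example, not code from the original post, showing both with an HMAC over a random nonce plus the message, so the recipient can reject altered notes and re-sent old ones. The shared key and the messages are constructed for the example; it assumes sender and recipient already share the key.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice the sender and recipient would agree
# on it out of band (assumption for this example).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def seal(key: bytes, message: bytes) -> dict:
    """Attach a tamper-evident tag to a message (the 'tape on the note').

    The tag covers a fresh random nonce as well as the message, so an intercepted
    note cannot be altered, and an old note cannot be re-sent as if it were new.
    HMAC gives integrity and authenticity only; the message itself stays
    readable, so confidentiality still needs encryption on top of this.
    """
    nonce = secrets.token_bytes(16)
    tag = hmac.new(key, nonce + message, hashlib.sha256).digest()
    return {"nonce": nonce, "message": message, "tag": tag}


def verify(key: bytes, sealed: dict) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(key, sealed["nonce"] + sealed["message"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, sealed["tag"])


def deliver(key: bytes, sealed: dict, seen_nonces: set) -> str:
    """Recipient-side check; the return value is the 'thumbs up' (or not).

    'tampered': tag does not match (contents changed, or sealed with another key)
    'replay':   a note with this nonce was already accepted
    'ack':      intact, fresh, accepted
    """
    if not verify(key, sealed):
        return "tampered"
    if sealed["nonce"] in seen_nonces:
        return "replay"
    seen_nonces.add(sealed["nonce"])
    return "ack"


if __name__ == "__main__":
    seen = set()
    note = seal(SHARED_KEY, b"meet at the library after class")
    print(deliver(SHARED_KEY, note, seen))                     # ack
    print(deliver(SHARED_KEY, note, seen))                     # replay
    altered = dict(note, message=b"meet at the cafeteria after class")
    print(deliver(SHARED_KEY, altered, seen))                  # tampered
```

The point the post makes still stands: the tag does not hide the note's contents, so an interceptor with time on their hands can still read it. The tag only makes sure the recipient learns when a note was changed or re-sent.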
Data in Use
Data in use refers to active data that is in the process of being created, changed, updated, deleted, or viewed through a variety of tools, applications, and methods. It is data that has not been tucked away in a stable location but instead is actively being used within the IT architecture. When data is being used, it is important to secure it not only to protect it but also to ensure its integrity. Encrypting data while it is being used is not easy or practical in many cases; therefore, other protections are integral. These include privileged user monitoring; access and usage monitoring; data anonymization; use of test data; data redaction; and export and save controls.
My 12-year-old self did consider additional protections when creating, updating, or deleting my sensitive crush notes. Upon the discovery of a less-than-trustworthy friend, I decided to use fake data in my note and reveal my secret crush as someone who was in on the “test.” This way, I was able to tell where the leak of my secrets was stemming from. I was able to use insider threat analysis to determine who in my trusted network could not be trusted. If I had only encrypted the data but allowed this person continued access to it, my true secret crush would have been known by all.
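Data anonymization and redaction, two of the in-use controls listed above, are things you apply to a record before it reaches a tool, a report, or a person who does not need the raw values. The following is an added example, not code from the original post, of a field-level redaction policy: identifiers are replaced by keyed pseudonyms (so records still join without exposing the value), contact and card fields are masked, and anything the policy does not name is dropped rather than passed through. The policy, key and sample record are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for pseudonymization. Assumption: it is held outside the data
# store, since anyone with it and a guessable input space could rebuild tokens.
PSEUDONYM_KEY = b"constructed-pseudonymization-key"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic token: the same input always yields the same token, so
    records about one person still line up, but the value itself is not shown."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(value: str) -> str:
    """Keep the first character and the domain: j***@example.com"""
    local, _, domain = value.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Keep only the last few digits of an account or card number."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - keep_last, 0) + digits[-keep_last:]


# Constructed policy: what each field may look like once the record leaves the
# system of record. Unknown fields default to "drop" (deny by default).
POLICY = {
    "name": "pseudonymize",
    "email": "mask_email",
    "ssn": "drop",
    "card": "mask_digits",
    "purchase_total": "keep",
}


def redact(record: dict, policy: dict = POLICY) -> dict:
    """Apply the policy field by field and return the redacted copy."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value))
        elif action == "mask_email":
            out[field] = mask_email(value)
        elif action == "mask_digits":
            out[field] = mask_digits(value)
        # "drop" (and any unrecognized action): the field is simply not copied
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "card": "4111-1111-1111-1234",
    "purchase_total": 42.5,
    "free_text_note": "called about her order",  # not in policy, so dropped
}

if __name__ == "__main__":
    print(redact(SAMPLE_RECORD))
```

Running the test-data idea from the anecdote on top of this is a matter of feeding the same function constructed records instead of production ones; the downstream tool never sees the difference, which is exactly the point.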
Data at Rest
Data at rest is inactive data that is stored in digital form in a stable location. It can be archived or reference data that is never or rarely changed. Resting data is just sitting there and is often forgotten, leaving it ripe for the taking (and exploiting). In today’s world, data at rest is becoming more and more of an issue as the amount of data collected on each person grows exponentially each year. Often the collected data is used for a single moment in time and then kept in perpetuity, “just in case” it is ever needed. The big issue with data at rest is that it becomes data out of sight, and out of sight leads to out of mind. Again, encrypting is not enough: you need to remember the data is there and that it can be taken if it is not secured. Securing data at rest includes protections such as endpoint security; host encryption; mobile device protection; network/internet storage protections; physical media controls; and disposal and destruction policies and procedures.
Back to my middle school days, I remember a time when proper destruction and disposal of old notes (aka data) came back to bite me. Instead of writing notes in code to pass to friends in class and then, upon receipt and return delivery, disposing of said notes properly, I kept them all in my backpack. I hoarded them like old clothes in a closet. I do not know why I held onto the notes, but I did. I never referred back to them. They held no value to me. I was just too lazy to dispose of them properly. One day, I lost my backpack. When I retrieved it from the lost and found, the notes were gone. I came to learn a “friend” had taken the notes and used them as blackmail against me after decoding them (as she knew the code).
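The backpack problem is what a periodic data-at-rest review is for: walk the inventory, dispose of what is past its retention limit, and flag what is still needed but stored in the clear. The following is an added example, not code from the original post, of the decision logic for such a review over a constructed inventory; the classifications, retention periods and paths are made up for the example, and a real policy would take its limits from records-management requirements.

```python
from datetime import date, timedelta

# Retention limit per classification, in days. Constructed values for the
# example; a real policy comes from legal/records-management requirements.
RETENTION_DAYS = {"public": 3650, "internal": 730, "confidential": 365, "regulated": 90}


def review(item: dict, today: date) -> str:
    """Decide what a data-at-rest review should do with one stored item.

    Returns one of:
      'classify' - no policy can apply until the item has a known classification
      'destroy'  - past its retention limit; dispose of it (the old notes in the backpack)
      'encrypt'  - still needed, but non-public and stored in the clear
      'ok'       - within retention and protected
    """
    limit = RETENTION_DAYS.get(item.get("classification"))
    if limit is None:
        return "classify"
    age_days = (today - item["last_used"]).days
    if age_days > limit:
        return "destroy"
    if item["classification"] != "public" and not item["encrypted"]:
        return "encrypt"
    return "ok"


def review_inventory(inventory: list, today: date) -> dict:
    """Map each stored path to the action the review decided on."""
    return {item["path"]: review(item, today) for item in inventory}


# Constructed inventory, as an asset register might list it (paths are made up).
TODAY = date(2024, 1, 1)
SAMPLE_INVENTORY = [
    {"path": "/archive/2019-survey.csv", "classification": "regulated",
     "last_used": TODAY - timedelta(days=400), "encrypted": True},
    {"path": "/shares/hr/offers.xlsx", "classification": "confidential",
     "last_used": TODAY - timedelta(days=30), "encrypted": False},
    {"path": "/www/brochure.pdf", "classification": "public",
     "last_used": TODAY - timedelta(days=2000), "encrypted": False},
    {"path": "/tmp/export.json", "classification": None,
     "last_used": TODAY - timedelta(days=5), "encrypted": False},
]

if __name__ == "__main__":
    for path, action in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{action:9} {path}")
```

Note the order of the checks: an item past its limit is destroyed even if it is encrypted, because encryption protects contents but does nothing about data that should no longer exist at all.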
Encryption is part of every person’s life, whether they realize it or not. There are many questions today around the use of encryption. Are we using it when we should, and not when we shouldn’t? What is the right level at which to encrypt? What is the totality of protections that need to be in place based on the data, the use of the data, the motion of the data, and the storage of the data?