Enterprises employ data encryption to protect valuable data from unauthorized access. To ensure the strongest protection against data breaches and theft, organizations must follow best practices in choosing which data to encrypt, how to encrypt it, and who has access to that data.
Identify Valuable Data
A large organization may have sensitive data stored in multiple physical and virtual locations. It is necessary to take an inventory of where the most valuable data is located at all levels of the organization. This includes both data at rest and data in transit across the network.
Once these locations are pinpointed, you need to prioritize the most valuable data assets and storage repositories. This will help you develop the best strategy for encoding the data.
Protect Data at Rest
Data at rest includes all data stored on physical media, whether magnetic, optical, or solid state devices. The most effective way to protect data at rest is through strong encryption controlled by cryptographic keys.
Protect Data in Transit
Data in transit refers to data transferred between locations or components, typically over the network or to/from cloud storage. Data in transit is vulnerable to various types of attacks, including session hijacking and man-in-the-middle attacks, that can gain access to all manner of confidential data and communications. To protect data in transit, use SSL/TLS protocols, virtual private networks (VPNs), and end-to-end encryption.
Choose an Appropriate Encryption Algorithm
There are multiple encryption algorithms in use today. Best practices dictate embracing state-of-the-art encryption that has been properly tested in real-world situations. Consider factors such as memory usage, encryption speed, and cost. You should also make sure the encryption you choose adheres to relevant international and industry standards, including those set by the National Institute of Standards and Technology (NIST).
Manage Cryptographic Keys
Protecting your cryptographic keys is imperative to protecting your organization’s sensitive data, especially any data stored in the cloud. The best secure containers, known as key vaults, help you maintain secure control of the keys used to encrypt and access your data. Key vaults also control and log access to any items stored within, such as certificates.
Your organization’s IT security staff should manage key permissions as necessary. Best practice is to grant access to groups, users, and applications at a specific scope, such as a resource group or subscription.
In addition, you should establish a secure location, separate from your company’s data, to store your cryptographic keys. You should also create backup keys and store them in different locations.
Key management should be centralized to avoid isolation vulnerabilities. Best practice is to use a hardware security module (HSM) that offers hardware-based protection, especially if your firm uses cloud-based data storage.
Control Interface Access
IT staff should also control which users have access to what interfaces. Key vault access is controlled through the management plane and data plane interfaces. In most instances, a user, group, or application needs access to only one of these planes, not both, which increases the level of security.
Store Certificates in Key Vaults
Another best practice is to use key vaults to store high-value certificates. If certificates are compromised, the security of an application or its data can also be compromised. Employing key management to certificate storage helps control who has access to each certificate.
Ensure Key Vault Recovery
If a key vault is accidentally or purposefully deleted, the data stored within may be lost. IT staff should employ a management solution that lets you recover any deleted key vaults and objects.
Practice Scalability
Your encrypted data security solution needs to be able to scale across all your data. It should also automatically adapt to any changes in your storage methods, including especially growth in the amount of data stored.
Integrate with Cloud Systems
According to IDC’s Data Age 2025 report, by the year 2025, 49% of all data will be stored in the cloud. Best practices ensure that data security and encryption are applied to all cloud-based data storage. Your security and encryption should work with your cloud storage provider and any applications that use cloud-based infrastructure.
Use Secure Workstations to Access Data
All access to sensitive data and accounts should be limited to secure workstations. Using a workstation with privileged access minimizes the risk from phishing and other social engineering attacks that compromise user credentials to gain access to sensitive data.
Enable Endpoint Protection
Any device that is used to access data presents a breach risk. This includes not only workstations and desktop computers but also notebooks, smartphones, tablets, and other devices. IT security staff should create and enforce strict security policies for all devices that touch your organization’s data.
Use a VPN
VPNs can help protect data in transit both within and from outside an organization. Use a site-to-site VPN to secure access from multiple on-site workstations or a point-to-site VPN for access from an individual on-site workstation. VPNs also help to secure data transfer and communications from off-site employees connected to public WiFi networks or hotspots.
Use End-to-End Encryption
Simple encryption only encrypts data at rest. To secure communications and data in transit, employ a communications/transfer solution that includes end-to-end encryption. With end-to-end encryption, different keys are used to transmit and receive data and communications; any data or communications intercepted in transit cannot be decrypted.
Wickr – For End-to-End Data Encryption
AWS Wickr is the most robust and secure encrypted messaging solution available today and should be part of your organization’s data encryption best practices. Wickr is fully encrypted, enterprise-ready, and easy to set up and manage. Wickr’s end-to-end encrypted platform enables you to secure text messaging, voice and video calls, and file transfers. Contact us to learn more about Wickr and data encryption best practices.