Data encryption is a means of protecting data from unauthorized access or use. Commerce, government, and individual internet users depend on strong security to enable communications. According to the Cybersecurity and Infrastructure Security Agency (CISA), the public safety community increasingly needs to protect critical information and sensitive data, particularly within land mobile radio (LMR) communications, and encryption is the best available tool to achieve that security.
The original Data Encryption Standard (DES) was first developed in the early 1970s, after the US government recognized a need to secure and protect more sensitive data as developing nations were increasingly keen to get their hands on this type of information.
Data encryption is meant both to protect critical information in transit and to give the user or sender of the data confidence that, if bad actors were to steal or exfiltrate that information, there is little likelihood they could actually read or interpret it.
As Generative AI (GenAI) adoption becomes more widespread, and as bad actors learn to manipulate it, it will become imperative for those looking to protect proprietary data to become superior at leveraging GenAI themselves. Those that do not adopt this technology to accelerate their encryption methodologies will inevitably become more attractive targets for data theft and encryption cracking.
Data encryption most commonly works by using an identical, or symmetric, key to encrypt and decrypt a message, so the sender and receiver must both know and use the same private key. In more technical terms, “plaintext” is converted into “ciphertext.”
According to the National Institute of Standards and Technology (NIST), the plaintext, after being transformed into ciphertext, appears random and does not reveal anything about the content of the original data. Once encrypted, no person (or machine) can discern anything about the content of the original data by reading its encrypted form.
Decryption is the process of reversing encryption so that the data is readable again. With symmetric encryption, the same key must be present for both the encryption and the decryption process. Encryption isn’t just for data moving in and out of different environments and clouds, however.
If data is encrypted and a threat actor is not in possession of the key, then the data – even though it was technically stolen – is considered useless. Data loss prevention (DLP) techniques and tools can actually search for unencrypted data on a network so that internal personnel can quickly encrypt it. This way, if exfiltrated, the data will be of no use to those looking to leverage it.
As noted above, a symmetric key is but one way to decrypt encrypted data. Let's take a deeper look at that method as well as another:
Symmetric encryption uses the same key at the encryption stage and the decryption stage. That gives it an inherent vulnerability: if a threat actor were to identify or steal the key, particularly without the original user knowing, that key could be used to decrypt the information and could potentially be leveraged for other attacks.
Asymmetric encryption addresses the issue stated above by employing two keys: one “public” and one “private.” The sender of the data encrypts with the public key, while the receiver must be in possession of the private key in order to perform decryption.
Asymmetric encryption is obviously a higher-complexity scenario to leverage; however, it’s critical to remember why encryption is being used in the first place: to maintain data security and confidentiality as information moves around, both inside and outside of a security organization or business. In today’s climate, encryption is used frequently in many applications.
There are several formats – or standards – of data encryption. It’s important to implement a standard that makes the most sense for a specific organization and its workflows.
We defined data at rest and in transit above, but how do the specific encryption protocols function for data in these different states?
Once a connection has been established and data is ready to be transmitted, it's critical to keep the data away from prying eyes and as secure as possible while it is moving. According to Google Cloud documentation, encryption in transit defends data after a connection is established and authenticated by:
Data at rest refers to data stored on some sort of medium, such as a laptop, cloud storage, USB drives, and so on. Any data sent to a cloud service should be encrypted when it is simply “sitting” in the cloud environment, as it is inherently at greater risk being in an ephemeral environment that is theoretically open to the public internet.
Encrypting at-rest data as a best practice protects it from potential system compromises or exfiltration by ensuring it is unreadable while not in use. This could also refer to archived data that has been deemed no longer useful.
Encryption has come a long way since its twentieth-century roots, and much of it can now be automated. But as Generative AI (GenAI) becomes a popular tool for threat actors – and as they make gains in the ability to brute-force their way past encryption protocols – it becomes clear there are challenges new and old to overcome.
According to CISA, vulnerabilities in key-transmission procedures are a critical challenge. The agency stipulates that Wi-Fi capabilities should be disabled while encryption-key transmission is taking place, and goes on to say that a transmission destination that "has its Wi-Fi capabilities disabled is referred to as hardened." Hardening ensures there is no inadvertent “leaking” of the encryption keys onto a wireless network where unauthorized personnel could access them.
Another challenge facing anyone looking to encrypt sensitive data is a lack of WEP/WPA access-point encryption. A weak encryption mechanism can allow an attacker to brute-force their way into a network and begin man-in-the-middle attacks. The stronger the encryption implementation, the safer.
Another major challenge of data encryption is the inherent trust placed in a cloud service provider (CSP). Typically, a CSP will maintain control over the keys, so an organization will never retain 100% control of the encryption process.
Trusting a CSP’s employees, and most likely any partners they may be leveraging, who exert control over the encryption process will always carry some liability for the company using the CSP’s services and relying on its data-encryption processes. This is why the shared responsibility model is so critical to safeguarding an organization's data.
Benefits of data encryption may seem obvious, but let's take a more in-depth look at ways businesses might benefit from adopting a strong encryption strategy.