What is Data Encryption?

Data encryption is a means of protecting data from unauthorized access or use. Businesses, governments, and individual internet users depend on strong security to enable communications. According to the Cybersecurity and Infrastructure Security Agency (CISA), the public safety community increasingly needs to protect critical information and sensitive data, particularly within land mobile radio (LMR) communications, and encryption is the best available tool to achieve that security.

The original Data Encryption Standard (DES) was first developed in the early 1970s and adopted as a U.S. federal standard in 1977, as the U.S. government recognized the need to protect its more sensitive data from other nations and other parties increasingly eager to obtain it.

Data encryption both protects critical information in transit and gives users and data senders confidence that, if bad actors were to steal or exfiltrate that information, there is little likelihood they would actually be able to read or interpret it.

As Generative AI (GenAI) adoption becomes more widespread, and as bad actors learn to manipulate and misuse it, it will become imperative for those wishing to protect proprietary data to understand how GenAI changes the threat landscape. Note that GenAI does not weaken sound cryptography: a correctly implemented modern cipher such as AES, used with a properly generated and protected key, is not broken by larger or smarter models. The realistic risk is that AI-assisted attackers find and exploit weak keys, misconfigurations and key-handling mistakes faster, so companies that neglect encryption and key management will inevitably become more attractive targets for data theft.

How Does Data Encryption Work? 

At its core, data encryption converts readable "plaintext" into "ciphertext" using a cipher and a key. In the most common case the same, or symmetric, key is used both to encrypt and to decrypt a message, so the sender and receiver must both hold the identical secret key and keep it private.

According to the National Institute of Standards and Technology (NIST), the plaintext, after being transformed into ciphertext, appears random and does not reveal anything about the content of the original data. Once encrypted, no person (or machine) can discern the original content by reading its encrypted form alone; the key is required.

Decryption reverses encryption so that the data is readable again; with a symmetric cipher the same key must be present for both the encryption and the decryption process. Encryption is not limited to data moving between environments and clouds. It applies to data in two states:

  • Data in transit: data moving between two endpoints, onto and off of a cloud environment, between multiple destinations on an internal network, and so on.
  • Data at rest: data held on storage media such as hard drives, flash drives, databases and object stores, and the endpoints on which sensitive data is stored "at rest."

If data is encrypted and a threat actor is not in possession of the key, then the data, even though it was technically stolen, is useless to them. Data loss prevention (DLP) technologies and tools can search the network for unencrypted sensitive data so that insiders can encrypt it quickly. This way, if exfiltrated, the data will be of no use to those looking to leverage it.
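The symmetric round trip described in this section, written out in Go as an added example (it is not code from the original page). It uses AES-256-GCM from Go's standard library, a random 32-byte key and a constructed sample record; the names NewKey, Encrypt, Decrypt and Demo are this example's own. GCM is an authenticated mode, so the block also shows what the text implies but does not spell out: decryption with the wrong key, or of a tampered ciphertext, is rejected outright rather than producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key for AES-256-GCM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt turns plaintext into ciphertext under key and returns
// nonce || ciphertext || authentication tag. GCM both encrypts and
// authenticates, so any change to the output is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every message. Reusing a nonce under the
	// same key destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or a modified ciphertext,
// it returns an error instead of silently returning garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Demo checks the properties described in the text on a constructed record:
// the ciphertext does not contain the plaintext, the right key recovers it,
// and the wrong key or a flipped ciphertext bit is rejected. It returns true
// only if all four checks hold.
func Demo() (bool, error) {
	plaintext := []byte("account=4111-1111-1111-1111 balance=1200.00") // constructed sample
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return false, err
	}
	hidden := !bytes.Contains(blob, plaintext)

	recovered, err := Decrypt(key, blob)
	if err != nil {
		return false, err
	}
	roundTrip := bytes.Equal(recovered, plaintext)

	wrongKey, err := NewKey()
	if err != nil {
		return false, err
	}
	_, errWrongKey := Decrypt(wrongKey, blob)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, errTampered := Decrypt(key, tampered)

	return hidden && roundTrip && errWrongKey != nil && errTampered != nil, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("all checks passed:", ok, "error:", err)
}
```

Run it with `go run`; Demo reports true only when all four properties hold. The nonce is stored in front of the ciphertext because it is not secret; the key is the only thing that must be protected.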

Types of Data Encryption

As noted above, a symmetric key is only one way to control who can decode encrypted data. Let's take a deeper look at that method and at its alternative:

Symmetric Encryption

This type of encryption uses the same key at the encryption stage and the decryption stage. That creates an inherent weakness: the key has to be shared with every party that needs to decrypt, and if a threat actor identifies or steals it, especially without the original user's knowledge, the key can be used to decrypt the information and potentially to mount further attacks.

Asymmetric Encryption

This type of encryption addresses the issue stated above by employing two mathematically linked keys, one "public" and one "private." The sender encrypts with the recipient's public key, which can be distributed freely, while only the holder of the matching private key can perform decryption.

Asymmetric encryption is more complex to deploy and far slower than symmetric encryption, so in practice it is usually used to exchange or wrap a symmetric key (hybrid encryption) rather than to encrypt bulk data. Either way, it is important to remember why encryption is applied in the first place: to maintain the confidentiality of data as it moves inside and outside a secured organization or enterprise. In today's climate, encryption is used frequently in many applications.
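The public-key exchange described above, in Go, as an added example that is not part of the original page. It uses RSA-2048 with OAEP padding from the standard library; the names Bob and Eve, the label value and the function names are assumptions of this example. It also shows the practical limit the text leaves out: a single RSA-OAEP operation can carry only a short message (190 bytes for a 2048-bit key with SHA-256), which is why RSA in practice wraps a symmetric key rather than encrypting bulk data.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is optional context bound into the ciphertext; sender and
// receiver must agree on it. The value is an assumption of this example.
var oaepLabel = []byte("data-encryption-example")

// GenerateKeyPair creates a 2048-bit RSA key pair. The public half can be
// handed to anyone; the private half never leaves the recipient.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForRecipient needs only the recipient's public key. RSA-OAEP with
// SHA-256 limits one message to 190 bytes for a 2048-bit key; anything
// longer is rejected with rsa.ErrMessageTooLong.
func EncryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, oaepLabel)
}

// DecryptAsRecipient needs the matching private key.
func DecryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
}

// Demo models the exchange: a sender holding only Bob's public key encrypts
// a message, Bob decrypts it, and Eve, who holds a different private key,
// cannot. It also shows that OAEP padding is randomized, so encrypting the
// same message twice yields different ciphertexts.
func Demo() (bool, error) {
	bob, err := GenerateKeyPair()
	if err != nil {
		return false, err
	}
	eve, err := GenerateKeyPair()
	if err != nil {
		return false, err
	}
	msg := []byte("wire transfer approved: ref 20240314-07") // constructed sample

	ct1, err := EncryptForRecipient(&bob.PublicKey, msg)
	if err != nil {
		return false, err
	}
	ct2, err := EncryptForRecipient(&bob.PublicKey, msg)
	if err != nil {
		return false, err
	}
	randomized := !bytes.Equal(ct1, ct2)

	got, err := DecryptAsRecipient(bob, ct1)
	if err != nil {
		return false, err
	}
	bobReads := bytes.Equal(got, msg)

	// Eve's private key does not match Bob's public key, so OAEP unpadding fails.
	_, eveErr := DecryptAsRecipient(eve, ct1)
	eveBlocked := eveErr != nil

	return randomized && bobReads && eveBlocked, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("asymmetric checks passed:", ok, "error:", err)
}
```

Because the public key is not secret, it can be published or embedded in a certificate; the only secret the recipient has to protect is the private key, which is what removes the key-sharing problem of the symmetric case.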

Data Encryption St和ards

There are several formats, or standards, of data encryption. It is important to implement the one that makes the most sense for a particular organization and its workflows.

  • Data Encryption Standard (DES): This standard specifies a cryptographic algorithm, originally intended to be implemented in electronic hardware devices, for protecting computer data. Its 56-bit effective key was exhaustively searched in public by 1998, and DES is no longer considered secure.
  • Triple Data Encryption Algorithm (3DES): This standard is an improved version of DES that uses three independent 64-bit keys. By applying the DES algorithm three times in sequence with three different keys, 3DES simply enlarges the effective key size of DES; it keeps DES's 64-bit block size, however, and NIST has deprecated it.
  • Advanced Encryption Standard (AES): This standard is a symmetric-key block cipher for encrypting and decrypting data in 128-bit blocks with 128-, 192- or 256-bit keys, built on a Substitution-Permutation Network (SPN). It is the default choice for new systems.
  • Rivest-Shamir-Adleman (RSA): This standard is named for the initials of the inventors of the system. Four steps are incorporated in this asymmetric algorithm: key generation, key distribution, encryption and decryption. It is widely considered the most well-known public-key cryptography system in the world.
  • Twofish encryption: This standard is a symmetric block cipher that supports keys as long as 256 bits; since it uses a symmetric format, data is encrypted and decrypted with the same key. Owing to its large key size and conservative design it is considered extremely secure and difficult to break, although AES is far more widely deployed.
  • RC4 encryption: This standard is a "stream" cipher, meaning it processes data one byte at a time. It is considered one of the weaker encryption standards, particularly after notable vulnerabilities were discovered in the early 2000s, and it has since been prohibited in TLS (RFC 7465).
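An added example (not from the original page) that makes the DES/3DES relationship in the list above concrete using Go's crypto/des and crypto/aes packages. The keys and the sample block are constructed, and the function names are this example's own. It shows that 3DES keyed with the same key three times collapses to plain DES (the encrypt-decrypt-encrypt construction was designed for that backward compatibility), that three independent keys actually change the result, and that AES's block is twice as wide as DES's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// encryptBlock runs one raw block through c. Raw single-block encryption is
// used here only to compare the primitives; real systems wrap the block
// cipher in an authenticated mode such as GCM.
func encryptBlock(c cipher.Block, in []byte) []byte {
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, in)
	return out
}

// tripleKey builds the 24-byte 3DES key K1 || K2 || K3.
func tripleKey(k1, k2, k3 []byte) []byte {
	key := make([]byte, 0, 24)
	key = append(key, k1...)
	key = append(key, k2...)
	return append(key, k3...)
}

// TripleDESCollapsesToDES returns true when 3DES keyed with K1=K2=K3
// produces exactly the single-DES ciphertext for the same key: in the
// EDE construction the middle decryption undoes the first encryption.
func TripleDESCollapsesToDES(k, block []byte) (bool, error) {
	single, err := des.NewCipher(k)
	if err != nil {
		return false, err
	}
	triple, err := des.NewTripleDESCipher(tripleKey(k, k, k))
	if err != nil {
		return false, err
	}
	return bytes.Equal(encryptBlock(single, block), encryptBlock(triple, block)), nil
}

// TripleDESWithIndependentKeysDiffers returns true when three distinct keys
// give a ciphertext different from single DES under K1, i.e. the extra keys
// actually change the result.
func TripleDESWithIndependentKeysDiffers(k1, k2, k3, block []byte) (bool, error) {
	single, err := des.NewCipher(k1)
	if err != nil {
		return false, err
	}
	triple, err := des.NewTripleDESCipher(tripleKey(k1, k2, k3))
	if err != nil {
		return false, err
	}
	return !bytes.Equal(encryptBlock(single, block), encryptBlock(triple, block)), nil
}

// BlockSizes returns the block size in bytes of DES, 3DES and AES-256.
// 3DES inherits DES's 8-byte block; AES uses 16 bytes, which is what keeps
// long streams of data clear of the birthday-bound attacks on 64-bit blocks.
func BlockSizes() (desBlock, tripleDESBlock, aesBlock int, err error) {
	d, err := des.NewCipher(make([]byte, 8))
	if err != nil {
		return 0, 0, 0, err
	}
	t, err := des.NewTripleDESCipher(make([]byte, 24))
	if err != nil {
		return 0, 0, 0, err
	}
	a, err := aes.NewCipher(make([]byte, 32))
	if err != nil {
		return 0, 0, 0, err
	}
	return d.BlockSize(), t.BlockSize(), a.BlockSize(), nil
}

func main() {
	// constructed sample keys (8 bytes each, as DES requires) and one 8-byte block
	k1 := []byte("key-one!")
	k2 := []byte("key-two!")
	k3 := []byte("key-thr3")
	block := []byte("8 bytes!")
	same, _ := TripleDESCollapsesToDES(k1, block)
	diff, _ := TripleDESWithIndependentKeysDiffers(k1, k2, k3, block)
	d, t, a, _ := BlockSizes()
	fmt.Printf("3DES(K,K,K)==DES(K): %v  3DES(K1,K2,K3)!=DES(K1): %v  block bytes DES=%d 3DES=%d AES=%d\n",
		same, diff, d, t, a)
}
```

The collapse property is exactly why a 3DES key with repeated components must never be treated as stronger than DES: key-management code that accepts a 24-byte key should check that the three components differ.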

In-Transit vs. At-Rest Encryption

We defined data at rest 和 in transit above, but how do the specific encryption protocols function for data in these different states?

Data Encryption in Transit

Once a connection has been established and data is ready to be transmitted, it is essential to keep the data away from prying eyes and as secure as possible while it moves. According to Google Cloud documentation, encryption in transit protects data after a connection is established and authenticated by:

  • Removing the need to trust the lower layers of the network, which are commonly provided by third parties
  • Reducing the potential attack surface
  • Preventing attackers from accessing data if communications are intercepted
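The in-transit protections listed above, demonstrated in Go as an added example (not code from the original page or from Google Cloud). It starts a loopback HTTPS server with a self-signed certificate generated by net/http/httptest, then connects twice: once with a client that trusts that certificate and once with an empty trust store. The payload string, the Result type and the function names are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result captures what a client observes for a trusted and an untrusted connection.
type Result struct {
	Body         string // payload read over the authenticated, encrypted channel
	TLSVersion   uint16 // negotiated protocol version (0x0303 = TLS 1.2, 0x0304 = TLS 1.3)
	UntrustedErr error  // handshake error when the server's certificate is not trusted
}

// startServer starts a loopback HTTPS server. httptest generates a
// self-signed certificate for 127.0.0.1, standing in for a CA-issued one.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "confidential payload") // constructed sample
	}))
}

// fetch performs a GET with a client that trusts exactly the roots in pool
// and refuses anything below TLS 1.2.
func fetch(url string, pool *x509.CertPool) (string, uint16, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	return string(body), resp.TLS.Version, nil
}

// Demo shows both halves of encryption in transit: a client that trusts the
// server's certificate gets an encrypted, authenticated channel, while a
// client with an empty trust store fails the handshake before any
// application data is exchanged.
func Demo() (Result, error) {
	srv := startServer()
	defer srv.Close()

	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	body, version, err := fetch(srv.URL, trusted)
	if err != nil {
		return Result{}, err
	}

	// Empty pool: the same server now looks like an impostor to this client.
	_, _, untrustedErr := fetch(srv.URL, x509.NewCertPool())
	return Result{Body: body, TLSVersion: version, UntrustedErr: untrustedErr}, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("body=%q tls=0x%04x untrusted-error=%v err=%v\n", r.Body, r.TLSVersion, r.UntrustedErr, err)
}
```

The untrusted client fails during the handshake, which is the practical meaning of the third bullet: an intercepting device that cannot present a certificate the client trusts never gets to see application data. Setting MinVersion is the counterpart for the first two bullets, since a downgrade to an old protocol version is one way a hostile lower layer would try to widen the attack surface.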

Data Encryption at Rest

Data at rest refers to data stored on some sort of medium, such as a laptop, cloud storage, a USB drive, and so on. Any data sent to a cloud service should be encrypted while it simply "sits" in the cloud environment, because a shared environment that is, in theory, reachable from the public internet inherently faces greater risk.

Encrypting data at rest is a best practice that protects against a potential system compromise or leak by ensuring the data is unreadable when not in use. This also covers archived data that has been deemed no longer useful but is still retained.

Challenges of Data Encryption

Encryption has come a long way since its twentieth-century roots, and much of it can now be automated. But as Generative AI (GenAI) becomes a popular tool for threat actors, and as their capacity to brute-force weak passwords and keys improves, it is clear that there are new and old challenges to overcome.

According to CISA, vulnerabilities in key transmission procedures are a critical challenge. The agency advises that Wi-Fi functionality be disabled on devices while encryption keys are being transferred. It goes on to say that a transfer destination with Wi-Fi disabled is described as "hardened." Hardening ensures that encryption keys are not inadvertently "leaked" onto a wireless network where unauthorized personnel could access them.

Another challenge for anyone wishing to encrypt sensitive data is weak or absent encryption on wireless access points; WEP in particular is broken and should not be relied on. Weak encryption mechanisms can let attackers force their way onto a network and begin man-in-the-middle attacks. The stronger the encryption implementation, the safer.

Another major challenge of data encryption is the inherent trust placed in a cloud service provider (CSP). Typically, a CSP maintains control over the keys, so an organization never retains 100% control of the encryption process unless it uses the provider's customer-managed or external key management options.

Trusting a CSP's staff, and any partners they may rely on, to exercise control over the encryption process always places some responsibility on the companies that use the CSP's services and rely on its data encryption. This is why the shared responsibility model is so critical to safeguarding an organization's data.

Benefits of Data Encryption

The benefits of data encryption may seem obvious, but let's take a deeper look at the ways a business can benefit from adopting a strong encryption strategy.

  • Ensuring data unreadability: As noted above, if stolen data was strongly encrypted and the key was not stolen with it, there is little chance it will ever be readable or nefariously leveraged.
  • Staying compliant: Adhering to local and national regulatory standards is critical, and encryption and key management (EKM) is an important part of guidance from bodies such as the Cloud Security Alliance.
  • Creating a proactive culture: Encrypting data is a proactive tool that can often be automated up front as a layer of protection against malicious actors. Doing so consistently helps foster a proactive security culture that ultimately benefits everyone.
  • Enabling hiring of remote workers: Encryption can greatly ease security concerns about large volumes of sensitive or proprietary data moving into and out of the cloud, which is exactly how remote workers operate.

Read More

Data Protection: Latest Rapid7 Blog Posts