An Introduction to File Encryption
— Howard Poston —
Cybersecurity and Blockchain Security Consultant and Trainer
Data needs to be protected against exposure and unauthorized access at all times. Protocols like TLS protect data in transit, but don’t do anything for data being stored on a machine. File encryption protects this data by encrypting all files before storing them on a computer’s hard drive or on removable media. The use of strong encryption means that it is impossible for anyone to read the data without access to the appropriate encryption key.
A file encryption solution will also implement a key management solution, which is critical to the security of the system. On the one hand, users need to be able to access these keys so that they can decrypt data and use it for legitimate purposes. On the other, attackers need to be blocked from accessing these keys, which would allow them to decrypt the files and read the data that they contain. A file encryption solution must be designed so that encryption keys are securely stored and only accessible by legitimate users.
Why Use File Encryption?
File encryption is designed to protect data at rest. The use of encryption enables an organization to protect itself against a range of potential attacks and decrease its cybersecurity risk.
User and application accounts are commonly compromised as part of cyberattacks. A cybercriminal may use phishing, credential stuffing, or other means to identify login credentials for a user account. Alternatively, exploitation of an application vulnerability may give an attacker access to an enterprise system with the same privileges as the compromised application. In these cases, organizations’ data security largely boils down to permissions management. If the compromised account has access to a particular file, so does the attacker. In the case of a compromise of a root or administrator account, this includes almost every file on the compromised system.
The use of file encryption can help to provide another line of defense against this type of attack. If a file is encrypted, the attacker needs access to the decryption key as well as the file itself. If encryption keys are well-managed, access is restricted to those who actually need them for their jobs, which is not necessarily the same group as has administrator-level permissions on a system. This provides an additional level of defense against data leaks and decreases an organization’s cyber risk.
Companies are increasingly moving sensitive data and vital applications to the cloud. While cloud-based deployments have a number of advantages over traditional on-premises data centers, they also create security concerns.
Cloud security can be very different from traditional cybersecurity, and the accessibility of the cloud from the public Internet makes the stakes of poor security even higher. As a result, the number of data breaches involving cloud storage has grown steadily with the increase in cloud adoption.
One of the most common mistakes that organizations make regarding their cloud data is failing to encrypt it. This makes the organization’s data security only as strong as the weakest link in the organization’s cloud security.
Leveraging file encryption in the cloud makes cloud data breaches much harder to perform. Even if an attacker can gain access to an organization’s cloud-based data storage, they also need access to the associated decryption keys to derive any value from the data. A file encryption solution with secure key management poses a much more challenging target.
Employees are increasingly using mobile devices for work. This trend has become more common in recent years, and the COVID-19 pandemic created an explosion in telework and the use of personal and mobile devices.
With the increased convenience of these mobile devices comes higher cybersecurity risk. A smartphone, tablet, or laptop is relatively easy to lose or have stolen in a public place. If this occurs, the thief may be able to read sensitive company data off of the device by scanning its hard drive.
File encryption protects against the threat of lost or stolen mobile devices. Each file on the machine is encrypted, and the encryption keys are stored protected by the user’s password. If an attacker doesn’t have access to this password, then they can’t read any useful data off of the stolen device.
In recent years, the regulatory compliance landscape has grown increasingly complex. In the past, organizations largely had to comply with industry-specific regulations like HIPAA and PCI DSS. In the wake of the passage of the EU’s General Data Protection Regulation (GDPR), many governments have passed their own data privacy laws as well, such as the California Consumer Privacy Act (CCPA).
While these laws vary in the details, they have a common focus on protecting consumer data. One of the common requirements is that organizations protect their customers’ data and restrict access based upon need-to-know.
File encryption enables an organization to meet both of these requirements. Encrypting files and restricting access to decryption keys based upon role requirements ensures that no-one can gain unauthorized access to sensitive data.
What to Look For in a File Encryption Solution
File encryption is a valuable tool for data security. However, implemented improperly, it can negatively impact employee productivity or lull an organization into a false sense of security. Some vital features to look for in a file encryption solution include:
- Secure Encryption:
A file encryption solution is only as secure as the encryption algorithm that it uses. For example, Ghostvolt uses AES in GCM mode.
- Granular Control:
Some encryption solutions use a single key to encrypt all data, but this forces an “all or nothing” approach to access management. A file encryption solution should support a variety of different keys, enabling access to files to be granted or denied on a per-user or per-application basis
- Usable Key Management:
File encryption is designed to protect data from unauthorized access; however, it is necessary for legitimate users to be able to access their data in order to carry out their business. For this reason, the file encryption solution’s key management system should be secure, easy to use (enabling granular key management) and highly accessible.
- Easy Sharing:
Employees within an organization need to be able to share internal documents and other files. A file encryption solution needs to make it easy for these users to add or revoke other users’ access to their documents.
Guest author Howard Poston is a cybersecurity and blockchain security consultant and trainer. You can reach Howard at firstname.lastname@example.org