Last time, we provided an overview of the AWS Virtual Private Cloud and some of its key components (see here). Now we turn our attention to a term which we hear quite often in the data security space: encryption. But what is it actually, and how is it used to protect data?
 
In this post, we’ll break down and explain the basic components of data encryption:

  1. Encryption algorithm – the set of rules by which readable data is made unreadable to protect against unauthorized usage, interception, etc. An example of a very basic encryption algorithm is taking each letter in your message and shifting it to the next letter in the alphabet – so ‘Dear Abby’ becomes ‘Efbs Bccz’. Obviously, the encryption algorithms used to protect sensitive data are much more sophisticated; a few examples of such algorithms include AES 256-bit and Blowfish 128-bit. An excellent overview of encryption basics is available here.
  2. Encryption keys – the encryption key is the secret input that determines how the algorithm transforms the data (and therefore how it can be decrypted), and it drives the inherent security level of the scheme. Two properties matter here: the encryption type (symmetric encryption, where both sender and recipient share the same key, vs. asymmetric encryption, where the sender encrypts the data with the recipient’s public key and the recipient decrypts it with the matching private key), and the bit length of the key (for example, a 256-bit key has a far larger key space than a 128-bit key and is therefore more difficult to “crack” via brute force).
  3. Key storage – if your encryption key(s) fall into the wrong hands, your encryption is essentially powerless against security threats. The “hackers” can simply apply the key to the encrypted data and make it readable again. Therefore, it’s critical that you store your keys in a place which is also secure – something like a special folder or vault which is encrypted/password-protected itself. Obviously, you’ll need to remember this “master” password, which reminds me of a funny segment from the Ellen DeGeneres show where she talks about this issue and the “password minder protector minder”…you’ll have to check it out for yourself to see what I mean.
  4. Key rotation – not only do you have to store your keys securely, you should also “rotate” them periodically (this is a fancy term for changing them). Key rotation ensures that even if someone intercepts your key, they have a limited window of time during which they can use it to gain access to your data. A good rule of thumb is to rotate encryption keys annually, and all other passwords/keys every 90 days (sounds daunting, I know…but a tool such as LastPass can be very helpful in managing that complexity).
  5. Encryption candidates – what do you actually need to encrypt? At a high level, this really breaks down into 2 categories – data in transit and data at rest. Encryption applied to data in transit provides assurance that the communication between sender and recipient cannot be read if intercepted, and also verifies the identity of the intended recipient. Encryption applied to data at rest protects against security breaches in cases where the physical disk containing the data is removed from the data center.
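To make the algorithm-vs-key distinction from items 1 and 2 concrete, here is the letter-shift cipher from above in code (an added example, not part of the original post): the shift rule is the algorithm, the shift amount is the key, and trying all 26 keys shows why such a small key space offers no protection compared with a 128- or 256-bit key. The guess rate used for the work-factor estimate is a constructed assumption, not a measured figure.

```python
import string

ALPHABET_SIZE = len(string.ascii_lowercase)  # 26 letters


def shift_encrypt(plaintext: str, key: int) -> str:
    """The algorithm: move every letter forward by `key` positions.
    The key is the only secret; non-letters are left untouched and case is preserved."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same algorithm run with the inverse key (symmetric encryption)."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, known_word: str) -> list:
    """Exhaust the whole key space (26 keys) and return every key that yields
    the expected word; this is why the algorithm in the post is only a teaching example."""
    return [k for k in range(ALPHABET_SIZE) if known_word in shift_decrypt(ciphertext, k)]


def brute_force_years(key_bits: int, guesses_per_second: float = 1e12) -> float:
    """Years needed to try every key of a `key_bits`-bit key at a constructed
    (hypothetical) rate of one trillion guesses per second."""
    seconds_per_year = 365 * 24 * 3600
    return 2 ** key_bits / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    secret = shift_encrypt("Dear Abby", 1)
    print(secret)                                   # Efbs Bccz
    print(brute_force(secret, "Dear"))              # [1] -- key recovered instantly
    for bits in (128, 256):
        print(f"{bits}-bit key: ~{brute_force_years(bits):.3g} years to exhaust")
```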

This one was short and sweet. Please come back next time to get to the good stuff – the part where it all comes together with best practices, tips and tricks – many learned “the hard way” from experience!