encryption-security

6 June 2024

Drawing upon our extensive Cloud security expertise, we've put together a set of helpful articles covering security best practices that are really important on different subjects. In today's article, we will introduce 5 best practices for encryption operations.

Why is encryption one of the core concepts of cybersecurity?

Cybersecurity is defined by three key points: confidentiality (data is kept secret or private), integrity (no alteration by unauthorized users), and availability (ensuring reliable access to and use of information).

Encryption is the process of turning readable data into unreadable data. It is the most critical process for safeguarding sensitive information.

Cryptography's different mechanisms enable encryption to ensure confidentiality and integrity. Here, we will explore five best practices every cybersecurity engineer should follow to implement the correct encryption workflow.

How can you follow the best practices for encryption?

The best way to have a robust encryption process is to choose the most known and used algorithms, which have been very challenging. You should also cipher all your data at rest and in transit, whether inside or outside your private network.

Encryptions are made using keys that must be well protected and managed according to best practices. Finally, you must alert your employees about the recommendations to ensure secure key and password usage.

I have an encryption implementation suited to my needs

Our Recommendations: To start, following best practices for an encryption strategy that aligns with your organization's unique requirements is essential. You will need to choose the size of the keys, the algorithm used, the operating methods, and the libraries for implementation.

The choice of the algorithm type will depend on what you want to do. For example, if you want to encrypt stored data, you must use symmetric algorithms as they are faster than asymmetric ones. The asymmetric algorithms can be used to exchange keys.

The difference between symmetric and asymmetric algorithms is that symmetric algorithms use the same key to encrypt and decipher data, while asymmetric algorithms use a pair of keys: a private one that only the owner has (used to decipher data) and a public one used to encrypt data and that can be shared, as its name suggests.

Then, you must follow the implementation recommendations for each algorithm to set up the keys.

  • In a symmetric algorithm, you need to use keys of at least 128 bits in length and a block encryption flow, as this is more robust to attacks. For example, the most famous algorithm implementation for symmetric encryption is AES. There are different possible usage modes for this algorithm, but the ones recommended to use are the following: CounTeR (CTR), Cipher Feedback Block (CFB), and Output Feedback (OFB).
  • In an asymmetric algorithm, the size of the keys must be at least 3072 bits by the end of 2030. If the key is that strong, it is because quantum computing can easily break the most famous asymmetric algorithm: RSA. If you use this algorithm, you must use the most prominent option to fit the requirements. However, the computation time and complexity increase a lot depending on the size of the key.
    To address this problem, the NIST (National Institute of Standards and Technology) chose four different algorithms to replace RSA: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+ which are quantum attacks durable and faster than RSA.

To implement the algorithms, you will need to use a library. This is a very sensitive point as you have to choose one that ensures operations are correctly computed and there is no side-channel leakage (such as timing or power leakages) that could lead to key recovery. That’s why you must choose recommended libraries such as OpenSSL or Network Security service.

Risks addressed by the recommendation:

  • Inadequate Protection: An encryption strategy that doesn't match your needs may leave critical data inadequately protected, exposing it to potential threats. Cryptography ensures your data protection. If you use weak configurations, an attacker could recover the information.
  • Resource Wastage: Overly complex encryption can consume unnecessary resources and hinder system performance. Overprotecting some data may increase latency and process computations. This will impact performances.

When following best practices for encryption implementation, consider classifying your data into categories based on sensitivity. This will help tailor your encryption efforts to the specific needs of each data type.

I have encryption for data in transit

Our Recommendation: Data in transit is data transmitted over a network. It must always be encrypted.

To do so, use secure protocols like HTTPS, FTPS, or SSH for network traffic. These protocols implement cryptographic protocols such as TLS. This will create a secure channel between the client and server. Data will not be read during the exchange between the sender and receiver.

It enables protection against famous man-in-the-middle attacks—attacks where the hacker listens to the network to try to exchange data. If the data is not encrypted, it will be readable. That’s why ciphering transited data is recommended even inside a private network. If a hacker is inside the network, it will not be able to get anything as clear data.

The most recommended protocol to use is TLS in version 1.3. Version 1.2 is still accepted, but the other versions (v1.0 and v1.1) are deprecated and defined as not secure. SSLv2 and SSLv3 are also defined as not secure.

It is recommended to use virtual private networks (VPNs) to connect to a private network. This will enable the creation of a secure and encrypted channel to the private network, so you will access it remotely as if you were physically present.

However, this might be costly, and you might be interested in a bastion solution. This is a solution where you connect using SSH to a virtual machine. It works as a ssh rebound and redirects the traffic to the private network.

Cloud providers can encrypt data in transit by using the following services: AWS Certificate Manager (ACM), Azure Key Vault, and Google Cloud VPN. In Kubernetes, you can add a service mesh that provides TLS (such as Istio) or use Cert-Manager to manage your certificates.

Risks addressed by the recommendation:

  • Eavesdropping: Without encryption, data transmitted over networks, whether public or private, can be intercepted by malicious actors. Eavesdroppers can capture sensitive information, such as login credentials, personal data, or intellectual property, leading to data breaches and potential misuse.
  • Data Interception: Intercepted data can be modified or stolen during transmission. Attackers may alter the data to introduce malicious content, inject malware, or manipulate financial transactions. This can lead to financial losses and damage to your organization's reputation.
  • Data Tampering: Not-cipher data is vulnerable to tampering during transit. Attackers can modify the data in transit to execute unauthorized actions or cause disruptions. This can result in corrupted data, inaccurate transactions, or system compromises.

Encrypting data in transit is especially critical for securing communication channels, preventing eavesdropping, and maintaining the privacy of sensitive information.

I have encryption for data at rest

Our Recommendation: Data at rest is data stored in databases that does not move through the network. The best practice here is to ensure that data is encrypted when it's at rest within your infrastructure.

To achieve this, you first need to use full disk encryption (FDE), which enables you to encrypt the entire content of a device. This can be done using tools such as Luks. There are some scenarios where a storage device can be lost or stolen. In the case of an encrypted device, the data cannot be read and are confidential. To get the explicit content of the device, it needs to be unlocked using a password.

Another good practice is to use file-level encryption (FLE), which enables the encryption of some folders or files on a device or a drive. It enables a finer-granulated control of data access. The best practice is to use both FDE and FLE.

For data at rest, you should prioritize encrypting your most sensitive data before storing it in the cloud. This includes financial records, intellectual property, and sensitive and personal data. Encrypting your most critical data before storage creates an additional security barrier, making it significantly harder for unauthorized parties to access and exploit valuable information.

Most cloud providers offer encryption services that can be enabled for your storage solutions, such as databases and object storage, as it is a best practice. You can choose the algorithm to use and create a key stored in your key management system.

Risks addressed by the recommendation:

  • Unauthorized Access: Encrypting data at rest safeguards it from unauthorized access, whether physically or virtually compromised.
  • Data Breaches: Data breaches can occur if a cybercriminal manages to infiltrate your organization's network. Without encryption, the attacker can read sensitive data, leading to data breaches that can result in financial losses, legal consequences, and damage to your organization's reputation.
  • Data Theft or Loss: When data is stored in physical devices like hard drives without encryption, it becomes vulnerable to theft or loss. If a malicious actor or unauthorized individual gains physical access to these storage media, they can easily access it.
  • Non-Compliance with Data Protection Regulations: Many data protection regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), mandate encryption to protect sensitive data. Failing to encrypt data at rest can result in non-compliance and legal consequences.

Encrypting data at rest provides additional protection, ensuring that your data remains confidential, even when it's not actively in use.

I follow strict and strong key management practices

Our Recommendation: Implementing a robust key management system is also a best practice, ensuring that encryption keys are stored securely. To do so, you will need to check the following points :

You might have hundreds or thousands of keys, which can become a massive problem to manage. That’s why you need to get them in a centralized storage. This could be a third-party (more straightforward to manage) stored in-house, such as Vault. These keys must also be stored apart from your encrypted data, so if there is a data breach, your keys are not affected.

You should also get a hardware security module (HSM) for the key storage. It is a dedicated hardware device or appliance designed to securely generate, store, manage cryptographic keys, and perform cryptographic operations. It assures strong physical and software protections.

However, this should only be used on Public Key Infrastructures, Crypto Wallet and very sensitive data as it is challenging to manage and expensive (especially if used outside a cloud provider).

Then, you should add access control on the keys. Using IAM roles, for example, you can add granulated access to the keys and define who can access which key. This is a fundamental principle of key management.

An important point would be to add access logs to keys. The logs can detail the keys' creation, deletion, and last access time. They also give information about who accessed them and the operations made. This ensures compliance with specific standards and facilitates the investigation of compromised keys.

The last thing to implement to follow best practices for encryption is lifecycle key management. You need to create a rotation key policy. Even if this can impact the performance of your services, compromised keys will not be usable anymore. The key is rotated, or the keys that are not used anymore must be deleted permanently.

Risks addressed by the recommendation:

  • Key Compromise: One of the most significant risks is the compromise of encryption keys. If they fall into the wrong hands, attackers can decipher sensitive data, compromising its confidentiality.
  • Data Accessibility: Inadequate key management can lead to accessibility issues. If encryption keys are lost, misplaced, or inaccessible when needed, authorized personnel may struggle to access and decipher essential data.

Strict key management practices are the main point of effective encryption. Safeguarding those is as critical as encrypting the data itself.

Employees are aware of the best practices for key management

Our Recommendation: Educate your organization's employees, including non-technical staff, about best practices for key management and data security. Awareness training can help prevent accidental security breaches. These are recommendations that you should tell your co-workers.

Explain that the authentication keys should not be shared using a text file or on-channel conversations. They should be transmitted using dead drops or encrypted messages (using GPG keys, for example).

A firm password policy to unlock keys must be applied with at least 12 chars, including 1 special char, 1 uppercase, and 1 number. But it’s tough to remember such a password and not forget it. That’s why your co-workers should use password management software.

Finally, there are other basic behaviors to avoid, such as using keys on shared computers or not activating multi-factor authentication when possible.

To raise their awareness, you should organize regular workshops or meetings to remind people of the good practices and the last threats they could face. Implementing a phishing simulation to train your employees to be aware could be interesting.

Risks addressed by the recommendation:

  • Internal Threats: Intentionally or unintentionally, employees can significantly threaten data security. When they lack awareness of key management best practices, they may inadvertently compromise encryption keys or sensitive data, leading to internal security breaches.
  • Social Engineering: Attackers often employ social engineering tactics to manipulate employees into revealing sensitive information, including encryption keys. When employees are unaware of best practices for key management, they are more susceptible to social engineering attacks.

Provide regular training and resources to help employees understand the importance of key management and encryption practices and encourage a security culture within your organization.

Conclusion

By following the best practices presented in this article, you can significantly reduce the risk of poor encryption implementation and encryption key leakage, improving the overall security of your infrastructure.