Cybersecurity is defined by three key points: confidentiality (data is kept secret or private), integrity (no alteration by unauthorized users), and availability (ensuring reliable access to and use of information).
Encryption is the process of turning readable data into unreadable data. It is the most critical process for safeguarding sensitive information.
Cryptography's different mechanisms enable encryption to ensure confidentiality and integrity. Here, we will explore five best practices every cybersecurity engineer should follow to implement the correct encryption workflow.
The best way to have a robust encryption process is to choose the most known and used algorithms, which have been very challenging. You should also cipher all your data at rest and in transit, whether inside or outside your private network.
Encryptions are made using keys that must be well protected and managed according to best practices. Finally, you must alert your employees about the recommendations to ensure secure key and password usage.
Our Recommendations: To start, following best practices for an encryption strategy that aligns with your organization's unique requirements is essential. You will need to choose the size of the keys, the algorithm used, the operating methods, and the libraries for implementation.
The choice of the algorithm type will depend on what you want to do. For example, if you want to encrypt stored data, you must use symmetric algorithms as they are faster than asymmetric ones. The asymmetric algorithms can be used to exchange keys.
The difference between symmetric and asymmetric algorithms is that symmetric algorithms use the same key to encrypt and decipher data, while asymmetric algorithms use a pair of keys: a private one that only the owner has (used to decipher data) and a public one used to encrypt data and that can be shared, as its name suggests.
Then, you must follow the implementation recommendations for each algorithm to set up the keys.
To implement the algorithms, you will need to use a library. This is a very sensitive point as you have to choose one that ensures operations are correctly computed and there is no side-channel leakage (such as timing or power leakages) that could lead to key recovery. That’s why you must choose recommended libraries such as OpenSSL or Network Security service.
Risks addressed by the recommendation:
When following best practices for encryption implementation, consider classifying your data into categories based on sensitivity. This will help tailor your encryption efforts to the specific needs of each data type.
Our Recommendation: Data in transit is data transmitted over a network. It must always be encrypted.
To do so, use secure protocols like HTTPS, FTPS, or SSH for network traffic. These protocols implement cryptographic protocols such as TLS. This will create a secure channel between the client and server. Data will not be read during the exchange between the sender and receiver.
It enables protection against famous man-in-the-middle attacks—attacks where the hacker listens to the network to try to exchange data. If the data is not encrypted, it will be readable. That’s why ciphering transited data is recommended even inside a private network. If a hacker is inside the network, it will not be able to get anything as clear data.
The most recommended protocol to use is TLS in version 1.3. Version 1.2 is still accepted, but the other versions (v1.0 and v1.1) are deprecated and defined as not secure. SSLv2 and SSLv3 are also defined as not secure.
It is recommended to use virtual private networks (VPNs) to connect to a private network. This will enable the creation of a secure and encrypted channel to the private network, so you will access it remotely as if you were physically present.
However, this might be costly, and you might be interested in a bastion solution. This is a solution where you connect using SSH to a virtual machine. It works as a ssh rebound and redirects the traffic to the private network.
Cloud providers can encrypt data in transit by using the following services: AWS Certificate Manager (ACM), Azure Key Vault, and Google Cloud VPN. In Kubernetes, you can add a service mesh that provides TLS (such as Istio) or use Cert-Manager to manage your certificates.
Risks addressed by the recommendation:
Encrypting data in transit is especially critical for securing communication channels, preventing eavesdropping, and maintaining the privacy of sensitive information.
Our Recommendation: Data at rest is data stored in databases that does not move through the network. The best practice here is to ensure that data is encrypted when it's at rest within your infrastructure.
To achieve this, you first need to use full disk encryption (FDE), which enables you to encrypt the entire content of a device. This can be done using tools such as Luks. There are some scenarios where a storage device can be lost or stolen. In the case of an encrypted device, the data cannot be read and are confidential. To get the explicit content of the device, it needs to be unlocked using a password.
Another good practice is to use file-level encryption (FLE), which enables the encryption of some folders or files on a device or a drive. It enables a finer-granulated control of data access. The best practice is to use both FDE and FLE.
For data at rest, you should prioritize encrypting your most sensitive data before storing it in the cloud. This includes financial records, intellectual property, and sensitive and personal data. Encrypting your most critical data before storage creates an additional security barrier, making it significantly harder for unauthorized parties to access and exploit valuable information.
Most cloud providers offer encryption services that can be enabled for your storage solutions, such as databases and object storage, as it is a best practice. You can choose the algorithm to use and create a key stored in your key management system.
Risks addressed by the recommendation:
Encrypting data at rest provides additional protection, ensuring that your data remains confidential, even when it's not actively in use.
Our Recommendation: Implementing a robust key management system is also a best practice, ensuring that encryption keys are stored securely. To do so, you will need to check the following points :
You might have hundreds or thousands of keys, which can become a massive problem to manage. That’s why you need to get them in a centralized storage. This could be a third-party (more straightforward to manage) stored in-house, such as Vault. These keys must also be stored apart from your encrypted data, so if there is a data breach, your keys are not affected.
You should also get a hardware security module (HSM) for the key storage. It is a dedicated hardware device or appliance designed to securely generate, store, manage cryptographic keys, and perform cryptographic operations. It assures strong physical and software protections.
However, this should only be used on Public Key Infrastructures, Crypto Wallet and very sensitive data as it is challenging to manage and expensive (especially if used outside a cloud provider).
Then, you should add access control on the keys. Using IAM roles, for example, you can add granulated access to the keys and define who can access which key. This is a fundamental principle of key management.
An important point would be to add access logs to keys. The logs can detail the keys' creation, deletion, and last access time. They also give information about who accessed them and the operations made. This ensures compliance with specific standards and facilitates the investigation of compromised keys.
The last thing to implement to follow best practices for encryption is lifecycle key management. You need to create a rotation key policy. Even if this can impact the performance of your services, compromised keys will not be usable anymore. The key is rotated, or the keys that are not used anymore must be deleted permanently.
Risks addressed by the recommendation:
Strict key management practices are the main point of effective encryption. Safeguarding those is as critical as encrypting the data itself.
Our Recommendation: Educate your organization's employees, including non-technical staff, about best practices for key management and data security. Awareness training can help prevent accidental security breaches. These are recommendations that you should tell your co-workers.
Explain that the authentication keys should not be shared using a text file or on-channel conversations. They should be transmitted using dead drops or encrypted messages (using GPG keys, for example).
A firm password policy to unlock keys must be applied with at least 12 chars, including 1 special char, 1 uppercase, and 1 number. But it’s tough to remember such a password and not forget it. That’s why your co-workers should use password management software.
Finally, there are other basic behaviors to avoid, such as using keys on shared computers or not activating multi-factor authentication when possible.
To raise their awareness, you should organize regular workshops or meetings to remind people of the good practices and the last threats they could face. Implementing a phishing simulation to train your employees to be aware could be interesting.
Risks addressed by the recommendation:
Provide regular training and resources to help employees understand the importance of key management and encryption practices and encourage a security culture within your organization.
By following the best practices presented in this article, you can significantly reduce the risk of poor encryption implementation and encryption key leakage, improving the overall security of your infrastructure.