From Edward Snowden to Anthem Healthcare, data security has been a hot-button topic the past couple of years. But between politics and personal data, one thing tying these two massive breaches together is encryption — or lack thereof.
Encryption is effectively scrambling up information and making it only decipherable with a key. This information could be a message, as it was in World War II with the Nazis using the Enigma Machine to mix up their communications, or it could be a computer file, as it should be with personal documents emailed to you by your accountant, for instance. An overly simple example of encryption, says Trent Telford, CEO of enterprise encryption provider Covata, would be a word search game.
“To look at it visually, you would just see a big block of 1,000 letters that meant nothing,” Telford says. “But when you decipher it you can see that there are words hidden in there.”
Take that analogy a step further by looking at an encrypted Word document loaded with personal information. Using complex algorithms, this multi-page file with your social security number, your address, and other data is encrypted, and as a part of that process an encryption key is generated. This key is the password required to unlock the algorithm and de-scramble the information within the computer file.
The key and the file should be kept separate from each other to ensure the data’s safety. For example, if someone breaks into your computer and copies that file, it would be useless without the key — all they would see is nonsensical characters, not the personal data that actually exists there.
So, if encrypting files is as easy as that sounds, why isn’t it done all the time?
“Organizations are either lazy or don’t want to effect change in their business,” says Telford. For instance, imagine a company has millions of files all over the place that are used either by people, computer systems, or applications. These files are useless when they’re encrypted, so the company has to find a way to work with the data while allowing automated business processes to keep workflows moving.
“You would need to enable those systems to have the power within that application to decrypt, use the information, and then let that file stay encrypted,” he says. “Organizations now need to put the projects in place and the priorities in place to do this.”
Recent hacks like the ones at Anthem, Home Depot, and Target have shown how companies sometimes leave data unencrypted. And, Telford points out, the government data that Edward Snowden snagged wasn’t scrambled up either.
End-to-end encryption is a term that consumers have become more familiar with, especially as they’ve done more banking online. The idea that their data could be intercepted as it criss-crosses the Internet is terrifying, but Telford says data is more at risk when it sits on companies’ servers.
“It’s pretty rare that someone steals information in the transport layer, in the tunnel, moving it from A to B,” he says. “It’s when it’s sitting in the clear at either end that it tends to get compromised or stolen.”
The reason for this is that data is fundamentally stored in two ways. The first is on big file server networks, which are essentially enormous hard drives full of all kinds of data that can be encrypted. The second way is in databases, which in most cases can’t be encrypted. Databases are built to have queries run against them so the systems can go and pick out what information they want, quickly. Moving from a database architecture to a server setup is costly and time-consuming, which is why companies haven’t been doing it.
But consumers can protect their own computers very easily by encrypting their data too. Windows users can use the BitLocker application to encrypt their drives, while Apple offers a program called FileVault 2 to do the same thing on Macs.
Still, with the Internet of Things promising to bring us lots more web-connected devices, this is only the beginning for encryption technologies. With millions if not billions more computing devices coming online — only some of which are encrypting their communications — a lot more data is in danger of being exposed. “There’s a whole other vector of attacks from a privacy perspective,” says Telford.