What is Encryption?
Watch our full webinar covering the ins and outs of encryption!
With CMMC completing the rulemaking process, companies will now need to truly understand many things about IT that may have been foreign just a year ago. One such item is encryption. What exactly is encryption and what does it have to do with CMMC? First, let’s start with a simple definition.
Do you remember playing with codes and codebreaking when you were a child? That is essentially what encryption is. If you encrypt a message that says, for example, “good morning,” you type in the words “good morning,” but what travels to the recipient is a jumble of letters and numbers that look like nonsense. To read your “good morning” message, the recipient needs a key to unlock the code.
The same process applies to top-secret data or Controlled Unclassified Information (CUI) that needs to be processed. In order to actually see the data, the recipient needs to have the key to unlock the code.
There are two ways data can be encrypted. The first is called Symmetric (you will also see it written Symmetrical). This means the same key is used to both encrypt and decrypt the data. In this type of encryption, the key must be shared between sender and recipient, and it must be kept secret from everyone else.
The second type of encryption is called Asymmetric (or Asymmetrical). In this process, there are two different keys that belong together: a public key, which anyone can use to lock the data, and a private key, which is the only key that can unlock it.
The Symmetric process fits large, closed systems. Using a single key means data can be encrypted and decrypted quickly, but that one key must be distributed securely and anyone who obtains it can read everything it protects, which raises the risk. The Asymmetric process is better suited to online transactions, emails, and digital signatures, because the public key can be handed out freely while the private key never leaves its owner.
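To make the two models concrete, here is an added example (not code from the original post or its authors) in Go using only the standard library. Symmetric encryption is shown with AES-256-GCM, where one shared key both seals and opens the data. Asymmetric encryption is shown the way email and transaction systems commonly do it: the message is sealed under a fresh one-time symmetric key, and only that small key is wrapped with the recipient's RSA public key (RSA-OAEP). The recipient's private key unwraps it; any other private key fails. The "good morning" message, the 32-byte keys and the envelope layout are constructed for the demo; the choice of AES-GCM and RSA-OAEP is an assumption of this example, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt seals plaintext under one shared key with AES-256-GCM.
// The same key is needed to open it again (the "Symmetric" model).
// Output layout: 12-byte nonce || ciphertext || 16-byte authentication tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt opens data produced by SymmetricEncrypt. A wrong key or a
// single modified byte makes the GCM tag check fail, so the caller gets an
// error instead of silently receiving garbage.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Envelope is what an "Asymmetric" sender hands over: the message sealed under
// a one-time symmetric key, plus that key wrapped with the recipient's public
// key. Only the matching private key can unwrap it. (Constructed layout.)
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// NewKeyPair generates an RSA-2048 key pair: the public half can be published,
// the private half stays with its owner.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt needs only the public key. RSA is slow and limited to short
// inputs, so the bulk data goes through AES-GCM and RSA-OAEP wraps just the
// 32-byte data key (the usual hybrid construction).
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	sealed, err := SymmetricEncrypt(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// AsymmetricDecrypt needs the private key: unwrap the data key, then open.
func AsymmetricDecrypt(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(dataKey, env.Sealed)
}

func main() {
	// Constructed demo inputs; a real shared key comes from a secure key exchange.
	sharedKey := make([]byte, 32)
	rand.Read(sharedKey)
	sealed, _ := SymmetricEncrypt(sharedKey, []byte("good morning"))
	fmt.Printf("symmetric ciphertext (what an eavesdropper sees): %x\n", sealed)
	plain, _ := SymmetricDecrypt(sharedKey, sealed)
	fmt.Printf("symmetric decrypt with the shared key: %s\n", plain)

	recipient, _ := NewKeyPair()
	env, _ := AsymmetricEncrypt(&recipient.PublicKey, []byte("good morning"))
	back, _ := AsymmetricDecrypt(recipient, env)
	fmt.Printf("asymmetric decrypt with the private key: %s\n", back)
	stranger, _ := NewKeyPair()
	if _, err := AsymmetricDecrypt(stranger, env); err != nil {
		fmt.Println("a different private key cannot open it:", err)
	}
}
```

Run it with `go run .` and notice two things the prose only states: the symmetric path fails closed when the key is wrong or a byte is altered, and the asymmetric envelope is readable by exactly one private key even though the public key used to create it could have been posted anywhere.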
There are three scenarios that call for encryption. The first is data at rest: data sitting in storage, whether online, in the cloud, on a hard drive, or on a USB drive.
The second state that calls for encryption is data in process, or data in use. This is any data being actively worked on by a database or an application. Because it has to be in readable form while it is processed, this category is the most difficult to protect.
Finally, data in transit must be protected with encryption. This could be data moving from one local machine to another or from one physical site to another.
Encryption provides many benefits, but not every scenario requires aggressive protection. It is important to determine your company’s risk tolerance. Encryption brings its own challenges (keys to manage, performance to consider, recovery to plan for), so it should be applied where it is needed rather than everywhere by default. Also consider customer, industry, and legal requirements when deciding whether to encrypt data.
What questions do you have about encrypting data? Are you wondering what this has to do with ISO 27001 or CMMC? We would be happy to help you talk through these questions. Just click this link to set up a meeting at a time that works for you: https://calendly.com/robert-mcvay/cybersecurity-initial-engagement