Encryption: The good and the bad
Encryption exists to protect data from unauthorised access by translating it into a format that is unreadable without a decryption or secret key. However, the very method used to keep data safe is also being used to compromise it.
The likes of Ransomware is becoming increasingly prevalent, with stories about such attacks flooding newsfeeds on almost a daily basis. Once it has infiltrated a system or network, Ransomware leverages encryption to hold data hostage, demanding payment for the decryption key to release the data back to the owner.
The need to protect data
Data is valuable, and there is an increasing need to protect it. Looming regulations such as the Protection of Personal Information (PoPI) Act, and the EU’s General Data Protection Regulation (GDPR) are driving forces behind having proper mechanisms in place to protect personal information.
It’s also good common sense to ensure that data, particularly sensitive data such as company information, proprietary data and personal data, is protected. Perimeter security and firewalls are no longer sufficient in a connected world where closing all the doors to your information is becoming harder to do.
Many cyber-attacks are unwittingly initiated from within organisations through users accidentally opening an infected webpage or link, heightening the need for proper controls to be in place - controls such as encryption.
How encryption works
Encryption essentially converts plaintext data into something called ciphertext using algorithms and an encryption key. There are two main types of encryption: symmetrical and asymmetrical. Symmetrical encryption uses the same key to encrypt and decrypt data, meaning the key used to encrypt the data must be shared with the recipient to decrypt the file - similar to when your password lock a word document.
Asymmetric encryption makes use of two different encryption keys, a private and public key. The keys are usually large numbers that have been paired together but are not identical. Either of the keys can be used to encrypt a message, however the opposite key from the one used to encrypt the message is used for decryption.
Best practice for better control
Encryption is one of the tools that is used to protect data, but should form part of a data security strategy which defines various controls to keep data safe.
For organisations to protect data, it is important that they understand their data, knowing what data they are protecting and where that data resides. After all, you can’t effectively protect something if you don’t know where it is, and it wastes resources and time to protect data that doesn’t need protection.
There are two main types of data: data at rest and data in transit. From a data in transit point of view, data is encrypted as it traverses various networks. Data at rest, however, requires different levels of protection for maximum effectiveness.
Data at rest - which is data residing in a business’s data centre, backup storage, network and various machines such as computers or mobile devices - needs to be classified in order to define the level of protection required. This includes basic rights management and access control regarding who may access what data, an under what conditions.
More often, organisations are employing controls such as multi factor authentication, which combines two or three of three elements: password, physical card or token and biometrics. Regardless of the controls in place, encryption is still required at every data access point to protect against unauthorised access, use or dissemination. In this way, even if an individual gains access to data, they are unable to read it or, in any way, use or abuse the data.
Ransomware is predicted to escalate in the upcoming years, especially with services such as Ransomware-as-a-Service (RaaS) being offered on the Dark Web. The rise of Ransomware means that organisations need to make plans to protect themselves against attack, while also considering a plan of action for if they are successfully targeted.
Most IT security companies and professionals strongly advise against paying to restore data. Not only does this drive the success of Ransomware, fuelling the rise of cybercrime, but paying the ransom does not guarantee that a business will recover its data. With this in mind, companies need to be prepared in other ways.
Preparation includes introducing a strict and well communicated IT security policy, with aligned security mechanisms, which educates and informs all stakeholders of the dangers of Ransomware and how to prevent infiltration. It also means having a solid backup solution in place which enables multiple data copies to be created and kept, and which shows evidence of strong security and encryption in place as well.
If Ransomware breaches an organisation’s security measures, organisations can fall back on a backup. It is important, however, that the business chooses a backup solution which offers quick data restoration time, as well as the safety net of an offline backup, too. No organisation which uses the Internet (basically every business) is completely immune to Ransomware, and if a business’s backup is also compromised, having an offline backup could be the difference between continuing with business as usual, or shutting up shop.
Simeon Tassev, Managing Director and QSA, Galix Networking
SAS: Improving the British Army’s decision making with data
SAS’ long-standing relationship with the British Army is built on mutual respect and grounded by a reciprocal understanding of each others’ capabilities, strengths, and weaknesses. Roderick Crawford, VP and Country GM for SAS UKI, states that the company’s thorough grasp of the defence sector makes it an ideal partner for the Army as it undergoes its own digital transformation.
“Major General Jon Cole told us that he wanted to enable better, faster decision-making in order to improve operational efficiency,” he explains. Therefore, SAS’ task was to help the British Army realise the “significant potential” of data through the use of artificial intelligence (AI) to automate tasks and conduct complex analysis.
In 2020, the Army invested in the SAS ‘Viya platform’ as an overture to embarking on its new digital roadmap. The goal was to deliver a new way of working that enabled agility, flexibility, faster deployment, and reduced risk and cost: “SAS put a commercial framework in place to free the Army of limits in terms of their access to our tech capabilities.”
Doing so was important not just in terms of facilitating faster innovation but also, in Crawford’s words, to “connect the unconnected.” This means structuring data in a simultaneously secure and accessible manner for all skill levels, from analysts to data engineers and military commanders. The result is that analytics and decision-making that drives innovation and increases collaboration.
Crawford also highlights the importance of the SAS platform’s open nature, “General Cole was very clear that the Army wanted a way to work with other data and analytics tools such as Python. We allow them to do that, but with improved governance and faster delivery capabilities.”
SAS realises that collaboration is at the heart of a strong partnership and has been closely developing a long-term roadmap with the Army. “Although we're separate organisations, we come together to work effectively as one,” says Crawford. “Companies usually find it very easy to partner with SAS because we're a very open, honest, and people-based business by nature.”
With digital technology itself changing with great regularity, it’s safe to imagine that SAS’ own relationship with the Army will become even closer and more diverse. As SAS assists it in enhancing its operational readiness and providing its commanders with a secure view of key data points, Crawford is certain that the company will have a continually valuable role to play.
“As warfare moves into what we might call ‘the grey-zone’, the need to understand, decide, and act on complex information streams and diverse sources has never been more important. AI, computer vision and natural language processing are technologies that we hope to exploit over the next three to five years in conjunction with the Army.”
Fundamentally, data analytics is a tool for gaining valuable insights and expediting the delivery of outcomes. The goal of the two parties’ partnership, concludes Crawford, will be to reach the point where both access to data and decision-making can be performed qualitatively and in real-time.
“SAS is absolutely delighted to have this relationship with the British Army, and across the MOD. It’s a great privilege to be part of the armed forces covenant.”