Data is an organizational asset whose loss or misuse can cause major business losses and put brand reputation at risk. Protecting organizational data is therefore of the utmost priority.
Encryption converts data into an unintelligible form through mathematical algorithms; the resulting ciphertext can be restored to its original form only with the corresponding secret decryption key. Without encryption, an enterprise's private and sensitive information is exposed to unauthorized access and leakage wherever an attacker reaches the storage medium or the network. As per IBM's Cost of a Data Breach report (2022), 83% of the organizations studied had experienced more than one data breach, with an average cost of USD 4.35 million per breach and an average cost of USD 164 per compromised record.
With rapid digital transformation and growing use of multi-cloud and hybrid-cloud infrastructure for storing data, it becomes imperative to protect sensitive information with encryption. Encryption also helps mitigate risks related to compliance, privacy, and insider threats, provided the keys are kept out of reach of the same insiders and administrators who can reach the data. An enterprise's ability to be agile and keep innovating is increasingly tied to a strong data security posture and integrated data security controls.
A data-centric security approach is integral to addressing the data security challenges of accelerated digital transformation. Further, the current geopolitical landscape requires a holistic data security approach that addresses digital sovereignty, data localization, privacy, and emerging threats such as ransomware. Encryption at rest protects confidentiality, not availability: ransomware encrypts already-encrypted data just as readily, so backup and recovery belong to the same strategy.
To keep pace with changes in technology, compliance, and the threat landscape, enterprises are adopting data security strategies built on discovery, classification, and protection of sensitive data wherever it resides.
Encryption is an essential aspect of a 'secure by design' data security strategy and protects data at rest and in transit. Implementing it requires enterprise security policies for the lifecycle management of the cryptographic keys that protect sensitive datasets, since ciphertext is only as protected as its key. To adequately mitigate emerging cybersecurity threats, a breadth of encryption procedures is required, including auditing of access requests made to encryption keys and to protected data.
Such procedures include:
Discovery and classification of sensitive data: Visibility of enterprise data across on-premises, cloud, and SaaS sources is key to a comprehensive data protection and encryption framework for sensitive and regulated data. Once discovered, the data classification process labels data elements based on risk and compliance policies defined by the enterprise; those labels then determine which protection (encryption, tokenization, or masking) each element receives.
Key management: Encryption requires a comprehensive process for securing and managing the lifecycle of cryptographic keys. This includes ensuring that keys are generated, rotated, retired, and destroyed according to the sensitivity of the data they protect, that a retired key remains available only to decrypt existing data until that data has been re-encrypted under the current key, and that access is granted only to authorized users and services through a centralized key management infrastructure that records every use.
Tokenization and data obfuscation: Tokenization and data obfuscation replace sensitive values with substitutes that are useless to an attacker. Tokenization swaps a value for a surrogate token that has no mathematical relationship to the original; the original can be recovered only through the token vault (or, in vaultless designs, the format-preserving encryption key), so access to that vault or key must be controlled as tightly as access to an encryption key. Obfuscation techniques such as masking are typically irreversible and are used where the original value is never needed again, for example in test data or on display screens.
Secure data wherever it resides: An enterprise-grade encryption solution addresses data security and cryptographic key management across on-premises, private cloud, public cloud (single or multi-cloud), and SaaS environments. As sensitive data spreads into cloud-integrated ecosystems that include 5G, edge computing, and IoT infrastructure, the attack surface grows with it, and greater emphasis and risk awareness are required for the security of that data.
Encryption for the post-quantum era: A focused plan is needed for the encryption needs of the post-quantum era. A sufficiently large quantum computer running Shor's algorithm would break the public-key schemes (RSA, Diffie-Hellman, elliptic curves) on which today's key exchange and digital signatures rely, and adversaries can record encrypted traffic now to decrypt it later once such a machine exists. Quantum-safe encryption schemes and digital signatures, such as lattice-based cryptography, are therefore set to become the accepted standard for enforcing Zero Trust and privacy. For example, the National Institute of Standards and Technology (NIST) has selected post-quantum cryptography (PQC) algorithms for standardization, including the lattice-based CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for signatures, and these algorithms have been made usable in OpenSSL through projects such as Open Quantum Safe. Symmetric encryption such as AES-256 is not broken by known quantum algorithms and needs no replacement, only adequate key sizes.
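The key management item above, as an added illustration that is not code from the article: versioned keys, rotation that leaves the previous version usable only for reading existing records until they are re-protected, destruction that makes anything still under the old version unrecoverable, an allow-list of principals, and an audit trail of every key use. HMAC-SHA256 integrity tags stand in for the protection operation because Python's standard library has no authenticated cipher; the principal names, the key states and the record layout are assumptions for the example, and a real deployment would hold the key material in an HSM or cloud KMS rather than in process memory.

```python
"""Versioned key lifecycle with rotation, destruction, access control and audit.

Added example, not the article's code. States follow NIST SP 800-57 naming
(active -> deactivated -> destroyed). HMAC-SHA256 tags stand in for the
protection operation because the standard library has no AEAD cipher; the
lifecycle rules are the ones a KMS applies to encryption keys. Principal
names and the record layout (4-byte version | 32-byte tag | data) are
assumptions for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ACTIVE, DEACTIVATED, DESTROYED = "active", "deactivated", "destroyed"


@dataclass
class KeyVersion:
    version: int
    material: bytes | None
    state: str = ACTIVE


@dataclass
class KeyManager:
    """One named key: versioned material, an allow-list of principals, an audit log."""
    allowed: set[str]
    versions: dict[int, KeyVersion] = field(default_factory=dict)
    audit: list[tuple[str, str, int]] = field(default_factory=list)
    current: int = 0

    def rotate(self) -> int:
        """Create the next active version; the previous one becomes read-only."""
        for kv in self.versions.values():
            if kv.state == ACTIVE:
                kv.state = DEACTIVATED
        self.current += 1
        self.versions[self.current] = KeyVersion(self.current, secrets.token_bytes(32))
        return self.current

    def destroy(self, version: int) -> None:
        """Drop the material: records still under this version are unrecoverable."""
        kv = self.versions[version]
        kv.material, kv.state = None, DESTROYED

    def _use(self, principal: str, version: int, op: str) -> bytes:
        """Single chokepoint: every key use is logged, then authorized, then served."""
        self.audit.append((principal, op, version))
        if principal not in self.allowed:
            raise PermissionError(f"{principal} may not use this key")
        kv = self.versions.get(version)
        if kv is None or kv.state == DESTROYED:
            raise LookupError(f"key version {version} is unavailable")
        if op == "protect" and kv.state != ACTIVE:
            raise ValueError("only the active version may protect new data")
        return kv.material

    def protect(self, principal: str, data: bytes) -> bytes:
        """Tag data under the active version; the version number travels with the record."""
        key = self._use(principal, self.current, "protect")
        tag = hmac.new(key, data, hashlib.sha256).digest()
        return self.current.to_bytes(4, "big") + tag + data

    def unprotect(self, principal: str, record: bytes) -> bytes:
        """Verify under whichever version the record names (active or deactivated)."""
        version = int.from_bytes(record[:4], "big")
        tag, data = record[4:36], record[36:]
        key = self._use(principal, version, "unprotect")
        if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        return data

    def reprotect(self, principal: str, record: bytes) -> bytes:
        """Migrate a record from an old version to the current one after rotation."""
        return self.protect(principal, self.unprotect(principal, record))


def demo() -> dict:
    """Walk one record through generate -> rotate -> re-protect -> destroy."""
    km = KeyManager(allowed={"payroll-svc"})
    km.rotate()                                    # v1 active
    rec_v1 = km.protect("payroll-svc", b"salary=120000")
    km.rotate()                                    # v2 active, v1 read-only
    still_readable = km.unprotect("payroll-svc", rec_v1) == b"salary=120000"
    rec_v2 = km.reprotect("payroll-svc", rec_v1)   # now under v2
    km.destroy(1)
    out = {"v1_readable_after_rotate": still_readable,
           "v1_after_destroy": "readable", "unauthorized": "allowed"}
    try:
        km.unprotect("payroll-svc", rec_v1)
    except LookupError:
        out["v1_after_destroy"] = "unrecoverable"
    try:
        km.unprotect("intern", rec_v2)
    except PermissionError:
        out["unauthorized"] = "denied"
    out["v2_readable"] = km.unprotect("payroll-svc", rec_v2) == b"salary=120000"
    out["audit_entries"] = len(km.audit)
    return out
```

The pattern worth copying is the version identifier travelling with each record, the read-only grace period that makes re-encryption possible before destruction, and a single chokepoint where authorization decisions and audit records are produced; in production the material never leaves the HSM or KMS, which exposes only the protect and unprotect operations.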
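The distinction drawn in the tokenization and data obfuscation item above between a reversible token and irreversible masking, as an added example that is not part of the original article: a vault issues random, format-preserving tokens that keep the last four digits for business use, detokenization is gated on role and audited, and a small brute-force routine shows why hashing a card number is neither tokenization nor adequate protection. The roles, the vault layout and the well-known Luhn-valid test number 4111111111111111 are constructed for illustration.

```python
"""Vaulted tokenization versus masking versus hashing (added example, not
the article's code). A token is a random surrogate: nothing about it is
derived from the original value, so no key or algorithm turns it back; the
only road back is the vault mapping, which is therefore what must be
guarded. Roles, vault layout and the sample PAN are constructed."""
import hashlib
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; validates input and keeps issued tokens un-PAN-like."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Irreversible obfuscation for display: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Format- and last-four-preserving random tokens, reversible only via the vault."""

    def __init__(self, detokenize_roles):
        self._forward = {}   # PAN   -> token
        self._reverse = {}   # token -> PAN
        self._roles = set(detokenize_roles)
        self.audit = []      # every detokenize attempt, allowed or not

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._forward:          # same PAN -> same token, so joins still work
            return self._forward[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # never emit something that could pass as a real card, never reuse a token
            if not luhn_ok(token) and token not in self._reverse:
                break
        self._forward[pan] = token
        self._reverse[token] = pan
        return token

    def detokenize(self, role: str, token: str) -> str:
        self.audit.append((role, token))
        if role not in self._roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._reverse[token]


def recover_from_hash(digest_hex: str, bin8: str, last4: str) -> str:
    """Why an unsalted hash is not a token: with an 8-digit BIN and the last four
    known, a 16-digit PAN leaves 10**4 middle values (about a tenth Luhn-valid)
    to enumerate. Returns the PAN, or "" if no candidate matches."""
    for n in range(10_000):
        candidate = f"{bin8}{n:04d}{last4}"
        if luhn_ok(candidate) and hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return ""


def demo() -> dict:
    vault = TokenVault(detokenize_roles={"settlement"})
    pan = "4111111111111111"                      # well-known test PAN, not a real card
    token = vault.tokenize(pan)
    out = {
        "token_len_ok": len(token) == len(pan),
        "token_last4": token[-4:],
        "token_is_not_pan": not luhn_ok(token),
        "stable": vault.tokenize(pan) == token,
        "masked": mask(pan),
        "roundtrip": vault.detokenize("settlement", token) == pan,
    }
    try:
        vault.detokenize("marketing", token)
        out["denied"] = False
    except PermissionError:
        out["denied"] = True
    out["audit_entries"] = len(vault.audit)
    out["hash_recovered"] = recover_from_hash(
        hashlib.sha256(pan.encode()).hexdigest(), pan[:8], pan[-4:]) == pan
    return out
```

Two design points carry over to real systems: the token is generated, not computed, so leaking the tokenized dataset alone reveals nothing, and every path back to the clear value runs through one audited call whose authorization is a role decision rather than possession of a key. The brute-force routine is the reason "just hash it" fails for low-entropy identifiers such as card or national ID numbers.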
Thus, as enterprises continue their digital transformation journey, a comprehensive data security strategy is needed to manage the impact of a growing threat landscape.
Implementing encryption is an essential security control for protecting sensitive information and the reputation of an enterprise. However, given the high velocity of cloud adoption, the embrace of new technologies, and the challenge posed by quantum computing, enterprises must adopt a pervasive, AI and ML enabled, and agile encryption strategy. This forms the core of a data security strategy for protecting enterprises from emerging cyber threats and navigating the digital economy of the future.
-- Shambhulingayya Aralelemath, Associate VP and Global Delivery Head, Cyber Security, Infosys.