CHAPTER 14: ENCRYPTION

Encryption is a widely available and powerful tool for protecting information from unauthorised access, particularly when it is at rest or in transit. Encryption is a form of cryptography that uses complex mathematical algorithms to transform data into a coded form that can only be deciphered using a secret key or password. This process ensures that only authorised individuals and applications that possess the decryption key can view and access the data, safeguarding its confidentiality and integrity.

Deciding whether and when to use encryption

Generally speaking, there are two main scenarios in which encryption should be considered: for information storage (at rest) and information transfers (in transit). In both cases, it can prevent unauthorised access and modification, but needs to be deployed correctly to be effective.

When considering whether to use encryption, bear in mind that most processing activities require the information to be unencrypted on either end of a communication or when the processing activity is ‘active’, so encryption will not be a suitable protective measure for every activity. To decide whether encryption is a suitable solution, consider:

How likely is it that the information might be accessed and/or modified by an unauthorised party?

If the information is breached, how significant would the consequences be to your organisation and, if applicable, the individuals to whom the information relates?

Are you legally or contractually required to encrypt the information?

So, for example, portable devices such as laptops have a relatively high likelihood of being breached, as employees may use them in public, so they should be encrypted. As another example, since personally identifiable information (PII) that is categorised as ‘special category’ or ‘sensitive’ data under the GDPR (such as health data) could have a severe impact if breached, it should also be encrypted.

Encryption alternatives

For processing activities that are often ‘active’ and require decrypted PII, techniques such as pseudonymisation and anonymisation may be more appropriate than encryption. Both techniques involve de-identifying the information, with one key difference: pseudonymised data can be re-identified, whereas anonymised data cannot.

Anonymisation is generally a good option where the data is used for research purposes. For example, suppose you collected dates of birth or addresses, both of which are considered PII. You could approximate these to just years of birth or the area of residence (e.g. just the county or state). This should make it impossible for the individuals to be identified, yet ought to give you the data you need for your research. That allows you to process the data as required while mitigating the impact of a breach, since the data cannot be re-identified, which reduces its value to an attacker.

Pseudonymisation can also be useful for research where you want to protect individuals’ identity from certain audiences but still need to maintain the ability to re-identify the data when required. This is common in a healthcare context, where you might want to make current data available for research purposes but still need to make it possible for a doctor to access their patient’s medical history. To mitigate the risk of unauthorised re-identification, you should store the identifiable parts of the data set separately from the pseudonymised data, and encrypt the identifiable data.
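The following is an added worked example, not part of the original chapter, showing the two techniques on a constructed set of patient records. Pseudonymisation replaces the direct identifier with a keyed token (an HMAC rather than a plain hash, so tokens cannot be recomputed from a list of known identifiers without the key) and keeps the identifying details in a separate lookup store; anonymisation generalises date of birth and address to year and county. The secret key and all records are constructed sample values, and the encryption of the separate identity store is assumed to be handled by the storage layer and is not shown.

```python
import hmac
import hashlib

# Constructed sample records; none of these describe real people.
RECORDS = [
    {"patient_id": "A1234567", "name": "Alice Example", "dob": "1984-03-12",
     "address": "12 High St, Oxford, Oxfordshire", "diagnosis": "asthma"},
    {"patient_id": "B7654321", "name": "Bob Sample", "dob": "1979-11-02",
     "address": "9 Mill Ln, Leeds, West Yorkshire", "diagnosis": "diabetes"},
]

# Constructed demo key; in practice this lives in the key store covered by the
# encryption policy, not next to the pseudonymised data.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(record, key):
    """Split one record into a research view (token + clinical data) and an
    identity view (token -> direct identifiers). HMAC-SHA256 is keyed, so an
    attacker holding the research view and a list of candidate patient IDs
    cannot rebuild tokens by hashing guesses, unlike an unkeyed SHA-256."""
    token = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()
    research = {"token": token, "birth_year": record["dob"][:4],
                "diagnosis": record["diagnosis"]}
    identity = {"patient_id": record["patient_id"], "name": record["name"],
                "dob": record["dob"], "address": record["address"]}
    return research, identity


def anonymise(record):
    """Generalise quasi-identifiers so the row cannot be re-identified:
    keep only year of birth, county and the research attribute."""
    county = record["address"].rsplit(",", 1)[-1].strip()
    return {"birth_year": record["dob"][:4], "county": county,
            "diagnosis": record["diagnosis"]}


def split_dataset(records, key):
    """Return the pseudonymised research set and the separately held
    identity lookup. The lookup is what the policy says must be encrypted
    and access-controlled; the research set can go to a wider audience."""
    research_set, identity_lookup = [], {}
    for record in records:
        research, identity = pseudonymise(record, key)
        research_set.append(research)
        identity_lookup[research["token"]] = identity
    return research_set, identity_lookup


def reidentify(token, identity_lookup):
    """Authorised path (e.g. the treating doctor): resolve a token back to
    the identifiable record, or None if the token is unknown."""
    return identity_lookup.get(token)
```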

Choosing the right encryption solution

To choose the right solution, first have a clear idea of what you intend to use it for. Is it to protect data stored on mobile devices, or information in the Cloud? Will the information be held on your own servers or elsewhere? Is it to protect information at rest, in transit, or both? For instance, if you want to encrypt laptops, consider hard drive encryption. If you are looking to secure web page communications, consider HTTPS.

Bear in mind that the strength of the algorithm used by the solution is a significant factor in determining how difficult it is for an unauthorised entity to crack the key – and thereby break the encryption. Authorities like the National Institute of Standards and Technology (NIST) regularly retire or restrict the use of encryption algorithms that are no longer deemed secure, typically because they are too easy for today’s computers to break. Before committing to any encryption solution, it is a good idea to check what algorithm it uses, and what the relevant authorities say about it.

Key management

Another major factor in the effectiveness and security of your encryption solution is your key management. A strong algorithm to generate the encryption key is of little use if the decryption keys are not kept secure.

There are two types of security breach that could happen with an insecure key. First, if an unauthorised individual accesses both the decryption key and the information it decrypts, the confidentiality, and potentially the integrity, of that information has been breached. Second, if authorised individuals cannot access the key for any reason, they will be unable to access the encrypted data, rendering it useless. While less serious than the first scenario, it is still a breach of security, and could be anything from an inconvenience to a finable offence.

A good encryption policy that covers key management is an ideal way of addressing both risks. Ensure it covers:

Who is authorised to access the keys, and how access will be controlled;

How key-related activity will be logged, if at all;

How keys will be protected when stored or transmitted;

How frequently keys and logs are reviewed;

When keys should be revoked, withdrawn or deactivated, and how; and

What to do if a key is (suspected to be) compromised.

The policy should also address other encryption matters, such as key strength and the process of identifying and implementing the right encryption solution.
