Encryption is a proven and highly effective protection standard for all data types. To provide the best level of protection, deploy encryption across your IT infrastructure, including servers, storage, and networking. Encryption standards vary in complexity, and the sweet spot between excellent protection and solid performance is AES with a 256-bit key (AES-256).
This article discusses the top ways to use encryption throughout your IT architecture and explains how Atlantic.Net keeps customer data safe and encrypted, even in highly regulated industries such as finance and healthcare.
Data Encryption Types
When implementing data encryption throughout your IT infrastructure, three data encryption types must be considered. Each type supports various encryption techniques that you can implement in your IT environment. These include:
Encryption at Rest: Data at rest is any static data housed physically on computer storage in any digital form. The data resides directly on the infrastructure, most commonly saved to disk file systems in files, folders, USB sticks, and network shares.
Encryption in Transit: When active data traverses the network, it is in transit. Data is in transit when it moves from one application to another or when it is sent and received over the Internet. Examples include encrypted corporate VPN traffic, SSL/TLS/DTLS sessions (authenticated with certificates), and isolated encrypted networks.
Encryption When Live: Active data, such as production data being processed in real time, is considered live data. A synchronous database is a good example because vast amounts of live data are cached in memory and page files. Unfortunately, in-memory data is exposed to complex vulnerabilities that target the hardware layer of your systems.
What Data Should I Encrypt?
Now that we know the types of encryption available, let’s consider the top five places you can use data encryption within your IT architecture to offer the best protection possible.
#1: Encrypt User Data: User data consists of any personal or business files used by your employees. All modern operating systems consolidate user data into a home directory saved locally, such as on a PC, server, or laptop hard drive. Depending on the employee’s location, user data is usually synced to a file server at the head office.
What would happen if the user’s laptop was stolen? If the hard drive is unencrypted, removing the disk and installing it elsewhere would give simple access to your private data. In addition, this approach bypasses operating system access controls such as user login and file system permissions.
Changing file permissions on a disk mounted elsewhere is simple; however, the data would be useless to the thief if the disk had been encrypted. Unfortunately, there are countless examples of exploits and vulnerabilities being used to steal user data at rest. Therefore, make encryption of disks, files, and folders mandatory in your working environment.
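As an added example (not Atlantic.Net's tooling), the following Go program checks a Linux machine for exactly the gap described above: a mounted filesystem that is not backed by a dm-crypt (LUKS) mapping. It parses the key="value" output of `lsblk -P -o KNAME,NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` and walks each mounted device's parent chain, so an LVM-on-LUKS root is recognised as encrypted while a plain partition is flagged. The embedded lsblk output is constructed for the example, and /boot and /boot/efi are assumed to be acceptable in plaintext.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of `lsblk -P -o KNAME,NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` for a
// hypothetical laptop: LVM-on-LUKS root plus an unencrypted second disk mounted at /data.
const sampleLsblk = `KNAME="nvme0n1" NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
KNAME="nvme0n1p1" NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
KNAME="nvme0n1p2" NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
KNAME="dm-0" NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p2"
KNAME="dm-1" NAME="vg0-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="sda" NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
KNAME="sda1" NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sda"
`

type blockDev struct {
	kname, name, typ, fstype, mount, parent string
}

var pairRe = regexp.MustCompile(`([A-Z]+)="([^"]*)"`)

// parseLsblk turns lsblk's key="value" pairs into a map keyed by kernel device name.
func parseLsblk(out string) map[string]blockDev {
	devs := map[string]blockDev{}
	for _, line := range strings.Split(out, "\n") {
		kv := map[string]string{}
		for _, m := range pairRe.FindAllStringSubmatch(line, -1) {
			kv[m[1]] = m[2]
		}
		if kv["KNAME"] == "" {
			continue
		}
		devs[kv["KNAME"]] = blockDev{kv["KNAME"], kv["NAME"], kv["TYPE"], kv["FSTYPE"], kv["MOUNTPOINT"], kv["PKNAME"]}
	}
	return devs
}

// backedByDmCrypt walks the parent chain (LVM volume -> crypt mapping -> partition -> disk)
// and reports whether any ancestor is a dm-crypt device.
func backedByDmCrypt(devs map[string]blockDev, kname string) bool {
	for depth := 0; kname != "" && depth < 16; depth++ {
		d, ok := devs[kname]
		if !ok {
			return false
		}
		if d.typ == "crypt" {
			return true
		}
		kname = d.parent
	}
	return false
}

// Mount points that are expected to hold plaintext (boot loader data only); an assumption of the example.
var plaintextAllowed = map[string]bool{"/boot": true, "/boot/efi": true}

// unencryptedMounts lists mounted filesystems that are not protected by dm-crypt, sorted for stable output.
func unencryptedMounts(lsblkOut string) []string {
	devs := parseLsblk(lsblkOut)
	var findings []string
	for _, d := range devs {
		if d.mount == "" || plaintextAllowed[d.mount] || backedByDmCrypt(devs, d.kname) {
			continue
		}
		findings = append(findings, fmt.Sprintf("%s (%s) mounted at %s", d.name, d.fstype, d.mount))
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Run against the constructed sample, or pipe real lsblk output in with a "-" argument.
	input := sampleLsblk
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, _ := io.ReadAll(os.Stdin)
		input = string(b)
	}
	for _, f := range unencryptedMounts(input) {
		fmt.Println("UNENCRYPTED:", f)
	}
}
```

Feed it a real machine with `lsblk -P -o KNAME,NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | go run audit.go -`. The check only recognises dm-crypt; filesystem-level encryption (fscrypt, eCryptfs) and self-encrypting drives need their own checks, so treat a clean result as necessary rather than sufficient.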
#2: Encrypt VPN Traffic: Home and hybrid working have become the new normal for millions of workers across the United States. To do this safely, many use a secure transport mechanism and application layer protection to encrypt all traffic routed via a VPN.
Encryption provides confidentiality, integrity, and authenticity to protect data over an IPsec VPN connection. The VPN tunnel captures all traffic sent from point A to point B. The data is encrypted using the TLS or DTLS protocols, and all VPN traffic must authenticate at both ends of the VPN tunnel. This approach defends against replay attacks, man-in-the-middle attacks, ARP poisoning, and MIB dumps over wired and wireless networks.
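To make "authenticate at both sides" concrete, here is an added Go example (not Atlantic.Net's code or any VPN product's) of a mutually authenticated TLS handshake: a gateway configured with RequireAndVerifyClientCert, and a client that verifies the gateway's certificate in turn. The endpoint names (vpn-gateway, alice-laptop, unmanaged-device) and the throwaway self-signed certificates are assumptions of the example, and it talks to itself over loopback TCP on 127.0.0.1; a real deployment would issue endpoint certificates from its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity makes a throwaway self-signed ECDSA certificate for one tunnel endpoint (example only).
func newIdentity(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// tunnelHandshake runs a gateway that requires a client certificate and connects one client to
// it over loopback TCP. It returns nil only when both ends authenticated each other.
// trusted lists the enrolled client certificates; clientCert == nil models a client with none.
func tunnelHandshake(gateway tls.Certificate, trusted []tls.Certificate, clientCert *tls.Certificate) error {
	clientCAs := x509.NewCertPool()
	for _, t := range trusted {
		clientCAs.AddCert(t.Leaf)
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{gateway},
		ClientAuth:             tls.RequireAndVerifyClientCert, // gateway insists on an enrolled client cert
		ClientCAs:              clientCAs,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keep the exchange to the handshake itself
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			err = tls.Server(raw, srvCfg).Handshake()
			raw.Close()
		}
		verdict <- err
	}()
	roots := x509.NewCertPool()
	roots.AddCert(gateway.Leaf)
	cliCfg := &tls.Config{
		RootCAs:    roots, // the client verifies the gateway before presenting its own identity
		ServerName: gateway.Leaf.Subject.CommonName,
		MinVersion: tls.VersionTLS12,
	}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	cli, clientErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if clientErr == nil {
		cli.Close()
	}
	if serverErr := <-verdict; serverErr != nil {
		return fmt.Errorf("gateway rejected client: %w", serverErr)
	}
	return clientErr
}

func main() {
	gw, _ := newIdentity("vpn-gateway")
	laptop, _ := newIdentity("alice-laptop")
	stray, _ := newIdentity("unmanaged-device")
	trusted := []tls.Certificate{laptop}
	fmt.Println("enrolled client:", tunnelHandshake(gw, trusted, &laptop))
	fmt.Println("no certificate: ", tunnelHandshake(gw, trusted, nil))
	fmt.Println("unenrolled cert:", tunnelHandshake(gw, trusted, &stray))
}
```

The second and third scenarios are the ones that matter for a VPN gateway: a client that offers no certificate, or one the gateway was never told to trust, is refused during the handshake, before any tunnel traffic flows.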
#3: Encrypt Cloud Data Using KMS: Data stored in the cloud is well protected because of the enforced use of secret cryptographic keys. KMS products safeguard data at rest and in transit. Keys encrypt and decrypt files, folders, databases, servers, cloud storage, etc.
Have individual KMS keys for each cloud service to avoid using the same key for multiple systems. Ensure a solid security enclave by creating your own keys instead of using the default keys provided by the cloud hosting partner.
To further enhance security, enforce a mandatory key rotation policy by setting a predefined number of days after which the key is rotated (changed). Regular rotation limits how long any one key stays in service, so cryptographic keys do not age extensively over their lifetime.
To further secure cryptographic keys, harden the ecosystem by generating keys on a TPM 2.0 crypto processor. A TPM is an additional hardware module that installs directly into modern server hardware and is used to create complex encryption keys greater than 4096 bits.
#4: Compartmentalize Data with Detailed Access Controls: Classify your data and store it according to that classification; keeping everything in one place is a severe risk to data integrity. For example, if your systems are compromised, a hacker who reaches that single location can access all of your data. Spreading data across the infrastructure adds a layer of separation that provides additional security.
Combining this approach with tiered access controls and encrypting data with cryptographic keys introduces further security measures, ensuring that only authorized users and authorized server accounts access approved data. Creating this configuration is complex, but it dramatically reduces the risk to data integrity.
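Added example (not Atlantic.Net's code and not any KMS vendor's API) covering #3 and #4 together: one keyring per service, versioned keys so that a rotation never strands ciphertext produced earlier, a "rotate after N days" policy check, and the service name authenticated into every ciphertext so a blob sealed for one service cannot be opened with another service's key. The simplification is that key material lives in process memory; behind a real KMS, HSM or TPM the key never leaves the device and the application only sends encrypt/decrypt (or wrap/unwrap) requests. The service names, the 90-day window and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// keyVersion is one generation of a service's key (in memory here; inside the KMS/HSM/TPM in reality).
type keyVersion struct {
	created time.Time
	key     []byte // 32 bytes: AES-256
}

// serviceKeyring models one KMS key per cloud service; rotation appends a version and keeps old ones.
type serviceKeyring struct {
	service  string
	versions []keyVersion // slice index is the key version number
}

// rotate creates a fresh key version; new ciphertext uses it, old ciphertext stays readable.
func (r *serviceKeyring) rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	r.versions = append(r.versions, keyVersion{created: time.Now(), key: key})
	return nil
}

// needsRotation is the "rotate after N days" policy check for the current version.
func (r *serviceKeyring) needsRotation(maxAge time.Duration, now time.Time) bool {
	if len(r.versions) == 0 {
		return true
	}
	return now.Sub(r.versions[len(r.versions)-1].created) > maxAge
}

func (r *serviceKeyring) aead(ver uint32) (cipher.AEAD, error) {
	if int(ver) >= len(r.versions) {
		return nil, fmt.Errorf("%s: unknown key version %d", r.service, ver)
	}
	block, err := aes.NewCipher(r.versions[ver].key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Ciphertext layout: [key version uint32][GCM nonce][AES-256-GCM ciphertext and tag]. Service name
// and version are authenticated as AAD, so a blob cannot be re-labelled for another service/version.
const nonceSize = 12 // standard GCM nonce length

func (r *serviceKeyring) aad(ver uint32) []byte {
	return []byte(fmt.Sprintf("%s:v%d", r.service, ver))
}

func (r *serviceKeyring) encrypt(plaintext []byte) ([]byte, error) {
	ver := uint32(len(r.versions) - 1) // always seal under the newest version
	gcm, err := r.aead(ver)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4+nonceSize)
	binary.BigEndian.PutUint32(out, ver)
	if _, err := rand.Read(out[4:]); err != nil {
		return nil, err
	}
	return gcm.Seal(out, out[4:], plaintext, r.aad(ver)), nil
}

func (r *serviceKeyring) decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4+nonceSize {
		return nil, fmt.Errorf("blob too short")
	}
	ver := binary.BigEndian.Uint32(blob[:4])
	gcm, err := r.aead(ver) // the historical version this blob was sealed under
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[4:4+nonceSize], blob[4+nonceSize:], r.aad(ver))
}

func main() {
	billing := &serviceKeyring{service: "billing-db"}
	if err := billing.rotate(); err != nil {
		panic(err)
	}
	blob, _ := billing.encrypt([]byte("constructed sample record"))
	_ = billing.rotate() // scheduled rotation: version 1 becomes current
	pt, err := billing.decrypt(blob)
	fmt.Printf("v0 blob after rotation: %q err=%v\n", pt, err)
	records := &serviceKeyring{service: "patient-records"}
	_ = records.rotate()
	_, err = records.decrypt(blob)
	fmt.Println("other service's keyring:", err)
}
```

Two design points carry over to any real KMS setup: the version number travels with the ciphertext, so rotation is a metadata change rather than a re-encryption of everything, and binding the service name as AAD makes "wrong key for this data" a cryptographic failure instead of a garbage plaintext.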
#5: Encrypting Cloud Storage and Data Destruction: Choose a Cloud Service Provider that encrypts data at rest, in transit, and live. Reputable providers will be audited and accredited to ensure these requirements are active. Encryption of shared storage and a policy on handling data destruction is essential. Hard disks fail, but it’s vital they are destroyed ethically and within a security framework.
Servers, laptops, and PCs all have a limited shelf life. Take a moment to consider what happens when you discard the hardware. Is the data encrypted? Is the unique key saved directly to the hardware? Do adequate access controls protect the discarded device? The only way to guarantee this is to invest in certified destruction services; mobile contractors will shred hard drives and equipment on-site and provide certificates of secure destruction.
What Encryption Is Offered by Atlantic.Net?
Atlantic.Net is your security-focused hosting partner. In addition to offering enterprise-grade end-to-end encryption in the Cloud, we provide encryption standards that meet and exceed PCI and HIPAA compliance requirements.
Atlantic.Net believes encryption of customer data when at rest should not be an optional feature and is now a requirement of all computing. That’s why our world-class encryption is implemented transparently with no further need for configuration by the user.
Atlantic.Net provides enterprise-grade managed solutions, including our fully managed Atlantic.Net Firewall and Intrusion Prevention Security services. These are cost-effective options for any hosting environment looking to improve its security and reliability. Contact our Sales team today for pricing and availability of our Managed Security solutions: 888-618-DATA (3282).