How do I select a data encryption solution for my business?
It is a mathematical certainty that data is more protected by communication products that provide end-to-end encryption (E2EE).
Yet, many CISOs are required to prioritize regulatory requirements before data protection when considering the corporate use of E2EE communications. Most Fortune 1000 compliance and security teams have the ability to access employee accounts on their enterprise communications platform to monitor activity and investigate bad actors. This access is often required in highly regulated industries and E2EE is perceived as blocking that critical corporate access.
To select a suitable data encryption solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
Selecting a data encryption solution for your business should follow the same principles used for assessing any technology before deploying it within your organization: usability, scalability, cross-platform, adaptability and compliance.
An encryption solution needs to be easy to manage and deployed by your IT team, it needs to scale with your organization’s infrastructure needs, it has to be compatible with all deployed operating systems, it has to be easily incorporated into existing workflows, and it needs to be compliant with industry standards and regulations.
Of course, evaluating a solution based on these criteria may take some time. Independent and third party endorsements from industry analysts, customers and reviewers can help create a shortlist of candidates that best meet your criteria and even benchmark multiple solutions against each other.
Whatever the chosen and deployed encryption solution, an important factor is proof of compliance. In the event of data compromise, data protection regulators will ask for data encryption proof.
While some industry standards and compliance requirements may sometimes stipulate bare minimum data encryption practices, organizations should adhere to more than just best practices. Data protection should not be treated lightly as any data leak breaching customer privacy or exposing intellectual property may result in irreversible brand reputation and financial damages.
Reiner Kappenberger, Director of Product Management for Data Security, Micro Focus
The need for data encryption has grown with the global trend toward privacy regulations and as organizations look to boost their overall cyber resilience in the face of unprecedented challenges and increased cyber crime.
Encryption is an effective tool for compliance and protection. But not all encryption is the same, and data encryption should be part of a broader solution that can find data everywhere in the environment, analyze it, and provide insight to identify the high value data that needs encryption. The solution should provide discovery, insight, and encryption for all data types (structured, unstructured, and email).
The cryptography itself should be based on industry standards (i.e. NIST SP800-38G). In the event of a breach, use of a proven standard defends against questions about the strength of the protection and its security from data re-identification.
To eliminate the opportunity for insider attack, the cryptography should encompass policies that ideally travel with protected data such as files and emails. This also provides usage monitoring and insight to how data is being used (appropriately or not).
Losing encryption keys can have a disastrous impact. Stateless key management safeguards against loss and simultaneously delivers scalability to manage data growth.
Overall, the right criteria and careful selection can not only deliver more than a point solution, but also strengthen the overall cyber resilience of the organization.
Andrea Pfundmeier, CEO, Secomba | Boxcryptor
Used correctly, encryption enables the protection of data in every company. The following criteria are decisive for the selection of an encryption solution for your business data that requires protection.
End-to-end encryption: Sensitive data that leaves the company must be encrypted directly on the employees’ end devices. This is the only way to ensure that the information cannot be viewed in plain text, either in transit or at rest. Furthermore, pay attention to the encryption methods used. The current standard is the public encryption algorithm Advanced Encryption Standard (AES) with a key length of 256 bits.
Flexibility and scalability: The encryption solution should not work solely for a specific storage location. You should be able to encrypt data stored in different cloud storage services, file servers and platforms such as Microsoft Teams, as well as local data – with the same software. Besides, the solution should be scalable and adaptable to a changed company situation without major effort.
User-friendliness: Only if the encryption solution ensures intuitive collaboration will it be accepted in practice within the company. Ideally, it should deviate as little as possible from the familiar process and offer a simple and data protection-compliant means of collaboration. In addition, the provider should supply suitable materials, webinars, or videos, as well as a fast and reliable support team.
Dan Schiappa, Chief Product Officer, Sophos
Data encryption takes on many roles in today’s sprawling IT world, and in order to have a comprehensive strategy there are many aspects CISOs need to consider to ensure they are fully prepared from a security standpoint. When thinking about data encryption vendors, rarely can one solution do it all, so CISOs must ensure they look at various application providers to see if all their specific needs can be met.
The key areas to ensure are covered are full disk encryption for laptops and mobile devices; file encryption for business files that reside on devices and in shared storage; cloud encryption for assets stored in cloud storage; and application-based encryption for key information stored inside third-party SaaS applications.
The most important aspect is to have comprehensive key management to ensure your organization has total control over encryption keys. CISOs must plan accordingly as encryption can be complex, especially as it relates to employee experience. But when done properly, it is a capable last line of defense for your data. In the end, thorough planning is a CISO’s best friend.
Zebastian Victorin, CEO, AxCrypt
With today’s digital advancement, it is inevitable to encounter challenges when it comes to your files’ security. One of the best ways to protect your files is by encrypting them. Through the process of encryption, your data is concealed by translating it into code to keep it hidden from unauthorized users.
So what are the specific elements your company should take into account while selecting a data encryption software?
Encryption algorithm: When selecting encryption software, you must look into its algorithms to determine how your data will be secured or protected. Since not all codes or algorithms are equal, some perform faster than others.
Filename encryption: It is crucial that your encryption software has a feature that lets you encrypt file names so your documents and their content stay secret.
Secure deletion: As much as you want to protect all the information from your current files, you might also want to protect the data from the files that you want to discard. Since this information may contain sensitive or relevant content to your other files, it is vital to ensure their protection up to the deletion process.
Key sharing: Typically, employees share relevant and work-related information with each other. With the key sharing feature, you can share files without the need to share passwords. Instead, you can share file keys with specific colleagues to give them access to particular files. Then, they can easily browse or edit the shared file.
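The key-sharing point above, together with the earlier end-to-end encryption criterion (AES-256 applied on the employee's own device), can be shown as a small envelope-encryption scheme: each file gets its own random key, and that key is wrapped for each colleague's public key, so no password ever changes hands. This is an added example, not AxCrypt's or Boxcryptor's code; it assumes RSA-OAEP as the wrapping mechanism and 2048-bit colleague keys, both choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewKeyPair creates a colleague's RSA key pair; the private half never leaves their device.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile seals plaintext under a fresh random 256-bit AES-GCM file key and returns nonce||ciphertext plus the raw key.
func EncryptFile(plaintext []byte) (ciphertext, fileKey []byte, err error) {
	buf := make([]byte, 32+12) // 32-byte file key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(buf[32:], buf[32:], plaintext, nil), buf[:32], nil
}

// ShareKey wraps the file key for one colleague with RSA-OAEP; no password changes hands.
func ShareKey(fileKey []byte, recipient *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, fileKey, nil)
}

// OpenShared unwraps the file key with the colleague's private key and decrypts;
// a wrong key, tampered blob or truncated file yields an error, never plaintext.
func OpenShared(ciphertext, wrappedKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey) // rejects a wrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}
```

Revoking one colleague's access means re-encrypting the file under a new file key and re-wrapping it only for the remaining colleagues; the wrapped blobs, not the ciphertext, are what a sharing UI hands out.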