Encryption - A Complete Guide to Encoding Sensitive Customer Data

Keeping your customer’s data secure is of the utmost importance, and encryption is one method that can help you achieve that. In this complete guide, we reveal all you need to know about protecting sensitive customer data.

It is good practice for data encryption to exist for all forms of high-risk data, such as sensitive personal information like biometrics and financial information like card numbers and bank account details. Encryption makes data unintelligible, so secures it by design with the only way to unscramble it being a decryption key.

Encryption is necessary to prevent the unauthorised processing of information, should that information be involved in a data breach scenario.

As such, encryption is a method to mitigate the risk of unlawful processing. This makes it a powerful tool to comply with the EU’s General Data Protection Regulation (GDPR) which puts specific obligations on the controller and processor of information to keep data safe, so the rights and freedoms of individuals are not put at risk.

What is encryption?

This is the process of converting data into unreadable, scrambled code so that it becomes unintelligible. Good encryption will render data incomprehensible without the unique decryption key or keys which can unlock and unscramble it.

Is encryption mandatory?

Under the GDPR, encryption is NOT mandatory, but it is mentioned as one of the mechanisms to protect personal data. In many applications such as database design, it is standard practice to use encryption as a security method.

What this means, simply, is organisations are not required by EU or UK law to encrypt sensitive data, but they are required to “maintain the appropriate technical and organisational measures for that type of data.  They have an obligation to ensure processing meets the obligations of the GDPR.  Encryption is one method to achieve this, and it is a very good one at that.

Types of encryption

There are two types of encryption you can use to protect sensitive customer data: symmetric and asymmetric, and there are a wide range of algorithms out there that use either of these types of encryption. Symmetric encryption came first, and most algorithms use this in their design. Symmetric encryption was specifically designed to protect data and information; asymmetric encryption was developed for authentication and verification. You may find algorithms that use both perfectly well.

The key difference is this: symmetric algorithms use one key, with that single key used to both encrypt and decrypt data. Asymmetric algorithms use two keys, one private, one public, with the public key used for encrypting and the private key used for decrypting. One of the characteristics of an asymmetric algorithm is the key lengths are much longer. A good example is RSA, which has 2,048-bit keys.

The importance of the ‘bit’

Perhaps more important than the ‘type’ of encryption is the ‘bit’ of the encryption, which is how the security level of the encryption is expressed.

What you need to know is this - 128-bit encryption is considered logically unbreakable so algorithms that use 128-bit encryption are the minimum standard. These algorithms use a 128-bit key to encrypt and decrypt data or files. Such a key is considered unbreakable because the computation power needed to crack it is enormous.

Even better is 256-bit encryption. This truly is unbreakable without serious computing power and thousands of years to run it over. One of the main encryption algorithms, AES, is available in three key sizes 128, 192 and 256 bits.

Common encryption algorithms

The five most common encryption algorithms are Triple DES (3DES or DES), RSA, Blowfish, Twofish and AES. These are used across a wide range of applications, from securing SSD and HDDs to transfers made through email and even NFC.

Tripe DES (symmetric algorithm)

Key application: Hardware, although it is slowly being phased out.

Triple DES is an open encryption standard that uses three individual keys with 56-bits each. The total key length adds up to 168-bits.

RSA (asymmetric algorithm)

Key application: Internet data.

RSA is the encryption standard for encrypting data sent over the internet. It uses both a public and private key. The keys are 2,048-bit.

Blowfish (symmetric algorithm)

Key application: An upgrade to DES.

Blowfish is designed to replace DES and splits messages into blocks of 64-bits, encrypting them individually. They key ranges from 32 to 448-bits.

Twofish (symmetric algorithm)

Key application: An upgrade to Blowfish.

Twofish is the successor to Blowfish and considered the fastest algorithm. Keys used in this algorithm may be up to 256-bits in length.

AES (symmetric algorithm)

Key application: Hardware, file transfers.

The U.S. Government uses AES which is available in key sizes 128, 192 and 256 bits. Many believe this sets the standard for encrypting personal data.

Enterprise-grade encryption tools

Encryption is carried out using tools which are sometimes free to download, although experience tells us the best ones are usually paid.

We can’t endorse any particular software, so what we’ll do is list what we believe to be the best examples of enterprise-level encryption tools in no particular order:

·      IBM Guardium Data Encryption

·      Check Point Full Disk Encryption Software Blade

·      Eset DESlock

·      Dell Encryption Enterprise

·      McAfee Complete Data Protection

·      Micro Focus SecureData

·      Bitdefender GravityZone

·      Sophos SafeGuard

·      Symantec Encryption

·      Trend Micro Endpoint Encryption

What all these enterprise-ready encryption tools have in common is they meet specific encryption compliance standards, including FIPS and Common Criteria.

This is an important consideration because depending on the type of data you process your tool may need to meet a specific standard. For example, the encryption standard for banks and financial services is FIPS 140-2. An example of a product that offers FIPS, Common Criteria and BITS compliance from the list is Check Point Full Disk Encryption Software Blade, another is Dell Encryption Enterprise.

Should I be encoding sensitive customer data?

The sad reality of running a business is no business is immune from a data breach. In the event this happens, encrypted data will be worthless to the criminal who stole it or indeed the person who ‘finds’ it. Therefore, encrypting data is a method to mitigate risk and ensure your security methods are as robust as they can be.

Your business should encrypt the following types of data where relevant: personal information, personally identifiable information, confidential business information, financial information including reports, research and development data, customer data. The last point is most relevant here, and encryption should cover customer data in its entirety. All reasonable measures should be taken to protect the customer data you hold.