To Encrypt or Not to Encrypt?
Read our tips on when to use encryption and other steps you can take to protect sensitive data.
Many organizations want to leverage encryption in their environments. This usually starts off with encrypting data and devices that physically leave the organization. External USB drives with encryption or internal drive encryption on laptops using BitLocker for example. We have all heard stories of secret government documentation being left behind on the train or a laptop with employee information being left in a Taxi while traveling. This small step helps to minimize exposure (and potentially heavy fines) when traveling with sensitive data and this is a smart way to limit this potential security issue.
In addition, organizations attempt to encrypt data in motion, specifically as it moves across the physical boundaries of the office via SSL on websites, VPN, email etc. Then they look at encrypting data at rest throughout the organization, usually in a one-off methodology for specific, highly sensitive files.
The Downside of an Encrypt it all Approach
However, doing this ‘piecemeal’ encryption and protection strategy starts to become unwieldy. Eventually, organizations often look at encrypting data at rest throughout the organization. This is a logical way to look at data security but encryption on a large scale does have some downsides.
- High Resource Utilization – Blanket encryption of all of your data can result in a significant amount of computational overhead, especially in large organizations with a significant amount of data. The data has to all be encrypted and then selectively decrypted whenever an authorized user wants to use it. It then needs to be re-encrypted when the document has been modified by an authorized person.
- Potential loss of encrypted data – Changing a user’s password or even removing a laptop from a domain can make the data stored by the user or on that device non-recoverable if you don’t have a copy of the key. Making the data so secure that you are no longer able to access your own information is obviously not helpful.
- Complexity – Needing to push out encryption keys and determining who can access your data. Large scale encryption programs can be challenging to roll out.
Encrypting all the data throughout the organization probably doesn’t make sense, because of these downsides. So, we can go through and encrypt some of the data, the data that is most important to us: intellectual property (IP), healthcare data (PHI), Payment card data (PCI), etc. If you have healthcare information, Credit Card data or other personally identifiable information (PII) from your users or customers, this is a lot more important than your standard company memo’s, policies and procedures and where your Christmas Party is going to be held this year.
Using Classification to Aid in Determining What to Encrypt
How do you determine what’s sensitive and need to be encrypted? Data classification is not just importance for governance, it can also be used to add security trimmings to sensitive data such as encryption and more.
There are 2 main methodologies used to classify data as sensitive, Manual and Automated Classification.
- Manual classification simply means that the user is responsible for determining if a document is sensitive. This can be done through a third party tool or the manual addition of a metadata tag or a SharePoint Column value, a sensitivity label or an MPIP label that’s been added to the document. There are a few downsides to this approach, including having to potentially go through a significant volume of existing documents. Militaries tend to prefer Manual classification because a document may contain unclassified information (people, places, things) that when combined due to a specific event, are now considered classified. This type of classification is can be difficult to automate.
- Automated classification works very well for existing documents and takes the need for user interaction (and mistakes) out of the equation. Automated classification works much better with items that are easy to quantify. For example, Credit Card numbers, National ID numbers and easily recognizable strings of data that can be found using Regular expressions or lists of key words.
Combining these two mechanisms can provide a highly customized experience, especially if you have more complex classifications. It ensures a high degree of classification and tagging accuracy that can be leveraged to dynamically protect to your documents.
Reaping the Benefits of Automated Encryption
Ensure that your organization’s business-critical data is classified and protected according to your business regulations and applicable regulatory policies. NC Protect adds granular access and protection controls to business-critical content in Microsoft 365 applications. It has its own built in Classification engine to automatically determine if the data is sensitive or not. Further, if you have been tagging data manually (or even leveraging another data classifier) then NC Protect can leverage that existing data, or a combination of the two. Finding and protecting personally identifiable data while still adding protections (possibly different levels of protection) to data that has been manually classified as sensitive can provide a very secure result.
NC Protect can leverage Microsoft RMS encryption and can apply this encryption only to the specific documents or types of documents (i.e., documents marked as sensitive, CAD drawings, financial documents, etc.) that you want to encrypt. NC Protect also offers an encryption tool if you would prefer not to use Microsoft’s encryption or want to manage your own keys.
With NC Protect, encryption can be applied to specific types of data at rest in a very granular manner. However, it can also add additional access and security controls to data accessed under specific conditions. For example, you may not consider it necessary to encrypt data that is accessed by trusted users, internally, from a company issued laptop. However, you may want to provide additional protections when that same user, accesses that same data from their phone, or from outside of the country. NC Protect is powerful enough to leverage that user’s attributes to provide dynamic protection, tailored to the situation, including encryption and watermarking on the fly. So, when in the office the users can access the document normally with no restrictions, but on the go they can be presented with an encrypted file that’s watermarked with their user information when opened.
In the screenshot above, you can see that you can add access and usage restrictions to users when they access sensitive data from outside of the country, or when the data is being accessed (or attempted access) from a different device type, from an unauthorized browser type or even by different IP addresses. This can help prevent accidental data loss or data exfiltration if an employee is working in a public location versus a more secure location.
Data Protection Beyond Just Encryption
While this post concentrates on encryption, NC Protect can provide additional protections such as forcing read-only access that prevents print, download copy and paste, to obfuscating sensitive data from users, such as Guest users, or users from other countries if you’re dealing with ITAR restrictions. Encryption does not need to be applied to files if people can’t see that they exist.
I hope this post gives you some ideas of how you might be able to leverage Encryption and other security mechanisms to protect your data, no matter where it resides in your environment. If you have any additional questions or are curious if this solution is right for you, please reach out to us.
