Encryption in and of itself seems somewhat straightforward in the world of Information Technology today. We all realize that we need encryption on our personal devices to protect our information. IT professionals also realize its importance in the Enterprise and in the Cloud. Encryption scrambles stored data (data at rest) so that it is unreadable unless we have a key to decrypt it. It is also used to protect data while in transit, or “in flight”.
Understanding encryption on a personal device seems straightforward, but once we allow access to our data via email or by copying it to an unencrypted disk, it may no longer be encrypted when it is transmitted or when it lands in a remote location beyond our control.
Encryption is not a silver bullet when it comes to securing data, and it can be quite complicated to deploy from end-to-end… but to what end? What about data that is stored in the Cloud? There is a very good chance that most of our personally identifiable information (PII) can be found with the several cloud providers that service the companies we deal with every day. Concerns remain if more information is stored, such as a medical condition, which then becomes protected health information (PHI).
Deploying encryption and choosing levels of protection can be challenging, because so much depends on how it is implemented in a given scenario. Most encryption is rendered useless if the keys are compromised. The inverse scenario occurs when the keys are lost and the data becomes unrecoverable. Accountability becomes a key issue; whoever has access to the encryption keys can essentially unlock all of your data.
We have seen this several times in the news, including the Apple vs. DOJ case, where Apple was pressured to release the algorithm to the iOS operating system that protects every iPhone user around the globe. We have also heard about several cases of ransomware groups encrypting data on critical health systems, which blocks access to electronic Protected Health Information (e-PHI). This is a new problem that can be mitigated with a solid contingency plan that also leverages a Disaster Recovery Plan.
Realizing the capabilities of encryption in the cloud with a provider that offers encryption both at rest and in flight, together with a solid contingency plan, will allow your data to be consistently protected and to maintain a higher level of confidentiality, integrity, and availability.
Encryption in the cloud does not have to be trivial. It can be tangible and transparent through compliance that is paired with both the customer and the provider, which in a healthcare scenario under HIPAA will be the Covered Entity and the Business Associate, respectively.