What is Data Encryption?

Modern encryption systems typically use either symmetric or asymmetric encryption, both forms of cryptography.

Symmetric encryption

Symmetric key encryption utilizes a single private key for both encrypting and decrypting data. The way symmetric keys work means that the sender and receiver must both possess the encryption key in advance.

Generally, symmetric encryption is faster and more efficient than asymmetric encryption, which makes it well-suited for encrypting large amounts of data.

Asymmetric encryption

Symmetric encryption uses a pair of public and private keys:

• A public key is a key used to encrypt data that other people send to you. You share this encryption key publicly with your contacts. It does not need to be secret.
• A private key is a key that you keep secret and use to decrypt confidential data that people send to you with the public key.

This system eliminates the need to securely exchange a shared key, which is one of the most significant limitations of symmetric encryption.

Organizations often use asymmetric encryption in the following ways:

• Using digital signatures
• Securing web browsing (HTTPS) sessions
• Encrypting sensitive messages between parties who haven’t previously exchanged keys

Asymmetric encryption is also sometimes called public-key cryptography.

Organizations commonly use encryption to secure sensitive or regulated data.

Financial data

Encryption during storage and in transit is a best practice for securing sensitive financial data, including transactions, account details, and credit histories. In the financial sector, numerous compliance regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS), require strict data encryption rules and processes. Encryption here helps prevent fraud and unauthorized access.

Commercial data

Many organizations will also want to encrypt sensitive business data, such as proposals, customer contracts, service level agreements (SLAs), and supplier contracts. Specific industries and countries require compliance with regulations and laws, such as the General Data Protection Regulation (GDPR), that cover encryption standards. Companies encrypt data to avoid financial or reputational harm in the case of a data breach.

Human resources data

A mix of federal and local laws typically regulates how organizations must secure human resources (HR) data, especially personally identifiable information (PII) of employees. HR data is also commonly shared with third-party platforms, which can create opportunities for it to be revealed or intercepted.

Personally Identifiable Information (PII)

Personally identifiable information (PII) includes data that, if disclosed, could be used to identify an individual. Names, addresses, and Social Security numbers are all examples of PII. Encrypting PII helps organizations prevent identity theft and ensures compliance with global privacy laws.

For example, regulations such as GDPR in the European Union and the California Consumer Privacy Act (CCPA) require organizations to protect PII in their custody. Encryption is a commonly used tool to meet these standards.

Protected Health Information (PHI)

Healthcare providers, insurers, and HR departments handle protected health information (PHI), which includes medical or health-related information that is associated with an individual. Examples of PHI include electronic medical records, treatment histories, and pharmacy prescription data.

Laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the US mandate the implementation of data security measures. These measures protect the confidentiality, integrity, and availability of electronic PHI (ePHI). As with PII, encryption is a common tool used to meet HIPAA and other PHI standards.

Digital signatures are a tool to verify the authenticity of a sender. Digital signatures utilize both public-key data encryption and hashing.

Digital signatures work through the following process:

1. A sender creates a hash of their data to prove it is authentic and unaltered.
2. The sender then encrypts that hash to create a digital signature.
3. The recipient receives the data along with the associated signature. They run the decryption key on the signature and generate a new hash of the data to compare against the decrypted original.

If both hashes match, the recipient can be confident that the identified sender sent the data and that no alteration occurred in transmission.

The data encryption techniques you choose should do more than just secure data. These techniques should align with business goals and comply with regulatory requirements.

Consider these four factors when selecting encryption techniques for your organization.

Evaluate asset sensitivity

Not all data requires the same security. Sensitive data may require full end-to-end encryption. Less sensitive data may need less or no encryption.

Understand the security environment

Some organizations as a whole might be targets, such as financial institutions or government agencies. Others, such as app companies, may have minimal data at rest on their own infrastructure, which could pose a security risk. Select techniques that are appropriate to the risk profile of each set of digital assets within your organization.

Use modern standards

Not all encryption algorithms offer the same level of protection. DES, its derivative 3DES, and other older standards typically cannot protect against modern attacks. Look for encryption services that utilize current standards, such as AES-256 encryption and RSA with 2048-bit keys.

Meet compliance requirements

Many industries and jurisdictions have specific regulations that require encryption for protecting sensitive data. For example, PCI-DSS mandates that organizations securely process and transmit consumer credit card information.