Information security is the process of looking after your data and ensuring your information systems operate efficiently. The CIA triad is made up of the three foundations of information security: confidentiality, integrity and accessibility. Confidentiality means restricting access to information only to those who are authorised to see it. Integrity is keeping information up-to-date and accurate. Accessibility involves enabling all those who have a right to access the data to do so easily and without obstruction. Encryption is the process of reversibly turning information into nonsense to prevent it from being accessed by those who are not authorised to view it. With the encryption key, this process can be reversed and the information may be accessed and read as normal. Encryption, therefore, is one way to support the CIA property of confidentiality.
Encryption in more Detail
Encryption is the conversion of data from a readable form to an encoded version. This conversion is performed through application of a key (an algorithm) and cannot be reversed without possession of the correct decryption key. The decryption key is a reverse algorithm of the key initially used. If recipients do not possess the correct decryption key they will be left with the encrypted nonsense message. Encryption protects data from unauthorised access since only permitted personnel should be in possession of the decryption key.
There are a few different types of encryption, but a popular method is public key cryptography. In this process, a public key is issued to everyone and a private key is held only by the receiver. Therefore, to send someone an email using this process, you would use their public key to encrypt the message, and upon receipt they would apply their private key to read it.
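The exchange described above, as an added example that is not part of the original article: a constructed recipient (alice) and a constructed interceptor (mallory) each get an RSA key pair from the OpenSSL command line, and a message encrypted with alice's public key decrypts only with her private key. The names, the message text and the temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: names (alice, mallory) and the message are constructed.
# RSA-OAEP only fits short messages; mail tools such as OpenPGP or S/MIME
# use this same step to protect a symmetric key that encrypts the body.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT   # remove the demo keys when the script ends

# Create a private key for $1 and derive the public key that may be shared.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/$1.key" 2>/dev/null &&
    openssl pkey -in "$DEMO_DIR/$1.key" -pubout -out "$DEMO_DIR/$1.pub"
}

# Encrypt stdin to recipient $1 using only their public key; write to file $2.
encrypt_for() {
    openssl pkeyutl -encrypt -pubin -inkey "$DEMO_DIR/$1.pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# Try to decrypt file $2 with the private key of $1; non-zero status on failure.
decrypt_as() {
    openssl pkeyutl -decrypt -inkey "$DEMO_DIR/$1.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

make_keypair alice      # intended recipient
make_keypair mallory    # someone who intercepts the message in transit
printf 'Payroll file password: constructed-example' |
    encrypt_for alice "$DEMO_DIR/msg.bin"

echo "Alice reads: $(decrypt_as alice "$DEMO_DIR/msg.bin")"
if decrypt_as mallory "$DEMO_DIR/msg.bin" >/dev/null; then
    echo "Mallory read the message (unexpected)"
else
    echo "Mallory cannot decrypt without Alice's private key"
fi
```

Only the `.pub` files would ever be handed out; each `.key` file stays with its owner.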
When should you Encrypt Data?
Encryption is often used when sending information between a server and a browser. This information frequently includes passwords, personal information and payment information. It is also a good idea to encrypt any sensitive, confidential information to protect it from unauthorised access.
Vast quantities of information are sent by email every day, both within and between organisations. Unprotected emails are generally transmitted as plain text across local networks and the internet. During this process they are highly vulnerable to interception and unauthorised access by hackers. Encrypting emails ensures that only your intended recipient, who is in possession of the decryption key, can gain access to the information.
Sensitive information should not be saved onto a laptop's hard drive without first checking that the hard drive is encrypted. This is because laptops, as portable devices, are vulnerable to loss and theft, so the information they contain is more at risk of getting into the wrong hands. Similarly, portable storage devices, such as USBs and CDs, are high-risk devices. It is good practice to ensure that sensitive information stored on portable storage devices is encrypted.
In summary, the more sensitive the data, and the more high-risk the device it sits on, the more reason there is to encrypt it. Current encryption technology is quick and easy to use, so it is always best to err on the side of caution and encrypt any vulnerable information. Encryption is becoming an increasingly commonplace practice, and its evolution even hints at use in machine learning (where computers are able to perform or plan tasks ahead without being commanded to by a human).
How Encryption Supports Confidentiality
As one of the CIA triad properties, data confidentiality is a cornerstone of information security. Confidentiality is centred on the implementation of secure access control systems. Assigning file permissions or access rights to specific authorised users allows proper access restrictions to be implemented. Restricting data to those who are authorised to access it (e.g. through issuing a decryption key) upholds the rights of data subjects. Data subjects are those who have data held about them which is out of their control. Restricting access in this way also enables compliance with current law, i.e. the General Data Protection Regulation (GDPR).
Why is it Important to Support the Three Information Security Properties?
Implementation of good information security practices enables us to get the most out of our data whilst simultaneously ensuring it is protected at all times. Insufficient data protection risks confidentiality breaches, data losses, inaccurate data production, interruptions to service and resource wastage. Additionally, information security breaches can result in disciplinary action, ranging from internal procedures to massive fines and legal action. Encryption is a simple but effective way to safeguard your organisation and employees against these potentially devastating repercussions.