The Truth About Encryption
Blog Article Published: 01/20/2015
By Christopher Hines, Product Marketing Manager, Bitglass
Encryption has gotten some much-needed attention over the past few weeks. With the release of a secret US security report unveiling the importance of encryption and how in 2009 private computers were vulnerable to attacks from cyber criminal gangs operating in Russia and China, plus David Cameron’s anti-encryption angle that he hopes to use to influence Obama, the topic is certainly worthy of discussion.
I know some of you may be looking at “2009” and thinking “Chris, it’s 2015 get with it” but the fact is, encryption is even more valuable and necessary than ever. Since 2009, cloud app usage (think Salesforce) and BYOD has expanded significantly. 60% of organizations now utilize cloud apps. Since data now resides outside of corporate firewalls, companies need ways of encrypting their data, making sure that the growing number of cyber-criminal gangs in Russia and China don’t get their hands on it. But what’s the truth about encryption? And how do you know if it truly is as strong as you might think?
Encryption has two main components. The first part is the Cipher. This is the piece that transforms human readable text to something unreadable (ciphertext). It’s the piece you probably think of the most i.e turning “Chris” into “WxoPNHz.” The second piece (the piece often overlooked) is called the Initialization Vector. This piece is an unpredictable random number that ensures that encrypting the same message repeatedly will yield different ciphertexts each time. To ensure sufficient randomness, the length of the Initialization Vector should be the same number of bits as the cipher.
To clarify, a lot of vendors promote AES-256 bit encryption, I am sure a lot of you are reading this now and saying “yes, this is exactly what my vendor says they provide” (think of the biggest vendors in the encryption space, I promise that by the end of this blog you’ll have some questions for them). For the less encryption inclined, AES-256 bit encryption is the de facto standard for strong encryption in the enterprise. It implies that there are billions of combinations that can be made for each piece of plain text (regular name, credit card number, SSN etc.) and that the chance of cyber criminals breaking the encryption is close to impossible. Which would be true, if it were actually what some of the world’s biggest encryption vendors provided. But, unfortunately, there's a good chance that your cloud encryption vendor has you duped.
Remember how I mentioned before that the initialization vectors were crucial? In order to make data searchable once encrypted and placed in the cloud (think Salesforce encryption), vendors have actually begun cutting down on the number of initialization vectors used in their products. This means that instead of the billions of combinations companies think they are purchasing, they are actually only getting 1 million in some cases. This is a HUGE difference! 1 million combinations is insanely less secure than multiple billions of combinations. Put differently, that 256 bit encryption turns into 20 bits. And at 20 bits, you might as well keep your money in your pocket because it’s just as useful as having no encryption at all.
So that’s the truth. Don’t be fooled by vendors claiming to have true AES-256 bit encryption. Yes their cipher will be on point, but it’s the initialization vectors that are also crucial. Limiting the number of these vectors to preserve cloud app operations like search changes your 256 bit super encryption, into a puny 20 bit encryption. Reach out to your encryption vendor now and ask them about their vectors, and don’t be surprised if you hear something you don’t like.