Encryption is a big topic, much bigger than can be fit into a section of a small, business manual. This article provides enough information about the how, what, and why of encryption that an owner or manager of a SMB knows when it’s reasonable and appropriate to encrypt information.
Very simply, encryption changes readable information (plain text) into unreadable information (cyphertext). Two basic methods are used—symmetric and asymmetric.
In symmetric encryption, both the sender and the recipient of cyphertext share a key. The key, together with an encryption algorithm, is used to both encrypt and decrypt the message or document. Asymmetric encryption uses a key-pair. A key-pair is typically assigned to a person or organization. One of the keys is public, known to anyone who wants to encrypt content and send it to the key owner. The other key is private, known only to the key-pair owner.
Details about how each of these processes works are outside the scope of this section. For more information, see How Encryption Works.
You can apply encryption in a number of ways, including:
- Creating a container. Many encryption products allow you to create an encrypted container on a hard drive or other storage device. Anything placed into the container, which usually looks like a typical drive or folder, is encrypted. Only someone with the proper password can access container contents.
- Full disk encryption. When you don’t to worry about whether your users are placing sensitive information into an encrypted container, consider full disk encryption. Most encryption products supporting full disk encryption allow for both pre-boot authentication (PBA). With PBA, the user must enter a password before the operating system loads. If PBA is not used, the OS loads normally and provides access to the encrypted drive or volume. Full disk encryption with PBA is the best way to protect laptops.
- On-demand encryption. If you trust your users, you might simply provide an encryption solution and allow them to encrypt files and folders as they see fit. As we’ll see later, however, this is usually a bad idea.
- Email encryption. Email messages often contain sensitive information. In-house or hosted encryption services provide both user initiated encryption and auto-encryption. Auto-encryption is based on phrases or patterns in a message. For example, 222-22-2222 is a familiar pattern indicating a social security number.
- File transfers. Like email, many documents or data files contain sensitive information. Also like email, this information should never leave the protection of your network, especially when traveling over the Internet, without being encrypted. Consider either a secure FTP solution or SSL.
- Interactive sessions over insecure media. This is a fancy way of describing an external connection, usually over the Internet, over which sensitive data are passed. Encrypt any session that fits this description. SSL is the most popular solution.
- Wireless network connections. Under no circumstances allow your users to connect to wireless networks, including hotspots in coffee shops, without encrypting the connection. Remember that wireless communication casts your information out into the ether, making it available for anyone with a wireless card in their laptop or handheld device. The best solution for Wi-Fi is VPN, and it doesn’t have to break the bank.