Data encryption should be a good thing for security. When your data is encrypted using today’s encryption standards, other people cannot decode your files or your information. Data at rest encryption (DARE) takes care of the data sitting on hard drives, while data in motion encryption (logically DIME – you read it here first!) ensures that it remains confidential while being transmitted from one point to another. However, like the petard or bomb that blows its user up, encryption can sometimes backfire.
Cases of encryption gone wrong include:
- Users losing their own encryption keys and being unable to access their own data (better hope you made some recent backups that you can still use to restart your PC or server).
- Cloud storage providers holding the encryption key for customers’ encrypted data, and giving in to government pressure to hand over both the key and the data.
- Security holes being discovered in trusted encryption standards, like the Heartbleed bug in the SSL protocol used to protect data in motion.
- Malware infecting user systems to then encrypt the users’ data and only unencrypt it upon payment by the users of a ransom to the malware-infection perpetrators (like the CryptoLocker attacks).
Some organisations do not apply encryption to their data, possibly for the reasons above. American health insurance provider Anthem admitted that in its recent data breach compromised patient and employee records had not been encrypted. Yet even if encryption would not have prevented the Anthem attack from taking place, it could have rendered the stolen data unusable to the attackers. There are solutions to all of the four backfiring cases above, whether through applying the right security policies, upgrades or anti-malware protection. Data encryption is still a good idea. Like all good ideas, it also needs to be applied correctly.