Best practices and resources to protect data across your entire organization.
Protecting data is a multi-layered approach that starts with proper encryption. Data encryption is a straightforward but powerful tool for protecting sensitive information. Taking adequate steps to protect your organization's data means, first, knowing where your data is and, second, identifying where you need to take concrete steps to enforce encryption, both at rest and in transit.
Below, we’ll cover the most common areas of encryption: Endpoint Encryption, Mobile Device Encryption, Backups Encryption, and File Level Encryption — plus why they matter, and how you can ensure they are thoroughly implemented.
Endpoint Encryption
Your laptops and desktops. Think of any devices not secured by locked doors.
When we focus on endpoint encryption, we want to ensure that the hard drive itself is encrypted. This is referred to as full disk encryption (FDE). For example, if someone gets their hands on a company laptop, the login password alone is not enough to keep them away from key information. If the hard drive is not encrypted, they can read data directly from the drive, bypassing the operating system's password entirely. FDE encrypts at the hard drive level and makes the data unreadable if the device is stolen.
Modern-day Windows and Mac devices are encrypted by default.
How do you make sure this is enforced and managed? Enterprises should ensure that the encryption (recovery) keys are managed through a central system, which also makes device management easier. This way, if an employee leaves or something goes awry, you will always be able to regain full access to the data on the device.
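One way to verify the "enforced" half of this on Linux endpoints, as an added example that is not from the original article: parse the JSON output of `lsblk` and flag any watched mountpoint whose backing device is not sitting on a `crypt` (LUKS/dm-crypt) layer. The two `lsblk` samples below are constructed for illustration, and the `watched` mountpoints are an assumption you would adjust to your own disk layout.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output: root lives on
# a LUKS-mapped device, so this is what a compliant endpoint looks like.
SAMPLE_ENCRYPTED = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]}]}
"""

# Constructed sample of a non-compliant endpoint: root is a plain partition.
SAMPLE_PLAIN = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]}
"""


def _walk(devices, ancestor_types):
    """Yield (device, types of its ancestors) for every node in the lsblk tree."""
    for dev in devices:
        yield dev, ancestor_types
        yield from _walk(dev.get("children", []), ancestor_types + [dev.get("type")])


def unencrypted_mounts(lsblk_json, watched=("/", "/home")):
    """Return watched mountpoints that are NOT backed by a crypt layer.

    A mount counts as encrypted if the mounted device is itself type "crypt"
    or any device above it in the stack is (e.g. LVM on top of LUKS).
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []
    for dev, ancestors in _walk(tree, []):
        if dev.get("mountpoint") in watched:
            on_crypt = dev.get("type") == "crypt" or "crypt" in ancestors
            if not on_crypt:
                findings.append(dev["mountpoint"])
    return findings


def check_live_host():
    """Run lsblk on the current machine and report unencrypted watched mounts."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out)
```

An empty list from `check_live_host()` means every watched mount sits on dm-crypt; on Windows the equivalent check is `manage-bde -status` (or `Get-BitLockerVolume` in PowerShell), and on macOS `fdesetup status`.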
What if we operate cloud-first? If your organization is cloud native (you don't have any on-premises servers), cloud options exist to manage the encryption keys.
What if we use legacy systems? You can find a dedicated software solution that can be deployed throughout the environment to manage and back up the recovery keys for you.
✏️ Extra Credit | Encrypting Servers: If your servers are located in areas that can easily be broken into (e.g. a closet in your office), you should enforce FDE. For servers that are stored in data centers that have robust physical security controls, it becomes less of a priority. We recommend prioritizing devices that can more easily be stolen or misplaced (laptops and mobile devices).
Mobile Device Encryption
Your cellphones and tablets used to access company resources.
On both Android and iOS, most phones and tablets are encrypted by default. If a mobile device is lost or stolen, encryption can protect your data.
✏️ Extra Credit | Mobile Device Management: If you want to go beyond the basic controls already in place, you can implement a Mobile Device Management (MDM) solution. If someone is using a mobile device to connect to your organization's network, you can require them to meet certain security settings before accessing your organization's data. For example, you may require employees to have a security PIN set on their mobile device in order to keep connecting. MDM also lets you monitor for and enforce encryption on phones if, for some reason, encryption is not enabled or has been disabled.
Backups Encryption
Protecting your backups.
Your backups, when stored on disk, exist as files. You can access those files to create a replica of your environment, but a threat actor who reaches them can do the same and gain access to your data. Encrypting those backups adds an extra layer of security for your organization.
What if we use cloud software to store our backups? In that case your backups should already be encrypted, but you should always ask your SaaS providers how they protect your data, including whether they encrypt it.
File Level Encryption
An extra layer of security.
If a threat actor accesses your data through some sort of backdoor into your environment, hard drive level protection won't secure your data at the software level: a running system decrypts the disk transparently for anyone who is already inside. For an extra layer of security, you can start to implement encryption controls on individual files themselves. From Word documents to ZIP files, you can add passwords to prevent anyone unwanted from seeing the contents. More robust solutions exist to manage this at scale and for data stored in applications. Proper implementation of encryption at this level can be a long-term project and should be planned and implemented with the help of experts.