Encryption, a necessary brick in the foundations of GDPR
From the transposition ciphers in Ancient Greece, to the development of rotor cipher machines in World War I and the advent of computers in World War II, the methods used to carry out cryptography have become increasingly complex and its application more widespread. Now, with the EU’s new GDPR legislation, encryption is attracting growing interest.
The number of people affected globally by data breaches in 2017 soared by 88 per cent compared to the previous year, with 2.6 billion records stolen or compromised. This, reinforced by the arrival of the GDPR, has given encryption particular prominence because of its ability to render breached data useless to anyone who is not authorized to access it. Indeed, encryption is one of the recommended solutions in the context of the GDPR. Of course, encryption does not exonerate the company from its responsibilities, but it relieves them considerably in the event of a data breach, to the point that some could see it as a miracle cure.
To be clear, cryptography is only one element among many security measures, which must always be considered as a whole. Although encryption can be a significant drain on budget (around 15 percent of the average IT security budget) and on network performance, it enables organizations to better protect their data and to avoid paying penalties of up to 4% of total turnover under the GDPR. Therefore, despite its advantages, it is important for businesses to use encryption only where it is most suitable.
Centralize to manage diversity
In terms of encryption, a centralized hardware platform in the company's own data centre, under its own control, remains the safest, most convenient and clearest solution in terms of accountability. One of the particular features of encryption in the context of the GDPR is that it concerns many more varied types of data and environments than the security contexts in which it is traditionally used. We will eventually have to encrypt structured and unstructured data, virtualized and archiving environments, and applications in the cloud. Another peculiarity is that we will not only encrypt dynamic data, to protect it during transfer, but also static data "at rest", especially in databases.
To respond to this diversity of situations, the encryption solution must be sufficiently agile and service-independent. In particular, it should rely on technology standards and on the entire ecosystem of software vendors so that it can easily fit into the company's computer systems.
To maximize this flexibility, it is better for business leaders to opt for a centralized platform, which becomes the sole trusted resource for all information systems. A centralized platform allows the Chief Information Security Officer (CISO) to regain control over encryption.
Cryptography, a future beyond GDPR?
When choosing their tool, the CISO and the company must not lose sight of the fact that cryptography is not quite like any other solution and that it does not always benefit from the latest technological trends. However, the solution must be able to adapt to any kind of IT environment. As far as the growth of cloud computing is concerned, the CISO should ensure that the encryption and decryption keys and the data they protect are not stored in the same place. When delegating to a cloud provider, the management and control of keys is a serious responsibility that can only be exercised within a strictly controlled contractual and operational framework. Furthermore, data sovereignty is a key challenge that must be taken into consideration.
By encouraging stronger data protection, the GDPR, together with other sectoral regulations in health and banking, is now making cryptography mainstream. While its potential remains largely unexplored, it will take its place in corporate security policy as a tool that is by no means sufficient on its own, but one that is certainly necessary.