Developing a data encryption strategy

Companies face a growing number of regulations on handling data at the same time as demand for data storage is increasing. Organisations are investing in hybrid multicloud environments to store volumes of data ranging from gigabytes to petabytes.

Regulations including the General Data Protection Regulation (GDPR) have reinforced the importance of implementing an adequate encryption strategy. A set of technical and non-technical measures is required to protect data in a manner which preserves confidentiality and privacy.

A well-documented encryption strategy can overcome data protection issues. Additional security measures provide enhanced protection in unforeseen circumstances, preventing mishaps and safeguarding business interests.

  • Phase one: Designing and planning of the data encryption strategy.

To create a positive impact, any data encryption strategy requires the complete involvement of senior executives, who must lead from the front with plans and a financial resource package. A top-down, collaborative approach to data encryption can strengthen cyber security as well as raise awareness among employees.

The importance of involving database administrators, network analysts and security experts at an early stage cannot be overstated. Any personnel who work with data, systems or networks should provide input by participating in the formulation of the data encryption strategy.

To level understanding and awareness, create a consensus on how data encryption aligns with the wider enterprise mission or objectives. At this stage, set priorities, giving precedence to critical functionalities.

Assign responsibilities according to the work undertaken by each team, and from each team nominate a member who will be accountable for data protection at team level. The key to defining a good data encryption strategy is separating roles and delegating duties at team level at an early stage.

  • Phase two: Mapping of data that requires encryption.

In the mapping phase, review organisational data to scope what data the business collects, identify sensitive data and outline which storage spaces hold the critical data. Highlight the data which is maintained on premises and that which is stored in any cloud spaces. Differentiating between the storage spaces can be a lengthy process depending on the volumes of data; however, the long-term benefits are highly rewarding.

The focus of this phase should remain on high-value assets, reviewing access controls and existing policies to determine how much additional work is required. When mapping high-value assets, concentrate on information that is essential to the functioning of the business. Examples of critical business information are trade secrets, business plans, policies, governance documents and intellectual property.

Sensitive information refers to data that is regulated, for instance customer and employee information. It covers any personal data whose disclosure would violate the privacy of a person, for example names, addresses, payroll details, banking details or health records.

  • Phase three: Selecting and implementing encryption techniques.

Encryption techniques vary and depend on the technology stack deployed by the organisation. For effective encryption, typically four areas are assessed: application security, database security, full disk security, media security and file system security.

Most enterprises evaluate file encryption as a critical component when deploying a data encryption strategy. Another important aspect of this phase is delineating how encryption keys will be managed. The best practice is that each business should manage its encryption keys privately, including those used for cloud data.

Select a reputable encryption provider by conducting thorough market research and evaluating each provider against a concise set of criteria. Purchase an encryption product that provides an option for centralised policy and key management.

Once the encryption measures are implemented, continue monitoring your business infrastructure so that your data encryption can evolve as and when required.