06-21-13 | Blog Post

Encryption at the Software Level: ‘It’s Not Always Cut-and-Dry’


Encryption is a hot topic at Online Tech during the month of June, and we hope we’ve offered some valuable insight into the complex topic through our ongoing series of free educational webinars.

The latest was presented by guest co-host Mark Stanislav, Security Evangelist at Duo Security, and our own Software Development Manager, Farooq Ahmed. Together, Stanislav (a Linux expert) and Ahmed (a .NET developer) tackled how encryption can be applied, from within the application code, at each stage of the data-sharing process in the webinar Encryption at the Software Level: Linux and Windows.

“The topic of cryptography is very involved, very complex,” Stanislav told attendees during the one-hour presentation on Tuesday, June 18. “What we want to do is operationalize your knowledge so that you feel comfortable knowing what these terms mean, how to get started with some of these issues and … step beyond being the everyday, end-user type of consumer of cryptography.”

The webinar is a follow-up to the June 11 presentation on the value of encryption for HIPAA, PCI and other regulatory frameworks, and a precursor to a hardware and storage-focused webinar scheduled for June 25.

Stanislav said one goal of the webinar was to define “how to employ and where to employ cryptology, because it’s not always cut-and-dry in terms of when and where to use it.”

He outlined the differences between encryption and encoding, gave an in-depth comparison of symmetric key cryptography with asymmetric key cryptography and defined cryptographic hashing.

“There’s a lot of big math, a lot of very technical details, and some brilliant people that have put these algorithms together over the years,” Stanislav said. “But when it comes down to it, we utilize this stuff every single day and it has really revolutionized how we do information security.”

Stanislav also outlined what he called the three most common cryptography misconceptions:

  1. Encryption algorithms need to be secret to be secure. False: a sound algorithm is published and openly reviewed, and its security should depend entirely on keeping the key secret, not on security through obscurity (Kerckhoffs's principle).
  2. Public-key cryptography means that my data can be read by anyone with my public key. False: in public-key (asymmetric) cryptography the public key is meant to be shared. Anyone can use it to encrypt data, but only the holder of the matching private key can decrypt it.
  3. The government puts backdoors into all algorithms. False: if you can prove this, tell someone!
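The symmetric/asymmetric/hashing comparison and misconception 2 above, as an added example that is not from the webinar or from Online Tech: a Go program (standard library only) that encrypts a constructed message to a recipient's RSA public key, shows that the matching private key recovers it while an unrelated private key is rejected outright, and contrasts that with SHA-256 hashing, which has no key and no inverse. The message text and key names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample plaintext for the demonstration (not real patient data).
const sampleMessage = "patient-id:0001;result:sample"

// EncryptToPublic encrypts msg so that only the holder of the matching private
// key can read it (RSA-OAEP with SHA-256). The public key may be handed to
// anyone; possessing it does not let them read the ciphertext.
func EncryptToPublic(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWithPrivate reverses EncryptToPublic. OAEP padding verification makes
// decryption with any other private key fail instead of returning junk.
func DecryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Digest returns the hex SHA-256 of data. A hash has no key and no inverse:
// it is the same public algorithm for everyone, fixed-length, and cannot be
// "decrypted" back to the input.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// AsymmetricResult records what the asymmetric round trip showed.
type AsymmetricResult struct {
	RoundTripOK       bool // holder of the private key recovered the plaintext
	WrongKeyRejected  bool // an unrelated private key could not decrypt it
	CiphertextDiffers bool // encrypting the same message twice gives different bytes
}

// DemoAsymmetric generates the recipient's key pair plus an unrelated key pair
// (a "stranger" who, like everyone, can see the recipient's public key) and
// exercises misconception 2: the public key encrypts, only the matching
// private key decrypts.
func DemoAsymmetric() (AsymmetricResult, error) {
	var res AsymmetricResult
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	msg := []byte(sampleMessage)
	ct1, err := EncryptToPublic(&recipient.PublicKey, msg)
	if err != nil {
		return res, err
	}
	ct2, err := EncryptToPublic(&recipient.PublicKey, msg)
	if err != nil {
		return res, err
	}
	res.CiphertextDiffers = !bytes.Equal(ct1, ct2) // OAEP is randomized per encryption
	pt, err := DecryptWithPrivate(recipient, ct1)
	res.RoundTripOK = err == nil && bytes.Equal(pt, msg)
	_, err = DecryptWithPrivate(stranger, ct1) // wrong private key: OAEP check fails
	res.WrongKeyRejected = err != nil
	return res, nil
}

func main() {
	res, err := DemoAsymmetric()
	if err != nil {
		panic(err)
	}
	fmt.Printf("asymmetric: %+v\n", res)
	fmt.Println("sha256(abc) =", Digest([]byte("abc")))
	fmt.Println("sha256(abd) =", Digest([]byte("abd"))) // one character changed, unrelated digest
}
```

Note that nothing in the program is secret except the two private keys: the algorithms (RSA-OAEP, SHA-256) are the standard library's public, reviewed implementations, which is the point of misconception 1.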

To give the concept of effective software encryption a real-life feel, Stanislav and Ahmed worked through an example scenario. In it, they followed data for a hospital through its various connections and discussed the appropriate related encryption.

Why, for instance, does Stanislav recommend that a vendor connecting to the hospital over the internet through a virtual private network (VPN) still send patient data to an SSL/TLS-protected (HTTPS) website rather than relying on the VPN tunnel alone?

Or, once the uploaded file is stored encrypted on the hospital server, why should the Windows application server pull it over SFTP rather than plain FTP?

And once the encrypted data reaches the web application server, what should stay encrypted, how should the hospital store that data long-term (encrypting the data itself at the application level vs. encrypting the database as a whole) and how should the hospital work with that data while keeping it secure?

All those questions, and more, were answered by our experts. To learn more, both the slides and a video replay of the webinar are available here.
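What the "encrypting data" side of the data-vs-database question looks like in application code, as an added example that is not from the webinar or from Online Tech and is not presented as the speakers' recommendation: a Go program (standard library only) that seals one field per patient row with AES-256-GCM before it ever reaches the database, then plays the moves open to someone who has database access but not the key. The record IDs, the field contents and the choice to bind each ciphertext to its record ID through GCM associated data are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredField is what the database column actually holds once the application,
// not the database engine, does the encrypting: nonce || ciphertext || GCM tag.
type StoredField struct {
	RecordID string
	Blob     []byte
}

// NewDataKey makes a random AES-256 key. Assumption of this example: the key
// lives in the application's key store, never in the database next to the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field of one record. The record ID goes in as GCM
// associated data, so the ciphertext is authenticated together with the row
// it belongs to and cannot be quietly moved to another row.
func SealField(key []byte, recordID string, plaintext []byte) (StoredField, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredField{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per stored value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredField{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return StoredField{RecordID: recordID, Blob: append(nonce, ct...)}, nil
}

// OpenField decrypts a field. It fails, rather than returning garbage, when the
// key is wrong, the blob was modified, or the blob was copied from another row.
func OpenField(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// StorageResult records what the storage demonstration showed.
type StorageResult struct {
	RoundTripOK     bool // the application, holding the key, reads its own row back
	PlaintextHidden bool // a dump of the column does not contain the plaintext
	SwapRejected    bool // a blob moved from another row fails authentication
	TamperRejected  bool // a modified blob fails authentication
}

// DemoStorage writes two constructed patient rows, then tries what someone with
// database access but no key could do: read the column, swap rows, edit a row.
func DemoStorage() (StorageResult, error) {
	var res StorageResult
	key, err := NewDataKey()
	if err != nil {
		return res, err
	}
	rowA, err := SealField(key, "patient-0001", []byte("result: sample A")) // constructed data
	if err != nil {
		return res, err
	}
	rowB, err := SealField(key, "patient-0002", []byte("result: sample B"))
	if err != nil {
		return res, err
	}
	pt, err := OpenField(key, rowA.RecordID, rowA.Blob)
	res.RoundTripOK = err == nil && string(pt) == "result: sample A"
	res.PlaintextHidden = !bytes.Contains(rowA.Blob, []byte("sample A"))

	_, err = OpenField(key, rowA.RecordID, rowB.Blob) // B's blob copied into A's row
	res.SwapRejected = err != nil

	tampered := append([]byte(nil), rowA.Blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored ciphertext/tag
	_, err = OpenField(key, rowA.RecordID, tampered)
	res.TamperRejected = err != nil
	return res, nil
}

func main() {
	res, err := DemoStorage()
	if err != nil {
		panic(err)
	}
	fmt.Printf("application-level encryption: %+v\n", res)
}
```

The database engine only ever sees StoredField.Blob, so a table dump, a backup copy or an account with SELECT rights yields nothing readable, which whole-database or disk encryption alone does not give you against those same parties. The price is that the application now owns the key and must decrypt a field before it can search, index or display it; that trade-off is what makes the data-vs-database choice a design decision rather than a default.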

“It’s good to think about the bigger picture of how we secure data,” Stanislav said. “The reality is, levels of security in general have a certain scope of what it protects and how it protects. It’s important to think about things bigger.”

Don’t miss the last encryption webinar in the series, next Tuesday at 2PM ET: Encryption at the Hardware and Storage Level.
