Otava continues its data security video series on data encryption by explaining how encryption fits into the three premises of security.
Encryption mainly supports the premise of confidentiality: keeping prying eyes off confidential data.
Aiello explains how it may be difficult to balance all three premises while keeping data confidential.
Identifying critical data, such as protected health information (PHI) for the healthcare industry and credit cardholder data (CHD) for the ecommerce and retail industry, is the first step toward determining what data needs to be encrypted and kept confidential.
Steven: Encryption fundamentally plays into the three premises of security. The three premises of security: imagine you have a triangle, and when we talk about encryption and we talk about security, a lot of people think about confidentiality. That’s really where encryption comes into play. That’s one area of security.
You have integrity, which means the data that you have, the amount of money in your checking account, is accurate. You don’t want somebody to go over and move a zero or half of the money. The data should be as it should. The availability of data also is part of security. If you want your web server to be online and it’s being DDoSed, that’s not secure; your data isn’t available.
Encryption helps with that confidentiality piece. It keeps prying eyes off of data. You’re going to make a trade-off though. It’s the same thing as you’re managing a project. Any time you move toward that confidentiality of the data, it’s going to be a little bit harder to verify the integrity and a little bit harder to verify the availability.
Where it’s really important is where you have very sensitive data. Think about, for example, the formula to Coca-Cola. There are only two people in the world that know the formula to Coca-Cola and they’re not allowed to fly on an airplane at the same time. They minimize the availability of the data to make sure that the secret sauce for Coca-Cola is highly confidential. That’s essentially what you’re doing with encryption.
If you have PHI data, if you’re a health care company, if you have credit card numbers, dealing with PCI and business transactions, or anything else, you want to make sure that you identify that data and that you keep it confidential. That is where encryption really comes into play.