Encryption
Encryption is the process of encoding information in such a way that unauthorized individuals cannot view it. Encryption is needed because there is plenty of information that organizations must ensure is kept private and confidential. Some of this information includes the following:
- Bank-account information
- Credit-card information
- Private correspondence
- Personal details
- Privileged information
- Sensitive company information
- Social Security numbers
- Trade secrets
Encryption is performed by using the science of cryptography. Cryptography is a vast and complex subject. An in-depth understanding of it is beyond the scope of this book. Therefore, this section does not discuss how encryption works. What is important to know is that just about all organizations need to use encryption. Many are already using encryption, but others will wait until they suffer through a bad experience or have to comply with new laws that mandate the protection of personal data. Encryption's role in the organization includes the following:
- Authentication Services such as Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP) make use of authentication.
- Data encryption Information in storage can be encrypted to protect it from prying eyes. Microsoft's Encrypted File System (EFS) is one such example.
- IPSec IPSec can be used to provide confidentiality and/or integrity to information in transit. It is widely used to help implement virtual private networks (VPNs).
- Public Key Infrastructure (PKI) This is a widely used system to verify and authenticate the validity of each individual involved in an Internet transaction.
- Pretty Good Privacy (PGP) PGP is as close to military-grade encryption as a private individual can get, and it works well at securing email. Unlike public key infrastructure (PKI), PGP works by using a web of trust. Users distribute and sign their own public keys. It can be used to encrypt information in storage or in transit.
- Secure Shell (SSH) This application-layer protocol can provide secure communications and is a good replacement for Telnet and FTP.
- Secure Sockets Layer (SSL) An application-independent protocol that was developed to encrypt information in transit.
- Transport Layer Security (TLS) A protocol that guarantees privacy and data integrity between client/server applications.
As shown in the preceding list, encryption can be used at all levels of a security infrastructurefrom protection to network communications over the Internet to encrypting data on a drive. Encryption can provide confidentiality, authentication, integrity, and nonrepudiation for information in storage or in transit.