Data encryption malignant fibrous histiocytoma pathology in-transit and at-rest – definitions and best practices

In the latest few years the world wide web has malignant fibrous histiocytoma pathology experienced an exponential growth of hackers, malwares, ransomwares and other malicious software or parties which is constantly malignant fibrous histiocytoma pathology trying to find a way to steal our personal data: given this scenario, it goes without saying that securing your data became one malignant fibrous histiocytoma pathology of the most important tasks that we should prioritize, regardless of the role that we usually play. The general (and urgent) need to prevent unauthorized access to personal, sensitive and/or otherwise critical informations is something that should be acknowledged malignant fibrous histiocytoma pathology by everyone – end-users, service owners, servers administrators and so on: the differences are mostly related to whatwe need to protect malignant fibrous histiocytoma pathology and howwe should do that.

Needless to say, the act of choosing the proper way to protect our malignant fibrous histiocytoma pathology data is often subsequent to a well-executed risk assessment followed-up by a costs-benefits analysis, which is a great approach to help us finding the malignant fibrous histiocytoma pathology appropriate technical and organisational measures to implement in our specific malignant fibrous histiocytoma pathology scenario. This is also the proper way to act according to malignant fibrous histiocytoma pathology the General Data Protection Regulation ( GDPR), as stated in the Art. 32 – Security of Processing:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk malignant fibrous histiocytoma pathology of varying likelihood and severity for the rights and freedoms malignant fibrous histiocytoma pathology of natural persons, the controller and the processor shall implement appropriate technical and malignant fibrous histiocytoma pathology organisational measures to ensure a level of security appropriate to malignant fibrous histiocytoma pathology the risk […]

• At rest: this is the initial state of any digital data: in very short terms, this indicates the data that is stored somewhere without being malignant fibrous histiocytoma pathology used by and/or transmitted to anyone (including software, third-parties, human beings, and so on). From local Hard Drives to Network Attached Storages, from USB pendrives to mobile devices, from system folders to database servers, any physical and logical storage system, unit or device is meant to be used to contain malignant fibrous histiocytoma pathology data at rest… at least for a while.

• In transit: also known as “in motion”. This is relative to the data which is being transmitted malignant fibrous histiocytoma pathology somewhere to somewhere else. It’s worth noting that the concept of “data transfer” can take place between any number of parties, not limiting to just two (the sender and a receiver): for example, when we transfer a file from our desktop PC to malignant fibrous histiocytoma pathology our laptop using our LAN, we’re basically performing a data transfer involving a single party malignant fibrous histiocytoma pathology (us); conversely, when submitting a transaction to a distribuited database, such as a blockchain, we’re enforcing a data transfer between an indefinite amount of malignant fibrous histiocytoma pathology parties (the whole blockchain nodes).

• In use: whenever the data is not just being stored passively on malignant fibrous histiocytoma pathology a hard drive or external storage media, but is being processed by one or more applications – and therefore in process of being generated, viewed, updated, appended, erased, and so on – it’s intended to be “in use”. It goes without saying that data in use is susceptible malignant fibrous histiocytoma pathology to different kinds of threats, depending on where it is in the system and who malignant fibrous histiocytoma pathology is able to access and/or use it. However, the encryption of data in-use is rather difficult to pull off, since it would most likely cripple, hinder or crash the application which is actually accessing it: for this very reason, the best way to protect the data in use is malignant fibrous histiocytoma pathology to ensure that the application will take care of such malignant fibrous histiocytoma pathology job by adopting the most secure development and implementation patterns malignant fibrous histiocytoma pathology within its source code.

If our device is stolen, the encryption at-rest will prevent the thief from being immediately able to malignant fibrous histiocytoma pathology access our data. Sure, it can still try to decrypt it using brute-force or other encryption-cracking methods, but this is something that will take a reasonable amount malignant fibrous histiocytoma pathology of time: we should definitely be able to pull off the adeguate malignant fibrous histiocytoma pathology countermeasures before that happens, such as: changing the account info he might be able to see malignant fibrous histiocytoma pathology or somewhat use via existing browsers password managers, login cookies, e-mail clients accounts and so on; track our device and/or issue a “erase all data” using our Google or Apple remote device management services; and so on. Logical theft

Let alone the physical and/or logical thefts, there are a lot of other scenarios where data encryption malignant fibrous histiocytoma pathology at-rest could be a lifesaver: for example, if we lost our smartphone (and someone finds it); or if we make a mistake while assigning permissions, granting to unauthorized users (or customers) access to files/folders/data they shouldn’t be able to see; or if we forget our local PC or e-mail password in plain sight, thus allowing anyone who doesn’t feel like respecting our privacy to take a look malignant fibrous histiocytoma pathology at our stuff; and the list could go on for a while. How can it help us

• how much we’re willing to sacrifice in terms of overall performance and/or ease of access to increase security: can we ask to all our local (and remote) users to decrypt these data before being able to access malignant fibrous histiocytoma pathology them? Should we use a password, a physical token or a OTP code? Can we make the encryption transparent enough to not hinder malignant fibrous histiocytoma pathology our external users and also to allow our software apps malignant fibrous histiocytoma pathology and tools to deal with the encrypted data whenever they’ll need to deal with it?

• if we’re looking for a way to securely store our E-Mail messages, we can easily adopt a secure e-mail encryption standard such as S/MIME or PGP (both of them are free): although these protocols are mostly related to in-transit encryption, since they do protect data mostly meant to be transferred malignant fibrous histiocytoma pathology to remote parties, as a matter of fact they are commonly used to malignant fibrous histiocytoma pathology perform a client-side encryption, which means that they protect the e-mail messages while they’re still at-rest. Needless to say, since those message will most likely be sent, our destination(s) will also have to adopt the same standard to be malignant fibrous histiocytoma pathology able to read them.

Now, let’s take for granted that both the server and client malignant fibrous histiocytoma pathology have implemented a strong level of data encryption at-rest: this means that the first and the fifth state are malignant fibrous histiocytoma pathology internally safe, because any intrusion attempt would be made against encrypted data. However, the third state – where the data is in-transit – might be encrypted or not, depending on the protocol the server and the client are malignant fibrous histiocytoma pathology actually using to transmit the data.

As we can see, the security issue is quite evident: when the web server processes the incoming request and transparently malignant fibrous histiocytoma pathology decrypts the requested data, the channel used to transfer it to the web client malignant fibrous histiocytoma pathology (HTTP) is not encrypted: therefore, any offending party that manages to successfully pull off a malignant fibrous histiocytoma pathology suitable attack (see below) could have immediate access to our unencrypted data. How can it help us

• Whenever the transmitting device is reachable via web interface, web traffic should only be transmitted over Secure Sockets Layer malignant fibrous histiocytoma pathology (SSL) using strong security protocols such as Transport Layer Security (TLS): this applies to any web site and/or WAN-reachable service, including e-mail servers and the likes. As of today, the best (and easiest) way to implement TLS security and implement the encryption in-transit for any website is by obtaining a SSL/TLS HTTPS certificate: those can either be purchased from registered CA authorities ( Comodo, GlobalSign, GoDaddy, DigiCert and their huge resellers/subsellers list) or auto-generated through a self-signing process, as we briefly explained in this post. Although self-signed certificates will grant the same encryption level of their malignant fibrous histiocytoma pathology CA-signed counterparts, they won’t generally be trusted by the users as their browser malignant fibrous histiocytoma pathology clients won’t be able to verify the good faith of the malignant fibrous histiocytoma pathology issuer identity (you), flagging your website as “untrusted”: for this very reason, they should only be used on non-production (or non-publicly accessible) server/services.

• Any data transmitted over e-mail should be secured using cryptographically strong email encryption tools malignant fibrous histiocytoma pathology such as S/MIME or PGP, which we already covered when we talked about data encryption malignant fibrous histiocytoma pathology at-rest: although these protocols perform their encryption at client level (and therefore at-rest), they’re also great to protect the asynchronous in-transit flow of an e-mail message.

• Any binary data should be encrypted using proper file encryption malignant fibrous histiocytoma pathology tools before being attached to e-mail and/or transmitted in any other way. Most compression protocols, including ZIP, RAR and 7Z, do support a decent level of password-protected encryption nowadays: using them is often a great way to add an malignant fibrous histiocytoma pathology additional level of security and reduce the attachment size at malignant fibrous histiocytoma pathology the same time

Encryption in-transit is really helpful, but it has a major limitation: it does not guarantee that the data will be encrypted malignant fibrous histiocytoma pathology at its starting point and won’t be decrypted until it’s in use. In other words, our data might still be predated by occasional and/or malicious eavesdroppers, including internet providers, communication service providers and whoever could access the cryptographic keys malignant fibrous histiocytoma pathology needed to decrypt the data while in-transit.

Overcoming such limitation is possible thanks to End-to-End Encryption (E2EE), a communication paradigm where only the communicating end parties – for example, the users – can decrypt and therefore read the messages. End-to-end encrypted data is encrypted before it’s transmitted and will remain encrypted until it’s received by the end-party. Reasons to use it

• Suppose that a third party manages to plant their own malignant fibrous histiocytoma pathology root certificate on a trusted certificate authority: such action could theoretically be performed by a state actor, a police service or even a malicious/corrupted operator of a Certificate Authority. Anyone who is able to do this could successfully operate malignant fibrous histiocytoma pathology a man-in-the-middle attack on the TLS connection itself, eavesdropping on the conversation and possibly even tampering with it. End-to-end encrypted data is natively resilient to this kind of malignant fibrous histiocytoma pathology attack, because the encryption is not performed at the server level.

• End-to-end encryption can also increase the protection level among the malignant fibrous histiocytoma pathology user processes spawned by an operating system. Do you remember the recent CPU flaws called SPECTRE and malignant fibrous histiocytoma pathology MELTDOWN? Both of them allowed a malicious third-party (such as a rogue process) to read memory data without being authorized to do so. End-to-end encryption could avoid such scenario as long as the malignant fibrous histiocytoma pathology encryption is performed between user process (as opposed to the kernel), thus preventing any unencrypted data from being put in the malignant fibrous histiocytoma pathology memory.

End-to-end encryption is the most secure form of communication that malignant fibrous histiocytoma pathology can be used nowadays, as it ensures that only you and the person you’re communicating with can read what is sent, and nobody in between, not even the service that actually performs the transmission between malignant fibrous histiocytoma pathology peers. Various end-to-end encryption implementations are already effective on most messaging apps malignant fibrous histiocytoma pathology and services (including Whatsapp, LINE, Telegram, and the likes). In a typical “communication app” scenarios, the messages are secured with a lock, and only the sender and the recipient have the special malignant fibrous histiocytoma pathology key needed to unlock and read them: for added protection, every message is automatically sent with its own unique lock malignant fibrous histiocytoma pathology and key. How to implement it

End-to-end encryption can be used to protect anything: from chat messages, files, photos, sensory data on IoT devices, permanent or temporary data. We can choose what data we want to end-to-end encrypt. For example, we might want to keep benign information related to a malignant fibrous histiocytoma pathology chat app (like timestamps) in plaintext but end-to-end encrypt the message content.

RELATED POSTS