Should the data on my server be encrypted?
Over the last few days I’ve heard a lot of questions in the media asking why TalkTalk didn’t have their customer data encrypted.
While it’s easy to understand why people might ask the question, it’s slightly harder to understand why encryption is not the answer. This blog post will explain the purpose of encryption, and the attacks it prevents, but more importantly, those that it doesn’t.
So why do we encrypt data? Well, encryption is supposed to make the data impossible to read, but not for everyone! Some people will still need to access it, or it would be useless.
So when my laptop has an encrypted disk, and the decryption key is derived from a password I keep in my head, I can still use the laptop because I know the password, but anyone who steals it will have a very hard time decrypting its data.
The problem with server systems like the TalkTalk customer database is that they are designed to be read not just by one human user, but by many other computer systems: for example, the website that customers use to check their account details, the call centre staff who use computers to look up your records, or the accounting system which needs to know billing details for customers. All of these systems need access to the customer data and, obviously, they need it unencrypted.
This changes everything. Because now if I hack into the accounting system, then I can use it to read as much customer data as I want. Whether it’s encrypted on the actual customer database or not becomes irrelevant.
For this reason, encryption should be thought of primarily as a protection for assets which you don’t have good physical controls over, such as laptops and other mobile devices.
However, when it comes to protecting data stored on database servers with many connected systems, there are other layers of security you should be thinking of. For example, limiting access to only the required users; penetration testing connected systems to discover weaknesses that hackers might exploit, and intrusion monitoring to detect when hackers or malicious insiders may be stealing large amounts of data.
The more layers like this that you add, the more secure your data becomes. But, unless you are worried about someone breaking into your datacenter and physically stealing your database, then encryption is not the answer.
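To make the "other layers" concrete, here is an added example (my own illustration, not code from the original post and not a description of TalkTalk's systems) of a small data-access gateway sitting between a customer table and the systems that read it. It applies two of the controls described above: each connected system only receives the columns its job needs (least privilege), and a per-system count of distinct customers read within a sliding window raises an alert when a bulk read begins (intrusion monitoring). The table contents, the principal names and the limits are all constructed for the example.

```python
"""Added example: a minimal access gateway applying least privilege and
bulk-read detection in front of a customer table.  Every name, row and
threshold here is constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample customer table.  In a real deployment this lives in the
# database; it is held in memory here so the example runs offline.
CUSTOMERS = {
    1000 + i: {
        "name": f"Customer {i}",
        "email": f"customer{i}@example.invalid",
        "bank_sort": "00-00-00",
        "bank_acct": f"{10000000 + i:08d}",
    }
    for i in range(200)
}

# Least privilege: each connected system sees only the columns its job needs.
# Compromising the website therefore does not expose bank details, because
# the website never receives them.  (Hypothetical principal names.)
ALLOWED_COLUMNS = {
    "website": {"name", "email"},
    "callcentre": {"name", "email"},
    "accounting": {"name", "bank_sort", "bank_acct"},
}

# Monitoring: how many distinct customers a principal may read inside one
# window before we alert.  A call-centre agent handles a few dozen callers an
# hour; an accounting batch legitimately touches many records.  These
# baselines are assumptions for the example and would be tuned from real data.
READ_LIMITS = {"website": 20, "callcentre": 50, "accounting": 10000}
WINDOW = timedelta(minutes=10)


class CustomerGateway:
    """Serves customer rows to connected systems while enforcing the
    column allow-list and recording reads for bulk-access detection."""

    def __init__(self, table):
        self._table = table
        # principal -> deque of (timestamp, customer_id), oldest first
        self._reads = defaultdict(deque)
        # (principal, timestamp, distinct_customers_in_window)
        self.alerts = []

    def _distinct_in_window(self, principal, now):
        """Drop reads older than WINDOW and return distinct customers left."""
        window = self._reads[principal]
        while window and now - window[0][0] > WINDOW:
            window.popleft()
        return len({cid for _, cid in window})

    def read(self, principal, customer_id, at=None):
        """Return the columns `principal` is allowed to see for one customer,
        or None if the customer does not exist.  `at` lets callers supply
        the clock (used for deterministic testing)."""
        if principal not in ALLOWED_COLUMNS:
            raise PermissionError(f"unknown principal {principal!r}")
        row = self._table.get(customer_id)
        if row is None:
            return None
        now = at or datetime.utcnow()
        self._reads[principal].append((now, customer_id))
        distinct = self._distinct_in_window(principal, now)
        if distinct > READ_LIMITS[principal]:
            # One alert per read over the limit; a real system would forward
            # this to the monitoring pipeline rather than keep a list.
            self.alerts.append((principal, now, distinct))
        return {k: v for k, v in row.items() if k in ALLOWED_COLUMNS[principal]}


if __name__ == "__main__":
    gw = CustomerGateway(CUSTOMERS)
    t0 = datetime(2015, 10, 23, 9, 0, 0)
    print("accounting sees:", gw.read("accounting", 1001, at=t0))
    print("website sees:   ", gw.read("website", 1001, at=t0))
    # A call-centre login reading 55 different customers in one minute.
    for i in range(55):
        gw.read("callcentre", 1000 + i, at=t0 + timedelta(seconds=i))
    print(f"{len(gw.alerts)} bulk-read alerts raised for "
          f"{gw.alerts[0][0]!r}" if gw.alerts else "no alerts")
```

Note that the gateway does no encryption at all: it still hands out plaintext to whichever system asks, which is exactly the situation the post describes. What changes is how much each system can see, and how quickly an unusual volume of reads becomes visible to someone watching.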