Recently, as information security needs have increased rapidly, various security techniques and strategies have drawn attention. Encryption is one of the approaches that has received the most attention. We have received many questions about encryption from people around us, as we were the first security company to develop a database encryption product in South Korea.
“Does the system become complicated and difficult to use after encryption?” “I’ve heard that encryption doesn’t actually affect the level of security.” Many people have posed questions like these out of fear or confusion about encryption’s usefulness. Are these valid concerns?
When looking at encryption as a security product, the ideal answer should be, “No, that is not the case.” However, when seeing encryption from the limited viewpoint of encoding/decoding techniques, or data processing strategies, the answer could be, “The result will depend on how you go about adopting encryption. Therefore, these concerns could hold water if you adopt the wrong procedures for your data environment.”
Continuing with a business consultation or advertising type of answer, one could say, “To address these concerns you should use some special technique we have developed, or a product that we provide.” But we don’t want to give a lecture on Encryption 101. Instead, we want to talk about how to view encryption, which is a very fundamental question for information security.
To get straight to the point, encryption is ‘culture’. This concept is more obvious in an organization or enterprise that requires core IT systems. Encryption is a process that defines information security for people who develop information security products. However, from the viewpoint of those who manage and control the organization’s vital data, encryption is the starting point of a culture centered on secure information management.
In the past, when the citizens of a town lived together in one community, they could live peacefully without worrying about security. These days, however, security is one of the main reasons why we prefer living separately in locked apartments, sometimes with additional guards at the front gate. Along that same line of thinking, we are experiencing a different generation, one in which security has become an essential factor in IT systems.
Data security is vital to saving and transmitting data in a controlled state. The first step then becomes distinguishing which information is important and how it must be managed carefully. If this isn’t done, we will need to make countless virtual locks and doors to manage the vast amounts of undistinguished information. After determining what data is sensitive, what should we do next? Encryption.
Just 3 to 4 years ago there was no distinction between common information and sensitive information, and everything was stored in the DB without discrimination. Even worse, private information was sometimes used as the DB key. Here we are referring to the term key as used when designing the DB (e.g. primary key, foreign key, etc.), not the encryption/decryption keys. This was our habit during IT system development, our culture of the time. Social Security Numbers were a particularly useful type of information for IT system developers. Each Social Security Number is unique, with every number identifying a single citizen registered by the government, so using this type of key ensured integrity.
Today, developers would not dare to use important private information as a search key. Moreover, they will develop a system which clearly distinguishes between important information, such as personal data, and non-vital information. When DB operators discuss how they are going to synchronize with an external system to send and receive data, they cannot help but consider which process to use for decrypting encrypted information, or which processes should be designed to control authority privileges for the encryption key (used when encrypting/decrypting data, not to be confused with the DB key mentioned previously).
From data management changes to technical changes, encryption is the catalyst for starting a cultural revolution in information security. Managers now have no choice but to distinguish whether the system in question utilizes private information or not. Also, the need to encrypt important information has brought revolutionary changes in the way that enterprises and organizations manage their data. Starting from the system development step, it is important to change the appropriate guides and protocols to distinguish between the levels of data sensitivity. These examples are only the tip of the iceberg of our emerging security culture. The reason encryption should not cause inconvenience, as mentioned earlier, is that encryption is a starting point, not a complete security strategy. Encryption is not only the simple act of encoding data but also the effective protection of data by establishing a procedure for managing encrypted data. Otherwise, it is not true security, just a technology used during the system building process.
We urge any CPO reading this article to employ data encryption in order to trigger a cultural IT revolution. If you want to encrypt existing system data, including private information, you can solve this problem by consulting a technical expert. However, changing the culture of development, operation, or management in an organization is not something that can be done by just anyone. IT systems in particular are a major source of competitive power in any enterprise, and a key necessity. There needs to be a culture that encourages a high level of information security, different from that of the old days. Therefore, we suggest a slogan: “Information security is a culture. A cultural revolution in information security begins with encryption.”