Everyone talks about encryption these days – whether they understand what it is or not. For more information about what encryption is and is not, check out our other Security posts. But is encryption the last word in security? And if so, why don’t we all just switch it on and instantly be protected from baddies?
Encryption Will Save Us All, Won’t It?
What Is Encryption?
We have spoken about encryption before, but let’s just recap. If you write down a message, then write an instruction to scramble and unscramble that message, you’ve basically written an encryption algorithm.
You start with clear text, so maybe “Hello from Beaty Consultancy”. Now let’s say we’re going to replace each letter of the clear text with the letter 2 up in the alphabet. So A becomes C, B becomes D, and so on. For now, let’s not worry about spaces and other special characters. And when we get to Z, we’ll just wrap around and start at A again. To be clear, no (good) encryption algorithms work like this. This is a huge over-simplification so we can all follow along easily.
Therefore the Encryption key could be expressed something like n+2, where n is the letter within the text we’re looking to encrypt or decrypt.
Our message would look like this after our encryption key has been applied to it; “Jgnnq htqo Dgcva Eqpuwnvcpea”. Also, that took me longer to write out than you’d hope 🙂
That means we now have our encrypted message too, otherwise known as Cipher Text. You can apply the Encryption Key in reverse to the Cipher Text to get back to Clear Text. And now you understand encryption!
What Is Encryption For?
Refer to the image at the top of this post: a German Enigma machine from World War 2. Operators used these machines to apply encryption to clear text messages. Cipher text would then be transmitted over the air. The Germans knew Allied forces could intercept the messages, and were doing so, but it didn’t matter, because we didn’t have the encryption key, and so we couldn’t decrypt the cipher text back to clear text.
This demonstrates perfectly what encryption is used for, since we still blast sensitive information across the air now. I bet you’re reading this over a WiFi or mobile network. If we didn’t encrypt these signals, anyone could just receive the signals which were only meant for your device.
To put this more generally, encryption is used when you can’t trust the medium your data is transmitted over, or stored on. This means we can use encryption to secure the data stored on our laptops and devices too – and indeed we do. Whenever I flash my mug at my iPhone, it uses that as part of the encryption key to allow the device to decrypt the data on my device for me.
What Encryption Is Not For
So far, encryption sounds amazing! We just switch it on and all of our security concerns go away, right? Well, not really.
Sure, if someone gets possession of my device, they won’t be able to read the data thereon. If someone gets physical possession of any of the hardware in the AWS datacentres where my EC2 servers happen to be running, they won’t be able to get data out. Great. But that’s not usually how data is stolen.
Just like my face has to be able to tell my device that it’s okay to decrypt data for me now, the applications running on our servers need the same ability. The application will have some form of authorisation to use the encryption key to get clear text data from the server’s storage. If it didn’t, the application just couldn’t work because the data would be gibberish. And that’s the problem – the application layer.
If I know you run Windows Server 2008 on your server, I already know it is unsupported by Microsoft, and doesn’t receive security updates anymore. So there’s a good chance I could use software vulnerabilities to break into the application layer of your server. We already agreed that the application layer needs to be able to decrypt the data stored on the server’s storage, so if I’m making requests through the application layer to your storage, the encryption makes no difference.
In the same way, if you managed to capture a German Enigma operator, you could make them decrypt messages received over the air. Well, today’s messages anyway, since the encryption key will change tomorrow.
Also, go and read The Bletchley Park Code Breakers – it’s awesome!
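The storage-versus-application point above, as an added example (not code from the original post): the post's toy n+2 shift stands in for at-rest encryption, and the `EncryptedDisk` and `Application` classes and the user names are hypothetical.

```python
# Added example. The toy "n+2" shift from the post stands in for at-rest
# encryption; it is NOT secure. Class and user names are hypothetical.
import string

SHIFT = 2  # the post's "n+2" key

def shift_text(text, shift):
    """Shift letters by `shift`, wrapping at Z; leave other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

class EncryptedDisk:
    """Storage layer: only ever holds cipher text."""
    def __init__(self):
        self.blocks = {}

class Application:
    """Application layer: holds the key so it can serve clear text."""
    def __init__(self, disk, key, authorised_users):
        self.disk, self.key, self.authorised = disk, key, set(authorised_users)

    def save(self, name, clear_text):
        self.disk.blocks[name] = shift_text(clear_text, self.key)

    def read(self, user, name):
        # Authorisation is the only control on this path; the encryption
        # never gets a say once the application decides to answer.
        if user not in self.authorised:
            raise PermissionError(user)
        return shift_text(self.disk.blocks[name], -self.key)

def demo():
    disk = EncryptedDisk()
    app = Application(disk, SHIFT, authorised_users={"alice"})
    app.save("greeting", "Hello from Beaty Consultancy")
    stolen_disk_view = disk.blocks["greeting"]      # what a stolen drive yields
    app_layer_view = app.read("alice", "greeting")  # what the app hands back
    try:
        app.read("mallory", "greeting")
        denied = False
    except PermissionError:
        denied = True
    return stolen_disk_view, app_layer_view, denied

if __name__ == "__main__":
    print(demo())
```

Whoever holds the drive sees only cipher text, while anything the application agrees to answer comes back as clear text, so patching and access control on the application layer do the protecting on that path.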
So I Shouldn’t Bother With Encryption?
Oh no, you absolutely should encrypt data in your cloud! Just because it’s not usually how data is stolen doesn’t mean it’s not worth bothering with. The chances of you having a car crash on any given journey are next to zero, but they aren’t absolutely zero, so you always put your seat belt on, don’t you?
The beauty of encryption in the cloud now is that it’s usually just a tick box. It doesn’t slow anything down, and it doesn’t cost any extra. That being the case, encrypt everything! Why wouldn’t you?
It’s just best to understand what encryption is saving you from, and what it isn’t.