Engineers: You’re Doing Encryption Wrong & Your Security is At Risk

Feature Image

The concept of encryption is simple enough. At a basic level, encryption is the process of encoding information so only authorized keyholders can unlock it. 

Implemented correctly, it is all but impossible to break encrypted code. 

All too often, encryption is, in fact, not implemented correctly, leaving companies vulnerable to data breaches. This is true across the board for organizations without dedicated SecOps, from small businesses to enterprise health systems and municipal governments.

While there are many avenues hackers can take to break into networks, often, the issue is as simple (and complicated) as flawed encryption. 

The Increasing Need for Encryption

The nCipher Security 2019 Global Encryption Trends Study revealed that 45% of respondents report the use of an enterprise-wide encryption plan, including backend applications. This number has been increasing steadily in recent years, for several key reasons.

New Tech

New and emerging advances in technology around topics like IoT devices and digital payments require strong cryptography to protect information. The inherent less-secure nature of “new” tech makes it a popular target for data thieves of all types. 

Cloud-based computing is another relatively recent innovation that offers convenience, but with increased security vulnerabilities. Companies must protect sensitive cloud data, preferably with secure encryption. 

Regulatory Changes

Privacy regulations like the GDPR (General Data Protection Regulations) and CCPA (California Consumer Protection Act) require companies to protect shared data in a meaningful way. Often, this means dedicating resources to more secure encryption technology. 

Industry Compliance

Voluntary compliance with industry standards such as those set out by PCI, NIST, and ISO is increasingly important. Business partners and clients have become more selective about working with companies who keep up with the latest industry data security standards.

Contract Compliance

Contracts and agreements often include clauses related to data security. Failing to meet the requirements laid out in this language can directly lead to financial losses and failed partnerships. 

Quick Encryption Solutions Are Not the Answer

DevOps teams are usually not staffed by data security experts. The engineers in these departments are often strapped for time and working under tight deadlines with limited resources. Finding efficient solutions for building and deploying projects is a must. 

Often, these teams will seek out encryption solutions online, where they find thousands of applicable webpages. It may seem sufficient at the moment to grab some encryption code from the web and plug it into a network. Unfortunately, this quick action can lead to a world of trouble when it comes to data security. 

StrongSalt founder Ed Yu has tackled these issues head-on with the launch of the new StrongSalt Privacy API. Yu and his team have put a focus on foundational best practices for encryption that have resulted in a solution engineers can trust with confidence, even for cloud data. 

“When we decided to offer the API,” he explains, “it was to make sure the right primitives are used properly for the right types of data.”  

Sites offering up encryption code are all too often outdated or filled with incomplete, incorrect information. One such resource is StackOverflow, which Yu says is routinely used by engineers who copy and paste code snippets found there until “something works.” 

“I don’t even have to begin to describe how and why that’s a horrible idea,” he says. 

This common quick fix is far too risky when it comes to protecting the sensitive internal and external data stored at organizations of all sizes.

Getting the Details Wrong

It turns out, getting encryption right is, well, hard. 

Here are just a few specific ways developers get it wrong:

– The random use of poorly encrypted, random numbers

– Using AES-ECB mode for 128+ bit data 

– Reusing initialization vectors, nullifying overall encryption

– Not factoring for dictionary attacks by leaving data searchable

There are many more potential encryption mistakes a developer can make that completely negate the intended result of a secure data solution. 

Relying on key rotation as an effective security measure is an especially problematic mistake because the practice creates a false sense of security. 

In reality, key rotation is more than ineffective. It is effectively useless

It’s Time to Do Encryption Right

Protecting sensitive data should be a top priority for any organization in today’s environment. Hacking, phishing, and human error can all lead to devastating financial and even legally problematic results. The solution lies with properly managed encryption.

StrongSalt understands encryption. That’s why the company created a privacy API that goes beyond alleviating the risk of human errors and preventing hackers from gaining access. The StrongSalt Privacy API keeps organizations in compliance with regulations and industry standards while providing keyless, decentralized encryption as a service.

StrongSalt’s innovative service even allows for searching and sharing encrypted data stored in, or shared from, the cloud.

Find out how the StrongSalt Privacy API can improve the way you take care of sensitive data. 


StrongSalt Articles You Might Like

API vs. SDK: Choosing the Best DevOps Tool for your Brand

Is Unsearchable Encrypted Data Holding You Back?

Encryption Key Rotation is Useless — Here’s Why

2020: A Year of Reckoning for Big Business and Data Privacy

It’s time to get real with your EULAs

3 Reasons Why Encryption Sucks For Businesses Today

StrongSalt Raises $3 Million in Seed Funding from Valley Capital Partners