Encryption - What should department heads know? | Office of Information Technology


Last Updated: 04/03/2017

What is encryption?

In short, encryption is any technique used to transform information into a form that others cannot read or interpret without knowledge of how it was transformed.  The simplest example is the classic “secret decoder ring”, which substituted each letter for another (for example, buffalo might become vyddlki); you needed your own decoder ring to translate the information back to its original form.  Naturally, modern encryption techniques are much more advanced than secret decoder rings and usually employ complex mathematics.

Some encryption vocabulary:

  • Encrypt – the process of transforming readable information into an unreadable form
  • Decrypt – the process of transforming encrypted information back into its readable form
  • Key – the item used, along with the algorithm, to encrypt and decrypt information.  This could be a password, a special file or a hardware device.
  • Algorithm – the mathematical technique used, along with the key, to encrypt and decrypt information
  • “At rest” – information is considered “at rest” when it is saved to a computer or storage device (like a CD, tape or thumbdrive), usually in contrast to “in transit”.  Note that data is still considered “at rest” while it is physically moving, for example when someone carries a CD containing the information.
  • “In transit” – information is “in transit” when it is being transferred over a network.  This could be copying a file from a file server, submitting a webpage order form or sending an email.
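
The following is an added example, not code from the OIT page, that makes the vocabulary above concrete with the page's own “decoder ring”: the algorithm is letter-for-letter substitution, the key is the permuted alphabet that sender and receiver both hold, encrypt applies it and decrypt applies its inverse. The key `DEMO_KEY` and the function names are constructed for this illustration; the key was chosen so that the page's example (buffalo becoming vyddlki) holds. A toy cipher like this offers no real protection and is shown only to illustrate the terms.

```python
import hashlib
import random
import string

# Added example, not code from the OIT page. A keyed letter-substitution
# cipher (the page's "secret decoder ring") used only to make the
# vocabulary concrete: the ALGORITHM is substitution, the KEY is the
# permuted alphabet, ENCRYPT applies it and DECRYPT applies its inverse.
# This toy cipher offers no real protection; it is an illustration only.

ALPHABET = string.ascii_lowercase

# Constructed key: a permutation of the alphabet chosen so that the page's
# own illustration holds ("buffalo" -> "vyddlki"). Position i of the key is
# the letter that replaces ALPHABET[i].
DEMO_KEY = "lvabcdefghjknmiopqrsytuwzx"


def validate_key(key: str) -> str:
    """A usable key must contain every letter exactly once; otherwise two
    plaintext letters would collide and decryption would be ambiguous."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 lowercase letters")
    return key


def key_from_password(password: str) -> str:
    """Derive a key from a password, since the page notes a key "could be a
    password". The password is hashed and the digest seeds a deterministic
    shuffle, so the same password always yields the same key."""
    seed = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


def _substitute(text: str, table: dict) -> str:
    # Letters are mapped through the table (case preserved); everything
    # else (spaces, digits, punctuation) passes through unchanged.
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            sub = table[low]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    """Transform readable text into its unreadable form using the key."""
    validate_key(key)
    return _substitute(plaintext, dict(zip(ALPHABET, key)))


def decrypt(ciphertext: str, key: str) -> str:
    """Transform encrypted text back, by turning the ring the other way."""
    validate_key(key)
    return _substitute(ciphertext, dict(zip(key, ALPHABET)))


if __name__ == "__main__":
    msg = "Buffalo budget, FY 2017"
    ct = encrypt(msg, DEMO_KEY)
    print(ct)                      # Vyddlki vybecs, DZ 2017
    print(decrypt(ct, DEMO_KEY))   # Buffalo budget, FY 2017
```

Two points the page makes show up directly in the code: without the key (the permuted alphabet) the ciphertext is unreadable even though the algorithm is public, and a key that is lost (a forgotten password in `key_from_password`) cannot be recovered from the ciphertext alone, which is the “plan B” problem discussed later on this page.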

Other terms you hear a lot in encryption:

Public key, private key, symmetrical, asymmetrical, cipher, AES, DES, triple-DES, 128-bit, 256-bit, blowfish, PGP, token, certificate

When should my department be using encryption?

Encryption is employed when information that you wish to keep private might be exposed to prying eyes.  This includes when sensitive information is transferred over a network, stored on a device that could be easily lost or stolen, or stored on a computer to which an unauthorized person might gain access.

The top places departments should be using encryption are:

  • Authentication (logins) – Most logins are encrypted these days, but we often run across websites that require a login yet do not protect the login information with encryption.  Passwords sent over a network are popular targets, so login encryption is essential.
  • Transferring sensitive data over the network – Sensitive data is vulnerable to prying eyes when it is moving between computers, so encrypting this type of information “in transit” is an important aspect of protecting it.
  • Storing sensitive information on portable computers and devices – Portable computers and devices (like thumbdrives and CDs) can readily be stolen or lost, along with the data they contain.  Departments should either not store sensitive data on such devices or encrypt any sensitive data stored on them.

Many departments use sensitive data in different ways.  Please contact the IT Security Office for additional information about protecting sensitive data.

What problems might arise because we use encryption?

The biggest problem with encryption is usually losing the keys and losing the ability to decrypt the information.  This is typically not a problem for network forms of encryption like an encrypted website communication, but is often an issue with encrypted files or disks.  Whenever the only, or primary, copy of information is encrypted, one needs to think carefully about how the data can be accessed if a password is forgotten or a key file is lost.  Many encryption programs provide options to address this issue, so make sure you have a “plan B” for getting to your encrypted information.

Encryption generally isn’t free and will likely require purchasing software, devoting time of IT staff and purchasing training for IT staff.

Depending on the situation, encrypting information may complicate other IT management functions and departments should review the potential impact to their IT processes and technologies. 
