File Encryption

What is File Encryption and Why it's Important for your Business

Data needs to be protected against exposure and unauthorized access at all times. Protocols like TLS protect data in transit, but don’t do anything for data being stored on a machine. File encryption protects this data by encrypting all files before storing them on a computer’s hard drive or on removable media. The use of strong encryption means that it is impossible for anyone to read the data without access to the appropriate encryption key.

A file encryption solution will also implement a key management solution, which is critical to the security of the system. On the one hand, users need to be able to access these keys so that they can decrypt data and use it for legitimate purposes. On the other, attackers need to be blocked from accessing these keys, which would allow them to decrypt the files and read the data that they contain. A file encryption solution must be designed so that encryption keys are securely stored and only accessible by legitimate users.

Why Use File Encryption?

File encryption is designed to protect data at rest. The use of encryption enables an organization to protect itself against a range of potential attacks and decrease its cybersecurity risk.

Compromised Accounts

User and application accounts are commonly compromised as part of cyberattacks. A cybercriminal may use phishing, credential stuffing, or other means to identify login credentials for a user account. Alternatively, exploitation of an application vulnerability may give an attacker access to an enterprise system with the same privileges as the compromised application. In these cases, organizations’ data security largely boils down to permissions management. If the compromised account has access to a particular file, so does the attacker. In the case of a compromise of a root or administrator account, this includes almost every file on the compromised system.

File encryption can provide another line of defense against this type of attack. If a file is encrypted, the attacker needs access to the decryption key as well as the file itself. If encryption keys are well-managed, access is restricted to those who actually need them for their jobs, which is not necessarily the same group that has administrator-level permissions on a system. This provides an additional level of defense against data leaks and decreases an organization’s cyber risk.

Cloud Storage

Companies are increasingly moving sensitive data and vital applications to the cloud. While cloud-based deployments have a number of advantages over traditional on-premises data centers, they also create security concerns.

Cloud security can be very different from traditional cybersecurity, and the accessibility of the cloud from the public Internet makes the stakes of poor security even higher. As a result, the number of data breaches involving cloud storage has grown steadily with the increase in cloud adoption.

One of the most common mistakes that organizations make regarding their cloud data is failing to encrypt it. This makes the organization’s data security only as strong as the weakest link in the organization’s cloud security.

Leveraging file encryption in the cloud makes cloud data breaches much harder to perform. Even if an attacker can gain access to an organization’s cloud-based data storage, they also need access to the associated decryption keys to derive any value from the data. A file encryption solution with secure key management poses a much more challenging target.

Lost/Stolen Devices

Employees are increasingly using mobile devices for work. This trend has become more common in recent years, and the COVID-19 pandemic created an explosion in telework and the use of personal and mobile devices.

With the increased convenience of these mobile devices comes higher cybersecurity risk. A smartphone, tablet, or laptop is relatively easy to lose or have stolen in a public place. If this occurs, the thief may be able to read sensitive company data off of the device by scanning its hard drive.

File encryption protects against the threat of lost or stolen mobile devices. Each file on the machine is encrypted, and the encryption keys are stored in a form protected by the user’s password. If an attacker doesn’t have access to this password, then they can’t read any useful data off of the stolen device.

Regulatory Compliance

In recent years, the regulatory compliance landscape has grown increasingly complex. In the past, organizations largely had to comply with industry-specific regulations like HIPAA and PCI DSS. In the wake of the passage of the EU’s General Data Protection Regulation (GDPR), many governments have passed their own data privacy laws as well, such as the California Consumer Privacy Act (CCPA).

While these laws vary in the details, they have a common focus on protecting consumer data. One of the common requirements is that organizations protect their customers’ data and restrict access based upon need-to-know.

File encryption enables an organization to meet both of these requirements. Encrypting files and restricting access to decryption keys based upon role requirements ensures that no one can gain unauthorized access to sensitive data.

What to Look For in a File Encryption Solution

File encryption is a valuable tool for data security. However, implemented improperly, it can negatively impact employee productivity or lull an organization into a false sense of security. Some vital features to look for in a file encryption solution include:

  • Secure Encryption: A file encryption solution is only as secure as the encryption algorithm that it uses. For example, GhostVolt uses AES in GCM mode.

  • Granular Control: Some encryption solutions use a single key to encrypt all data, but this forces an “all or nothing” approach to access management. A file encryption solution should support a variety of different keys, enabling access to files to be granted or denied on a per-user or per-application basis.

  • Usable Key Management: File encryption is designed to protect data from unauthorized access; however, it is necessary for legitimate users to be able to access their data in order to carry out their business. For this reason, the file encryption solution’s key management system should be secure, easy to use (enabling granular key management) and highly accessible.

  • Easy Sharing: Employees within an organization need to be able to share internal documents and other files. A file encryption solution needs to make it easy for these users to add or revoke other users’ access to their documents.
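
The per-user keys, password-protected key storage and add/revoke sharing described above can be built with envelope encryption, shown here as an added Node.js example that is not GhostVolt's code or a description of its design. The function names, the choice of scrypt for deriving a key from a password, and the users passed in are assumptions made for illustration.

```javascript
// Added example (not GhostVolt code): per-user access via envelope encryption.
const crypto = require('node:crypto');

// A user's key-encryption key (KEK) is derived from their password with scrypt.
function makeUser(id, password, salt = crypto.randomBytes(16)) {
  return { id, salt, kek: crypto.scryptSync(password, salt, 32) };
}

// AES-256-GCM encrypt; aad binds the ciphertext to its context (file/user).
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; throws if the key, aad, ciphertext or tag is wrong.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Encrypt the file once under a random data key (DEK); wrap the DEK per user.
function encryptFile(name, data, users) {
  const dek = crypto.randomBytes(32);
  const file = { name, body: seal(dek, data, name), wrapped: {} };
  for (const u of users) file.wrapped[u.id] = seal(u.kek, dek, `${name}:${u.id}`);
  return file;
}

// Decrypt as one user: unwrap the DEK with that user's KEK, then open the body.
function decryptFile(file, user) {
  const w = file.wrapped[user.id];
  if (!w) throw new Error(`no wrapped key for ${user.id}`);
  const dek = open(user.kek, w, `${file.name}:${user.id}`);
  return open(dek, file.body, file.name);
}

// Revoke: re-encrypt under a new DEK so a previously unwrapped DEK is useless.
function revoke(file, actor, revokedId, users) {
  const remaining = users.filter((u) => u.id !== revokedId);
  return encryptFile(file.name, decryptFile(file, actor), remaining);
}
```

Revocation here protects the stored ciphertext going forward; it cannot recall plaintext a user already decrypted and copied while they had access.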

Why Do I Need File Encryption?

Many cybersecurity solutions are geared toward businesses. Most individuals don’t need to make the same investment in cyber and data security as companies do because they have less personal data and it is often less targeted by cybercriminals. However, that isn’t to say that the average person shouldn’t take any steps to protect their personal data. One of the fundamental cybersecurity protections that every person should have is file encryption.

What is File Encryption?

When using the Internet, most people know to use encryption of data in transit. This is the big difference between HTTP and HTTPS traffic (i.e. whether or not the lock icon shows up in the address bar). Using HTTPS helps to ensure that you’re connected to the right website and that no one can eavesdrop on your connection, which may include personal data like credit card information, your Netflix queue, etc.

However, your personal data isn’t only at risk when it’s traveling over the Internet. Despite your best efforts, there is a chance that your computer will be infected with malware that your antivirus doesn’t catch. If this is the case, the malware may start looking for sensitive data on your computer and send it to the cybercriminal running the malware.

This is where file encryption comes in. Instead of just encrypting data in transit, file encryption ensures that data is stored encrypted on your computer. This means that an attacker or malware with access to your computer can’t read your sensitive data unless they also know your password.

Why Do I Need File Encryption?

The most common argument against implementing good cybersecurity practices is “I don’t have any data worth stealing”. However, this statement is incorrect, and cybercriminals commonly target individuals to steal personal data.

When thinking about your personal data, you might focus on credit card and banking information, which is primarily entered into the browser and not stored on the machine. However, a great deal of personal data can be extracted from files that you may store on your computer without thinking twice about them. Some examples of these files include:

  • Tax Return Documents: Most tax preparation software provides an option to store a copy of the return on your computer. A full tax return provides an attacker with all of the information that they require to perform identity theft. Similarly, W2s, 1099s, and other common forms can contain sensitive data.

  • Family Photos: By default, many cameras and smartphones will embed location information in photos, which is why your computer can tell where and when the photo was taken. A picture of a backyard barbecue can reveal a home address, or a birthday photo can reveal someone’s name and date of birth.

  • Application Forms: Applications for a loan, rental, etc. often contain sensitive information like a social security number (SSN). This information can be used in identity theft scams.

  • Travel Plans: When booking a vacation, you may store a copy of the booking information on a computer. These confirmations can include financial information and details of your travel plans, and can provide a would-be burglar with a list of dates when a house will be empty.

Common, everyday files can reveal a great deal of personal information. Protecting these files with encryption when storing them on a computer can help to prevent this data from getting into the hands of cybercriminals.

Simple File Encryption with GhostVolt

Implementing file encryption does not need to be complex or expensive. GhostVolt offers a simple, user-friendly solution that enables users to securely store files on their computers and share them with friends and family.

The Problem with Cloud Storage for Secure File Sharing

In the modern business, the ability to quickly and easily share documents and other files throughout the business is essential. Everyone works in teams, and sharing documents via email or shared file servers is inefficient.

Cloud-based document sharing services, like Dropbox and Google Drive, offer a tempting alternative to traditional methods of document sharing. Tools like Google Docs enable an entire team to edit a document in parallel and track the complete revision history of the document, making it easy to attribute and revert edits.

However, these cloud-based document sharing services also have their downsides. Employees using these services have to make a choice between efficiency and security, and many choose efficiency. As a result, a number of organizations have suffered data breaches caused by employee negligence in configuring and securing cloud-based services.

Security Challenges of Cloud-Based File Sharing

Cloud Service Providers (CSPs) provide built-in security configuration settings for their environments. While the details vary from CSP to CSP, many of them operate on a simple private/public access model.

A private cloud, as the name suggests, is private. In order to access the cloud-based resource, an employee needs to be explicitly invited to access the resource. On Google Drive, for example, this invitation comes in the form of the document owner (or other administrator) sending a sharing link to the person’s email address.

While this system is effective at securing access to the cloud-based resource, it also creates significant overhead for the document administrators. They must explicitly invite every user of the cloud-based resource and manually revoke permissions if access is abused. While Google Docs keeps an edit history, making it possible to detect such abuse, the document administrator would have to manually review this for anything suspicious.

The overhead associated with properly securing cloud-based resources drives many users to go to the opposite extreme. By marking the cloud-based resource as public, the employee can share access to the document simply by sharing the URL of the document with the desired recipient.

The primary benefit of this system is that anyone with access to the link has access to the resource, making it easy to invite new users. The primary downside of this system is that anyone with access to the link has access to the resource, making it easy for unauthorized users to discover and access the document.

Many people incorrectly believe that it is difficult to find the URL of a cloud-based resource if you are not an authorized user of the resource. Even ignoring the possible cases where an authorized user forwards the link to an unauthorized user, cloud URLs are relatively easy to discover. Hacking tools exist specifically for scanning the space of possible cloud URLs (they have a set scheme), checking if a given URL is valid, and checking if it is public. In fact, most known cloud data breaches were discovered in this way: an ethical hacker using these tools identified an unsecured cloud resource and notified the owner.

Beyond the access control issues associated with cloud resources set to “public,” there are also attribution issues. For example, Google Drive maintains a complete edit history for a document, making it possible to determine if a user has made unauthorized edits. However, knowing that “Anonymous Panda” was the one at fault doesn’t help much. Additionally, Google Drive doesn’t track access by anonymous users, so only those trying to modify the data (instead of just stealing it) would be detected.

Secure Document Sharing with GhostVolt

Cloud-based document storage, like Google Drive, has made significant strides toward making it possible to efficiently and effectively share documents within a team. However, these systems still have a way to go.

More effective solutions for secure document sharing are available. GhostVolt Business takes the basic services that Google Drive (and similar services) provide and takes them a lot further.

Encryption of all files by default, whether on a user’s personal machine or in the cloud, with AES-256 ensures the security of business data. Access to these documents can be managed by defining specific user roles and managing permissions to files based on these roles. This makes it easy to map a user’s access to documents within the organization to their job responsibilities.

However, where GhostVolt really stands out is in the visibility that it provides regarding shared documents. All user activity is logged, and GhostVolt has built-in reporting functionality to summarize raw data into readable reports. This, combined with GhostVolt’s strong access controls, makes it easy to maintain and demonstrate compliance with a wide (and growing) range of data protection regulations, such as the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and HIPAA, SOX, CCPA, and more in the US.

The Importance of Secure Document Sharing

As more regulations like GDPR and CCPA come into effect, organizations are required to strongly protect the data in their possession and to be able to demonstrate that these security controls are in place. On the other hand, the ability to quickly share data throughout the organization is essential to enabling the organization to operate efficiently.

A secure document sharing solution, with built-in encryption and strong role-based access control, is essential to maintaining regulatory compliance. However, it also needs to be intuitive and efficient to use to meet core business needs. When choosing a document sharing solution, an organization should not need to compromise on security, usability, or performance.