A person with a hood over their head looks at two computer screens with numbers and codes displayed.

The Case for Encrypting Everything: A Q&A With PKI Expert Mrugesh Chandarana

Data breaches are a widespread and expensive problem for today’s businesses. I sat down recently with HID’s Director of Product Management, Mrugesh Chandarana, to discuss how organizations can protect themselves — and why comprehensive data encryption is one of the most effective tools for mitigating the cost and impact of a data leak.

Let’s talk about the way that enterprise security paradigms have evolved over the years.

In the old days, people were more focused on defining the network perimeter and securing whatever was inside it. Over the years, that approach shifted, because perimeter security was not strong enough to handle the rise of a remote, global workforce, where employees bring their own devices and connect to enterprise resources from a wide range of different locations.

That’s where the concept of Zero Trust comes in. Zero Trust says you don’t want to trust anything that’s connecting to your network without authenticating and authorizing it. It’s become the key pillar in enterprise security — especially now, when most of the workforce is working remotely.

Can you outline the Zero Trust philosophy and some of its basic concepts?

Zero Trust is about making sure that the people and devices that are trying to connect with your network are, first of all, authorized to access it. Then, if they are authorized, what level of access should they have? Do they have the appropriate roles or permissions they need to access a particular service?

Initially, as you suggest, Zero Trust concepts centered around users’ ability to access network resources. Increasingly, the need for certain extensions to the framework — like encrypting all data that enterprise users produce or interact with — has become clear. Why is that?

Authentication and authorization are certainly one piece of the puzzle. The next one is encryption. In fact, encryption was included in the recent Executive Order on Cybersecurity, which recommended that both government agencies and private enterprises encrypt all data, in transit and at rest, to keep information safe even if it’s stolen or compromised.

Now, encryption has been around for many decades. However, with advances in technology, it’s no longer as hard as it once was to deploy at the enterprise level. Thanks to the threat quantum computing is known to pose to cryptography, enterprises are adopting new cryptographic algorithm such as Elliptic Curve Cryptography (ECC). ECC provides the level of encryption strength that’s equivalent to the Rivest-Shamir-Adleman (RSA) algorithm with a shorter key length. As a result, the speed and security offered by ECC certificates are higher than RSA certificates.

And yet, according to Forrester, only 13% of global firms encrypt all data and half (45%) encrypt little to no data. What’s holding them back?

Many people still think that encrypting everything is too complex and are concerned about the amount of heavy lifting they think they’ll have to do to set up the infrastructure.

For example, one of the best technologies for encrypting data is Public Key Infrastructure (PKI). PKI has been around for many decades, but in the past, organizations had to set it up entirely on corporate premises, which wasn’t feasible for all but the largest enterprises. You needed servers and expert resources who could maintain them. For businesses whose core investments lay elsewhere, it did not make much sense to invest the money that was necessary to create that infrastructure in-house.

We’ll come back to that point in a moment. First, can you explain how PKI works — and how it supports the goal of encrypting everything?

PKI uses a pair of mathematically related keys to encrypt and decrypt information. One key is public and can be accessed by anyone. The other key is private. The keys’ owner gives the public key to anyone they want to send or share information. The private key is never shared and must be stored securely.

PKI support is built into most technologies, and you can use it to encrypt almost everything, whether it’s emails, documents or Internet traffic. You can even use PKI to conduct machine-to-machine authentication for network and IoT devices, and then encrypt whatever data they exchange.

Are there other technologies that organizations have at their disposal for encrypting everything?

At a high level, there are two types of data encryption methods: symmetric and asymmetric. For symmetric key encryption, the sender and the receiver both share the same private key for encryption and decryption. It is a bit faster, but it’s not as secure, because both parties share the secret and that needs to be protected. Asymmetric encryption — the technique that PKI is built on — uses public-key cryptography, which relies on a public and a private key that are mathematically linked.

How can you avoid the complexities you mentioned earlier of installing and maintaining PKI infrastructure? Is the technology really accessible to small- to mid-size enterprises?

Everything is moving to the cloud these days, and PKI is no exception, thanks to the introduction of so-called PKI-as-a-Service (PKIaaS) solutions.

This is not just a matter of convenience. From a security perspective, it makes sense to rely on services and infrastructure that have been built to scale by experts. PKIaaS vendors store your organization’s private keys in ultra-secure data centers and streamline the ongoing task of certificate issuance and management. They enable organizations to outsource the complexities of PKI while retaining visibility and control.

Data encryption helps mitigate both the impact and cost of data breaches. To learn more — and dive deeper into the issues that Mrugesh touched on in this interview — read the eBook, Encrypt Everything with Public Key Infrastructure (PKI) >>

Kym Elizondo-Cowley is the Senior Manager of Content Strategy with HID Global who brings more than 20 years of experience in writing and content marketing to the security industry. Before joining HID Global in 2018, Kym served as a content strategist, blogger, writer and marketer for organizations in the B2B and B2C SaaS and technology sectors, including roles at Blucora and Microsoft. She is based in Austin, Texas.