In BFSI, or for that matter any industry, you simply cannot run or host applications without encryption. It is a very basic requirement that all your applications, or to be precise your data, should always be encrypted while stored on disk (data at rest) and while travelling over the network (data in transit). Here we will try to understand what exactly encryption is and how it works.
In simple terms, encryption means the data is not in a readable format for an unauthorized user. For example, can you tell me the meaning of the word "IHOMQ"? Don't stress too much, there is no such word; it is actually an encrypted form of the word "Hello" using a very basic encryption key, "13212". Using the word "HELLO" and the key "13212", I shifted each letter of the word forward by the corresponding digit of the key, so H shifted by 1 becomes "I", E shifted by 3 becomes "H", and so on, as the small table below shows.
So when you store the word "Hello" in secure storage you are actually storing it as "IHOMQ", and to retrieve the actual value you need the key, "13212". Without the key, the data "IHOMQ" is of no use to an attacker.
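The digit-key shift described above, written out as an added example (this is not code from the original post): it encrypts and decrypts with a numeric key, repeating the key for longer text and wrapping shifts from Z back to A. Note that shifting L forward by 2 gives N, so the key "13212" turns HELLO into IHNMQ; the post's IHOMQ would need the third digit to be 3.

```python
# Added example (not from the original post): a Caesar-style shift cipher in
# which each letter moves forward by the matching digit of a numeric key.
# The key repeats for longer messages, shifts wrap from Z back to A, and
# non-letters (spaces, punctuation) are passed through unchanged.
import string

ALPHABET = string.ascii_uppercase  # A..Z, 26 letters


def _shift(text: str, key: str, direction: int) -> str:
    """Shift each letter by the next key digit; direction +1 encrypts, -1 decrypts."""
    if not key or not key.isdigit():
        raise ValueError("key must be a non-empty string of digits")
    out = []
    pos = 0  # index into the key, advanced only when a letter is consumed
    for ch in text.upper():
        if ch in ALPHABET:
            shift = int(key[pos % len(key)]) * direction
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            pos += 1
        else:
            out.append(ch)  # leave spaces and punctuation as they are
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    """Encrypt plaintext with the digit key (output is upper-case)."""
    return _shift(plaintext, key, +1)


def decrypt(ciphertext: str, key: str) -> str:
    """Reverse the shift; only someone holding the key can do this."""
    return _shift(ciphertext, key, -1)


def key_space(key: str) -> int:
    """Number of distinct keys of this length (10 choices per digit).
    This is why real systems use AES with 256-bit keys rather than a
    short digit string: 10**5 keys versus 2**256."""
    return 10 ** len(key)


if __name__ == "__main__":
    ct = encrypt("HELLO", "13212")
    print(ct, decrypt(ct, "13212"))        # IHNMQ HELLO
    print(encrypt("ZEBRA CROSSING", "9"))  # Z wraps to I, key digit repeats
    print(key_space("13212"))              # 100000
```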
This was a very basic example based on the Caesar cipher; in reality the algorithms and techniques used are far more complex, but by going through the above example you can easily understand what encryption is and what I mean when I say "encryption is something where the data is not in a readable format for an unauthorized user". Broadly, there are two categories of encryption:
Data in Transit
This is data being transferred from one system to another, such as when accessing an Internet Banking website, where data travels between the internet-facing application server and your laptop. This data should be encrypted: for example, if you enter your username and password on the Internet Banking website and the channel is not encrypted, someone who intercepts the connection can eavesdrop on (capture) the username and password. This is why you will always find that secure websites are hosted on HTTPS rather than HTTP, so that the connection is encrypted.
Data at rest
Similarly, if you have data stored in a database, that database is of course hosted on hardware at some location with physical security controls such as cameras and access control. Still, if someone manages to breach those controls and get hold of the physical disks, they should not be able to read any data from them. This is only possible if the data is encrypted when it is stored on disk; this type of encryption is called data at rest encryption.
We have talked about the broad categories of encryption; now let's talk about some encryption standards that are used industry-wide:
Data at rest standards
For encrypting any data stored in a database, or files stored on file systems / folders, the following standards should be followed:
AES 256 bit encryption should be employed for data at rest encryption
The keys used for encryption should be kept in a separate tamperproof Secure Key vault
The encryption keys should be used by the application in memory only and should be torn down once the encryption / decryption is done, which means the servers using the key for encryption / decryption should not store it anywhere on local storage.
Data in transit
For data travelling over the public network, channel-based encryption should be deployed, such as:
o SSL based encryption (public private key combination)
o Customized PKI based encryption following the below standards:
· 2048 bit Asymmetric key size
· 128 bit session key size
Payload-based encryption should be deployed for sensitive information; for example, if you are passing a password over the network, the password should be encrypted at the source before it is transmitted on the wire.
Note: for applications such as credit card and debit card transactions there is a specialized key management device called an HSM (Hardware Security Module), a tamperproof solution that has all the required controls for key lifecycle management.