A Q&A with Winston Krone of Kivu Consulting
Encryption is a best practice that helps safeguard private data “at rest” (in the database). However, most companies don’t deploy encryption. Instead, they might say they use “compensating controls” instead of encryption, which include the tokenization or hashing of data.
To find out more about the differences between encryption, hashing and tokenization and the relative advantages and disadvantages to each approach, we spoke with Winston Krone, Chief Research Officer at Kivu Consulting, which offers investigation, discovery and analysis to businesses facing data breach incidents.
Can you explain the difference between encryption verses hashing or tokens? What are the limitations of the hashing model?
Conceptually, they are three very different things with three very different purposes.
- Encryption is masking or hiding the data by changing the format so that it’s unreadable or indecipherable unless you have the means to decrypt it, so the data remains in place but gets scrambled or hidden. In a situation like a hospital where the organization needs to hold onto the data, this is the obvious method.
- Tokenization is a process where you’re trying not to possess the data, as with merchants who use credit card numbers, so instead of encrypting the information you store it away and assign it a key—think of it as a safe deposit box.
- Hashing means taking the information and running it through a mathematical formula or algorithm. There are different algorithms for different types of hashing, but whether you are hashing single Social Security number or your name or the Gutenberg bible, you will end up with a unique code of numbers to represent the data. As with tokenization, the company doesn’t need to hold the data. The biggest limitation of hashing is that there are certain types of data that shouldn’t be hashed—especially if it’s data you need to access regularly. Data with finite values such as Social Security numbers shouldn’t be hashed because hackers have already created rainbow tables of all of the possible combinations. Another problem we see is that people who use hashing don’t always purge the system of non-hashed data.
Why would some companies choose to use hashing rather than encrypt their data at rest?
Hashing is a cheaper method, and encrypting data is challenging. You can’t just encrypt something and leave it at that. You have to take care of the keys—the term is “key management.” Otherwise, hackers can crack in to the keys, basically giving them access to the bank. The other issue is that encryption is changing over time—methods from ten years ago are now unsafe so if you’re encrypting data you need to keep track of how old it is. Finally, securely encrypting data in databases that are constantly in use is a significant technological challenge.
One benefit of encryption usage is that, should you have a future data breach incident, the data (in theory) is useless to the bad guy and therefore still protected. At the same time, it gives you legal “safe harbor” and license not to report the breach incident. Can the same argument be made for hashing/tokens?
It’s not the same argument. Of the methods, only encryption will help you avoid the state notification laws in a data breach situation. The other issue with tokenizing is that you still have to protect the whole token system under the credit card industry regulations so it’s not a simple alternative to encryption or the cheap panacea people thought it might be.
What else might executives need to know about their data security?
In an era of shrinking budgets and personnel cuts, it’s easy to tell the CEO that the company is encrypting data or using “encryption-like” techniques. The executive needs to ask the hard questions, about what type of encryption is being used because the IT folks might not understand the legal issues at hand. The decision of whether to use tokenization or hashing or encryption is not just a technical or cost issue—it’s very much a legal issue, so it’s a good idea to have counsel involved. The legal reasons for the method you choose may ultimately outweigh the cost.
Going forward, many companies are actively trying to comply with various state and federal regulations to reasonably safeguard the private customer data in their care, custody and control. Unfortunately, it has been our experience that encryption—especially for data at rest—is one of the most challenging areas of data security for most of our clients. Proper encryption—in email, online transactions, backup tapes, laptops and corporate databases—is only deployed by a minority of companies (less than 10 percent), for many of the reasons that Mr. Krone mentioned. The truth is, IT budgets and technological barriers get in the way and clients often avoid best practices and pursue more cost-effective alternatives.
Lastly, if you’re looking for a turnkey solution to help your organization adopt an incident response plan—a key element in any framework for improving critical cybersecurity infrastructure—get more information about Breach Plan Connect® from NetDiligence.