A User’s Guide to Encryption Part One: Encryption of Data at Rest

Some of the tools which use encryption to protect data while it is “at rest” include:

• Full Disk Hard Drive Encryption – A method of scrambling all of the data on an entire drive so that it is unreadable without the password or key. Unlike piecemeal solutions which address the security of individual files, full disk encryption tools use a program which is installed on the local computer or device to automatically encrypt and decrypt data as it is written to a drive and read back from a drive. Drive encryption has little, if any, effect on speed for most computer users, and can be applied to an entire device (like a hard disk, a solid state drive, or a flash drive) or to one or more partitions (subdivisions of storage space) on a device. Some of the tools which can be used to encrypt storage devices and partitions include Windows Bitlocker, VeraCrypt, and Symantec Endpoint Encryption. I’ve used Windows Bitlocker for years, and while it’s painful when you occasionally have to enter the Bitlocker recovery key (always back up that recovery key where you can find it, or you’ll be sorry!), it has no impact on my use of Windows apps.
• File-Level Encryption – A method of protecting data in individual files using passwords, encryption keys, or authorization servers. File level encryption is used to protect individual files, but the rest of the disk may or may not be protected. Many tools can be used to provide file-level encryption in different scenarios, including Windows Encrypted File System (EFS) (to protect individual files or folders on a Windows hard disk), AESCrypt (scrambles individual files using a separate application), and 7-Zip (a utility which can create and access password-protected archives of files and folders). Some applications, like the Microsoft Office applications and Adobe Acrobat allow users to encrypt a file by protecting it with a file-level password which must be entered when a user opens the file.
• Information Rights Management (IRM) – A variant on file-level encryption, IRM is method of encrypting a file and then only allowing users access based on permissions stored on an authentication server. Readers may recall the early days of digital music, when songs you purchased online were protected with a superset of IRM called Digital Rights Management (DRM) and that music could only be played in a special player application (e.g. iTunes) because the embedded DRM protection in the files made them incompatible with other players or applications. Some IRM solutions used by businesses include Adobe LiveCycle Rights Management ES, Windows Information Protection, and Microsoft Office 365 IRM. IRM creates some issues, but is becoming an important way businesses protect their sensitive data from interception by outsiders, and it permits companies to take away a user’s ability to access data which has been inappropriately removed or stolen from its servers.

With the proliferation of new laws and regulations covering data privacy from California as well as the European Union’s General Data Protection Regulation (GDPR), it’s more important than ever to encrypt sensitive data wherever possible so you can meet your obligation to your clients to keep information transmitted in confidence secure from prying eyes. Next month, we will present part two of this series– how we protect data “in transit” with encryption as we access or retrieve it from a remote location.

=======

Brian F. Tankersley, CPA.CITP, CGMA (@BFTCPA, CPATechBlog.com) advises firms and companies on accounting technology issues. He has served as the technology editor for a major accounting industry publication, and currently teaches courses in the US and Canada through K2 Enterprises for professional accounting organizations across the US and Canada. Brian and his family make their home in Farragut, Tennessee.