How does encryption remove risk for auditors?

by Kevin Tunison
Published on 19th Oct 2021

For those in the security space or at C-level, you’ve likely seen a recommendation about how to manage encryption and corresponding keys. Or at least something about encryption needing further consideration.

Chances are, if you’re reading this you have at least an interest in the topic and are researching relevant products. In this post, I’ll run through the role of encryption for your organisation, and how (when it’s implemented effectively) it can remove a significant amount of risk management.

How do public/private encryption keys work?

Stepping back slightly, let’s establish what encryption is. Encryption is a process of encoding information so only those who should see it (those with a key), are able to. It’s important to differentiate this from cryptography, which is a field of study usually based on math and algorithms (that may or may not be mathematical).

When encryption is used, typically it will be asymmetric. This means two keys (a public and a private key) are used for encryption/decryption. To explain this, let’s use a metaphor of a postbox that any member of the public can drop mail into. The public key is the drop and is only wide enough to drop a letter in but not retrieve it once it is through. Only the postal employee has a private key to open the mailbox and retrieve its contents for onward delivery.

This is basic public/private key exchange in practice. We’ll come back to physical proximity shortly, because of its relevance with jurisdictional governance. What should be obvious from this metaphor is that if the mail/postal employee loses or divulges the key, then unauthorised people could see this confidential information. Besides the customer having implicit trust in their post arriving at its destination in a timely manner, there is an expectation it has not been tampered with.

Why encryption removes risk for auditors

What if, for argument’s sake, the letter in our example involved mortgage details with bank account information instructing a transfer of funds? Extending this hypothetical scenario, the customer would have no way to trace their mail once it is 'in the system' and anyone with the inclination and access *could* carry out tampering. It is this possibility of tampering that creates risk.

Encryption when implemented well removes tampering risk entirely. If the letter itself is encrypted and only the recipient has the key to decrypt it, the concern of tampering goes away. However, this is not the only solution in our scenario. This is exactly the sort of thing an auditor would recommend you put in place for sharing confidential information via email. 

The role of an auditor is to help an organisation reduce their risk and in theory, reduce the likelihood of losing their business revenue. For example, does the hypothetical possibility of a government compelling a company to hand over keys exist? In some countries, certainly. This is where auditors can find value in choosing the physical location of encryption keys, and why Egress offers jurisdictional control over the use of our services.

What encryption regulations are in place?

Behind the scenes, there is surprisingly very little in the way of legislation or widely adopted standards, such as ISO 27001 or NIST 800-53, telling us how to implement encryption. Only that it should be documented.

One reason for this is that as technology advances, so does the ability to break encryption. We have seen certain algorithms such as SHA-1 fall to the heap of simplicity like a potato battery. Instead,  standards bodies focus on implementation of various types of encryption. The NIST 800-38 series is a good example often referred to in the FIPS 140-2 draft Annex A.

ISO 27701, alternatively, focuses on the type of information that should be encrypted. This is a helpful bridge for data protection legislation where encryption is mentioned, such as UK/EU GDPR Article 32. With this basic background, it becomes apparent that an auditor needs to consider cryptography to give a good assessment of encryption.

Sometimes, the theoretical possibility of a risk can be heightened beyond what is necessary for most organisations. It is an organisation's responsibility to determine the level of action to take from an auditors’ recommendations.

Looking for an email encryption solution that is easy to use, keeps information safe, and enables a full chain of custody audit? Egress Protect delivers all of this and more – learn more here.