What is end-to-end encryption, and how does it affect SOC 2 compliance?
While standard layers of defense, such as network firewalls and antivirus software are critical for maintaining a good security posture, they’re far from fail-proof. Determined attackers can and will exploit a multitude of potential vulnerabilities in your network. And, given the fact most organizations now use a dizzyingly complex and disparate range of computing resources, they have many such opportunities.
One of the favorite attack vectors for cybercriminals is to intercept sensitive data in transit. For example, hackers often listen in one unsecured wireless networks, like those found in public places and often used by remote workers. Even if your network and endpoints themselves are safe, threats like wireless eavesdropping and man-in-the-middle attacks can result in disaster. This is why data encryption is critical for all data at rest or in transit.
What is end-to-end encryption?
End-to-end encryption enables secure and private communication between two endpoints. It’s a critical layer of security for all digital communications, and you should avoid using channels that don’t support it. End-to-end encryption turns data in transit into something that hackers will be unable to make sense of, even if they do manage to intercept it.
End-to-end data encryption applies encryption to all outgoing communications before they can leave the device, and only the target device or user account can decipher it. For example, this means messages sent via WhatsApp or conference calls on Zoom, are encrypted for transit, since both these platforms now apply end-to-end encryption by default.
Although encryption is now standard in business communications, it’s important to remember that many systems still don’t support it. For example, SMS messages aren’t encrypted, which means they can theoretically be intercepted by anyone with the right tools. The most common form of end-to-end encryption is TLS security, which websites use to protect data being sent via them. TLS-protected websites are marked by a padlock icon beside the URL in the address bar.
SOC 2 and data encryption
SOC 2 compliance addresses data encryption in section CC6 – Logical and Physical Access. The five trust services criteria addressed in SOC 2 audits include security and privacy. These things can only be achieved if your communications are secured. CC6 also covers endpoint encryption and logical access controls to software, services, and infrastructure.
Specifically, section CC6.8 mandates that organizations implement controls to prevent, detect, and remediate the injection of malicious or unauthorized software. Cyberattackers often target unsecure communications to inject malicious code or exfiltrate sensitive data directly. End-to-end encryption makes this impossible.
When scanning your network for vulnerabilities and preparing for a SOC 2 audit, the auditor will search for any outdated security protocols, as well as unencrypted communications. For example, if it detects a web-hosted asset that uses an outdated security protocol, like SSL or TLS 1.0, it will immediately flag it for review. This will give you a chance to bolster security to reduce risk and meet the requirements necessary for a successful SOC 2 audit.
An overview of encryption standards
Much like cyberattacks themselves, encryption protocols regularly evolve to protect against new and emerging threats. For example, the current standard for protecting communications over the web is Transport Layer Security (TLS) 1.3, which was introduced in 2018. On top of securing data at rest, it must be transmitted whilst being protected by TLS. Be aware, however, that TLS is often confused with SSL, which was a much earlier standard. SSL contains several vulnerabilities, and security experts recommend against using it.
Modern security protocols follow the advanced encryption standard (AES), typically using the 256-bit (AES-256) key size. This means there are 2256 possible key combinations, which would take an immeasurably long period of time for any current or foreseeable future hardware to crack using a brute-force attack. That said, key size is not the only thing that’s important, and some algorithms have other known vulnerabilities hackers might exploit. This is why you must always keep up to date with encryption protocols and follow the current standards.
Why you need to encrypt endpoints too
SOC 2 section CC6 also specifies the need to secure and encrypt data at all times, including when it’s at rest. Regardless of the physical safeguards put in place to protect servers or other computing assets, every storage device and system must be encrypted too. For example, you can protect your Windows workstations by using Bitlocker, which is included in Windows 10 Professional.
All other data-bearing systems should be encrypted too. Endpoint encryption is especially important for mobile devices like smartphones and laptops, since there’s a much higher risk of them getting lost or stolen. The same applies to portable storage devices, such as USB drives. Finally, don’t forget about cloud-hosted assets like virtual machines and online storage services, which may only offer end-to-end encryption but don’t encrypt data at rest by default. For example, the popular Microsoft OneDrive online storage service does not encrypt data at rest unless you’re using the Personal Vault feature.
Charles IT provides end-to-end encryption services to ensure your assets are always safe from cyberattackers and ready to pass a SOC 2 audit. Call us today to schedule a consultation.