1
00:00:00,000 --> 00:00:01,589
When it comes to data security,

2
00:00:01,589 --> 00:00:03,300
one of the most tried and true methods

3
00:00:03,300 --> 00:00:05,070
is to use data encryption.

4
00:00:05,070 --> 00:00:07,560
Now in this lesson, we're not going to do a full review

5
00:00:07,560 --> 00:00:09,210
of all the different encryption types.

6
00:00:09,210 --> 00:00:11,597
Instead, we're going to focus our efforts on the concepts

7
00:00:11,597 --> 00:00:13,590
surrounding encryption, as opposed

8
00:00:13,590 --> 00:00:15,360
to the specific technical implementations

9
00:00:15,360 --> 00:00:19,650
and algorithms like DES, IDEA, or AES.

10
00:00:19,650 --> 00:00:21,090
We're going to talk about two different types

11
00:00:21,090 --> 00:00:24,240
of data in your systems, unencrypted and encrypted,

12
00:00:24,240 --> 00:00:25,817
and the three different data states

13
00:00:25,817 --> 00:00:27,840
that information may pass through

14
00:00:27,840 --> 00:00:30,630
during its creation, usage, and storage.

15
00:00:30,630 --> 00:00:31,919
First, it's important to remember

16
00:00:31,919 --> 00:00:33,750
that data can be in your systems

17
00:00:33,750 --> 00:00:36,750
and exist as either unencrypted or encrypted data.

18
00:00:36,750 --> 00:00:38,100
Now, unencrypted data is any data

19
00:00:38,100 --> 00:00:41,596
that remains in an easily viewable or accessible format.

20
00:00:41,596 --> 00:00:45,330
This is also known as clear text or plain text data.

21
00:00:45,330 --> 00:00:47,280
This data is stored, transmitted,

22
00:00:47,280 --> 00:00:49,177
or processed in an unprotected format

23
00:00:49,177 --> 00:00:51,380
that anyone can view and read.
24
00:00:51,380 --> 00:00:53,140
For example, if I'm using the network

25
00:00:53,140 --> 00:00:54,720
to transmit my username

26
00:00:54,720 --> 00:00:56,337
and password in an unencrypted format,

27
00:00:56,337 --> 00:00:58,457
such as when I log into a Telnet server,

28
00:00:58,457 --> 00:01:00,857
that is considered open and available to anybody

29
00:01:00,857 --> 00:01:02,740
who happens to be capturing the packets

30
00:01:02,740 --> 00:01:04,916
as they're going across that network.

31
00:01:04,916 --> 00:01:07,039
To secure my data in any of its states,

32
00:01:07,039 --> 00:01:10,110
such as when the data is at rest, the data is in motion,

33
00:01:10,110 --> 00:01:13,119
or the data is in processing, you need to encrypt that data.

34
00:01:13,119 --> 00:01:15,241
Now, data encryption is a security method

35
00:01:15,241 --> 00:01:17,280
where information is encoded.

36
00:01:17,280 --> 00:01:18,450
It can only be accessed

37
00:01:18,450 --> 00:01:21,561
or decrypted by a user with a correct security key.

38
00:01:21,561 --> 00:01:24,297
There are many different ways to encrypt and decrypt data,

39
00:01:24,297 --> 00:01:25,961
but for now, just remember

40
00:01:25,961 --> 00:01:27,620
that encrypted data is scrambled up

41
00:01:27,620 --> 00:01:29,279
and unreadable to anybody

42
00:01:29,279 --> 00:01:32,400
without the proper encryption or decryption key.

43
00:01:32,400 --> 00:01:35,340
This scrambled up data is known simply as encrypted data

44
00:01:35,340 --> 00:01:38,159
or cipher text data when it's in this scrambled form.

45
00:01:38,159 --> 00:01:39,561
When it comes to encryption,

46
00:01:39,561 --> 00:01:41,780
remember, it is a form of risk mitigation

47
00:01:41,780 --> 00:01:44,319
for the access controls used in your system.
48
00:01:44,319 --> 00:01:46,740
If an attacker's able to circumvent your access controls

49
00:01:46,740 --> 00:01:48,439
and gain access to a file,

50
00:01:48,439 --> 00:01:51,359
but that file is encrypted, well guess what?

51
00:01:51,359 --> 00:01:53,241
That attacker still can't read it.

52
00:01:53,241 --> 00:01:54,681
This is what makes encryption

53
00:01:54,681 --> 00:01:56,399
a great risk mitigation to use

54
00:01:56,399 --> 00:01:58,761
in order to protect the confidentiality of your data,

55
00:01:58,761 --> 00:02:00,921
even if other things fail.

56
00:02:00,921 --> 00:02:03,139
There are going to be three different data states

57
00:02:03,139 --> 00:02:05,700
the data and information can continually move between.

58
00:02:05,700 --> 00:02:07,813
Now, when we talk about a data state,

59
00:02:07,813 --> 00:02:09,419
we're talking about the location

60
00:02:09,419 --> 00:02:11,358
of the data within the processing system.

61
00:02:11,358 --> 00:02:14,234
Data can really exist in only one of three places.

62
00:02:14,234 --> 00:02:17,039
You can have data at rest, data in motion,

63
00:02:17,039 --> 00:02:18,677
or data in processing.

64
00:02:18,677 --> 00:02:20,761
First we have data at rest.

65
00:02:20,761 --> 00:02:22,710
Data at rest is any data

66
00:02:22,710 --> 00:02:24,930
that is stored in memory, on a hard drive,

67
00:02:24,930 --> 00:02:26,256
or on a storage device.

68
00:02:26,256 --> 00:02:28,140
For example, if I have data

69
00:02:28,140 --> 00:02:29,817
simply sitting on an external hard drive,

70
00:02:29,817 --> 00:02:32,130
that data could be vulnerable.
71
00:02:32,130 --> 00:02:34,580
To protect that data, I might want to use BitLocker

72
00:02:34,580 --> 00:02:36,360
to perform a full disk encryption

73
00:02:36,360 --> 00:02:37,617
of that external hard drive,

74
00:02:37,617 --> 00:02:39,759
or I might use file level encryption

75
00:02:39,759 --> 00:02:41,880
to protect just the specific files

76
00:02:41,880 --> 00:02:43,257
and folders that I need to protect.

77
00:02:43,257 --> 00:02:45,900
Either way, if I encrypt the critical data

78
00:02:45,900 --> 00:02:46,999
that's stored on that hard drive,

79
00:02:46,999 --> 00:02:48,420
I can ensure that no one can read

80
00:02:48,420 --> 00:02:49,878
the contents of those files

81
00:02:49,878 --> 00:02:52,110
unless they have the decryption key,

82
00:02:52,110 --> 00:02:54,917
and therefore, I'm going to be ensuring confidentiality.

83
00:02:54,917 --> 00:02:57,300
Now, there are many different types of encryption used

84
00:02:57,300 --> 00:03:00,117
to support the confidentiality of data at rest.

85
00:03:00,117 --> 00:03:03,081
This includes full disk encryption, folder encryption,

86
00:03:03,081 --> 00:03:05,919
file encryption, or database encryption.

87
00:03:05,919 --> 00:03:07,733
The second type of data state we have

88
00:03:07,733 --> 00:03:10,715
is known as data in transit or data in motion.

89
00:03:10,715 --> 00:03:12,577
Data in motion is any data

90
00:03:12,577 --> 00:03:14,377
that's currently moving from one computer

91
00:03:14,377 --> 00:03:16,041
to another over the network

92
00:03:16,041 --> 00:03:18,537
or from one part of the computer system

93
00:03:18,537 --> 00:03:20,159
to another part of the computer system

94
00:03:20,159 --> 00:03:21,879
within the same tower.

95
00:03:21,879 --> 00:03:23,999
This could be from the hard disk to the memory

96
00:03:23,999 --> 00:03:25,679
or from the memory to the processor.
97
00:03:25,679 --> 00:03:27,801
All of these are examples of data in transit

98
00:03:27,801 --> 00:03:29,198
or data in motion.

99
00:03:29,198 --> 00:03:31,137
Now, let's take another example.

100
00:03:31,137 --> 00:03:33,497
Let's say I want to access my bank's web server

101
00:03:33,497 --> 00:03:34,900
and I need to log in there.

102
00:03:34,900 --> 00:03:37,410
I need to send them data like my username

103
00:03:37,410 --> 00:03:40,398
and password in order to be authenticated by their systems.

104
00:03:40,398 --> 00:03:43,800
So to secure the communication path between my laptop

105
00:03:43,800 --> 00:03:45,817
and their web server, I need to rely on some form

106
00:03:45,817 --> 00:03:48,239
of a transport encryption protocol.

107
00:03:48,239 --> 00:03:50,180
In the example of logging into a bank account

108
00:03:50,180 --> 00:03:52,315
over their website, I'm likely going to rely

109
00:03:52,315 --> 00:03:54,681
on TLS, transport layer security,

110
00:03:54,681 --> 00:03:57,319
or SSL, secure sockets layer.

111
00:03:57,319 --> 00:03:58,958
Both of these are commonly used

112
00:03:58,958 --> 00:04:01,860
to protect the transport layer of a web application.

113
00:04:01,860 --> 00:04:03,815
Now, if I'm connecting my laptop back

114
00:04:03,815 --> 00:04:06,297
to my corporate network over a VPN connection,

115
00:04:06,297 --> 00:04:08,441
I might use something like IPsec

116
00:04:08,441 --> 00:04:10,440
or layer two tunneling protocol.

117
00:04:10,440 --> 00:04:12,361
If I'm trying to secure the wireless connection

118
00:04:12,361 --> 00:04:15,081
between my laptop and my home wireless access point,

119
00:04:15,081 --> 00:04:19,380
I might use WPA2 with AES encryption as my algorithm.

120
00:04:19,380 --> 00:04:21,990
Regardless of the exact technology in use,

121
00:04:21,990 --> 00:04:23,241
our goal is always the same.
122
00:04:23,241 --> 00:04:24,681
We want to protect the data

123
00:04:24,681 --> 00:04:26,120
and maintain its confidentiality

124
00:04:26,120 --> 00:04:28,820
as it's moving from one system like my laptop

125
00:04:28,820 --> 00:04:31,336
to another system like the bank's website

126
00:04:31,336 --> 00:04:32,857
or over to the internet by adding

127
00:04:32,857 --> 00:04:34,614
a layer of encryption to it.

128
00:04:34,614 --> 00:04:36,020
The third data state we have

129
00:04:36,020 --> 00:04:38,921
is known as data in use or data in processing.

130
00:04:38,921 --> 00:04:42,510
Now, data in use or data in processing is any data

131
00:04:42,510 --> 00:04:43,740
that has been read into memory

132
00:04:43,740 --> 00:04:45,199
or is currently inside the processor

133
00:04:45,199 --> 00:04:47,897
and is currently being worked on or manipulated.

134
00:04:47,897 --> 00:04:49,276
This is active data

135
00:04:49,276 --> 00:04:51,999
that is non-persistent in its digital state.

136
00:04:51,999 --> 00:04:54,930
Typically, it's being held in random access memory,

137
00:04:54,930 --> 00:04:58,617
or RAM, inside your system, or it's in the CPU's caches

138
00:04:58,617 --> 00:05:00,879
or the CPU's registers.

139
00:05:00,879 --> 00:05:03,619
This is data that's currently being utilized by the computer

140
00:05:03,619 --> 00:05:05,675
and its central processing unit.

141
00:05:05,675 --> 00:05:09,298
So remember, your data state for any piece of data

142
00:05:09,298 --> 00:05:11,940
can be either at rest, in motion,

143
00:05:11,940 --> 00:05:14,520
or in processing at any given time.

144
00:05:14,520 --> 00:05:16,900
And these data states change as the data is created,

145
00:05:16,900 --> 00:05:20,457
processed, and stored within a given system or network.

146
00:05:20,457 --> 00:05:22,281
Let me give you a quick example of this

147
00:05:22,281 --> 00:05:23,641
to tie it all together.
148
00:05:23,641 --> 00:05:25,458
Let's pretend I have a file on my hard drive

149
00:05:25,458 --> 00:05:27,001
with a list of all my students

150
00:05:27,001 --> 00:05:29,079
who have passed their certification exams.

151
00:05:29,079 --> 00:05:31,780
Now I want to maintain the confidentiality of that file,

152
00:05:31,780 --> 00:05:34,975
so I might encrypt it using the AES algorithm

153
00:05:34,975 --> 00:05:38,790
and use a long, strong symmetric encryption key.

154
00:05:38,790 --> 00:05:41,001
This file is now being protected when it's at rest

155
00:05:41,001 --> 00:05:42,660
using data at rest,

156
00:05:42,660 --> 00:05:45,220
and stored in this encrypted cipher text format.

157
00:05:45,220 --> 00:05:47,137
But there is one person on my team

158
00:05:47,137 --> 00:05:49,199
who needs to read the contents of that file

159
00:05:49,199 --> 00:05:51,401
to determine if Jane Doe has really passed

160
00:05:51,401 --> 00:05:53,359
her certification exam or not.

161
00:05:53,359 --> 00:05:55,321
So I enter the decryption key

162
00:05:55,321 --> 00:05:57,641
and that file is converted back to plain text.

163
00:05:57,641 --> 00:06:01,116
Now, I find the line that has Jane Doe's name and status,

164
00:06:01,116 --> 00:06:03,414
and I want to send this securely to a team member.

165
00:06:03,414 --> 00:06:06,660
I can save this line to a file, encrypt that file,

166
00:06:06,660 --> 00:06:07,780
and then send that file over.

167
00:06:07,780 --> 00:06:09,300
But that's a bit cumbersome.

168
00:06:09,300 --> 00:06:11,759
So instead, I'm going to open a direct message

169
00:06:11,759 --> 00:06:13,481
with them using Slack.
170
00:06:13,481 --> 00:06:15,538
Now I'm logged into the Slack website

171
00:06:15,538 --> 00:06:19,300
using the HTTPS protocol, so that data being sent

172
00:06:19,300 --> 00:06:21,140
from my computer to the Slack server

173
00:06:21,140 --> 00:06:24,340
is being encrypted using TLS or SSL,

174
00:06:24,340 --> 00:06:26,100
ensuring that the data is encrypted

175
00:06:26,100 --> 00:06:29,137
as it becomes data in transit or data in motion.

176
00:06:29,137 --> 00:06:31,493
Once that data is received by my team member,

177
00:06:31,493 --> 00:06:33,620
they could put it into a file and encrypt it

178
00:06:33,620 --> 00:06:35,241
and make it data at rest again,

179
00:06:35,241 --> 00:06:37,401
or they can simply delete the message

180
00:06:37,401 --> 00:06:39,495
since they now have the information they needed

181
00:06:39,495 --> 00:06:41,136
and they can get rid of that data.

182
00:06:41,136 --> 00:06:44,420
All the while when I access that file on my computer

183
00:06:44,420 --> 00:06:46,457
or begin to send that information over the network,

184
00:06:46,457 --> 00:06:48,377
that data moved from data at rest

185
00:06:48,377 --> 00:06:50,959
to data in transit, and between those two states,

186
00:06:50,959 --> 00:06:52,457
the data was also in use

187
00:06:52,457 --> 00:06:55,961
because my CPU had to perform the operations on that data

188
00:06:55,961 --> 00:06:58,319
as part of the encryption and decryption process,

189
00:06:58,319 --> 00:07:00,857
as well as the transmitting and receiving process.

190
00:07:00,857 --> 00:07:03,690
To help protect that data while it's being processed

191
00:07:03,690 --> 00:07:07,057
as data in use, AMD and Intel processors involve the use

192
00:07:07,057 --> 00:07:09,810
of secure processing mechanisms with encryption

193
00:07:09,810 --> 00:07:11,657
and integrity checks as appropriate.

194
00:07:11,657 --> 00:07:15,510
So as you can see, data is not just in one state.
195
00:07:15,510 --> 00:07:17,300
It moves constantly between these different states

196
00:07:17,300 --> 00:07:19,241
continually from data at rest

197
00:07:19,241 --> 00:07:21,641
to data in transit and data in use,

198
00:07:21,641 --> 00:07:23,599
and you must consider how it's going to be protected

199
00:07:23,599 --> 00:07:25,653
during each of these data states.