This message will self-destruct...

Not all security strategies need to be as dramatic as those of Mission: Impossible, but anyone offering SaaS needs to ensure that data is accessible only to authorised users.

One plank in any security strategy is encryption: the transformation of sensitive data into an unintelligible form. This scrambling of data is reversible only by those who hold the appropriate key, or at least it should be.

One of the problems with encryption is that it is hard to make bulletproof. Algorithmic weaknesses, and even the simple passage of time as computing power grows, can turn an uncrackable cipher into a toy programming project.

For this reason, when the US Government needed a new encryption standard, suitable for use by government agencies (the NSA included) and by the community at large, it worked hard to get it right. NIST compared fifteen competing designs in an open, five-year standardisation process, soliciting entries from the top security experts and cryptographers in the world. The winner, the Rijndael cipher, became known as AES, the Advanced Encryption Standard.

As an example of what AES does, imagine a policy or benefit record containing these fields:

Forename FRED
Surname FLINTSTONE
Amount 100
Postcode EH10 4BW
Date of birth 15/11/1929

We might decide that the name and postcode are too revealing, so we push these sensitive fields through AES using a given key, then Base64-encode the results to make them printable:

Forename KoJag278FDmjdW0F3Si2sw==
Surname NAxlNwCAGm3hNriG4icn+g==
Amount 100
Postcode 7NfuiRw32aQ3kP6S5ypouw==
Date of birth 15/11/1929

The identity of the world's favourite caveman is pretty safe in this latter format: without the appropriate key, a brute-force search of the AES key space would take longer than the age of the universe. One downside is that the encrypted data is longer than the original: AES works on 16-byte blocks, so a 4-byte forename is padded out to a full block before encryption, and Base64 then expands every 3 bytes into 4 printable characters, which is why each encrypted field above is 24 characters long. Encryption has a price both in performance and in storage.
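The following is an added example written for this page, not Longevitas code and not the key or procedure behind the table above. It reproduces the arithmetic of the table: a short field padded to one AES block and pushed through the raw block function comes out as 16 bytes, i.e. 24 Base64 characters, and a field of 17 or more bytes costs a second block. The key is a constructed placeholder, so the ciphertexts will not match the ones printed above. Beside it sits the form a practitioner would choose today, AES-GCM with a random nonce and an authentication tag: longer output still, but equal fields no longer encrypt to equal ciphertexts and any tampering is detected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// DemoKey is a constructed 16-byte AES-128 key for this example only; it is
// not the article's key, so the ciphertexts below differ from the table.
var DemoKey = []byte("0123456789abcdef")

// pkcs7Pad rounds a field up to whole 16-byte blocks: "FRED" (4 bytes)
// becomes one block, a 17-byte field becomes two.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptFieldRawBlock pads the field and pushes each block through the raw
// AES block function (ECB: no IV, no tag). A short field comes out as exactly
// 16 bytes = 24 Base64 characters, the lengths seen in the article's table.
// It is deterministic: equal fields under one key give equal ciphertexts.
func EncryptFieldRawBlock(key, field []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(field, aes.BlockSize)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// EncryptFieldGCM is what a practitioner would use today: AES-GCM with a fresh
// random 12-byte nonce and a 16-byte authentication tag per field. Output is
// nonce||ciphertext||tag, so "FRED" costs 32 bytes = 44 Base64 characters,
// but equal fields no longer look alike and tampering is caught on decrypt.
func EncryptFieldGCM(key, field []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, field, nil)), nil
}

// DecryptFieldGCM reverses EncryptFieldGCM; a bad tag yields an error.
func DecryptFieldGCM(key []byte, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	for _, f := range []string{"FRED", "FLINTSTONE", "EH10 4BW"} {
		raw, _ := EncryptFieldRawBlock(DemoKey, []byte(f))
		g, _ := EncryptFieldGCM(DemoKey, []byte(f))
		fmt.Printf("%-10s raw: %s (%d chars)  gcm: %s (%d chars)\n", f, raw, len(raw), g, len(g))
	}
}
```

Run it twice and compare: the raw-block column is identical from run to run, so anyone holding two records can tell that both policyholders are called FRED without knowing the key, whereas the GCM column changes every time. That equality leak, not brute force, is the practical weakness of encrypting short fields deterministically, and the extra 20 Base64 characters per field are the price of closing it.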

Open encryption standards such as AES have made data privacy widely available and commonly encountered. For example:

  • The padlock icon in a web browser shows that traffic between the browser and that site is encrypted
  • Some editions of Windows Vista come with BitLocker drive encryption
  • Multi-platform encryption tools like TrueCrypt are in common use. 
  • Archive tools like WinZip now offer strong encryption options

Such techniques are unfortunately only helpful when they are actually used. As UK civil servants have repeatedly found, unencrypted data might not self-destruct, but it can certainly blow up in your face...

Written by: Gavin Ritchie

Encryption in Longevitas

All files uploaded into Longevitas are encrypted using AES in memory before being written to disk. Data records written to the database for processing have sensitive elements encrypted to ensure policy holders are never identifiable. All application sessions are conducted privately over SSL. 

