What is Encryption and Certificate Management?
Encryption and Certificate Management is broadly about keeping secrets secret. That is to say, many cryptographic systems exist to maintain the integrity of your information systems, specifically against external actors who might do them harm.
Encryption here can be used in a variety of ways, from securing files to securing email. For the latter, there is a very useful NCSC tool which can help, and you also have Mail-Tester to confirm it all works on a recipient’s end.
Certificate Management is a little more complex, but think of it as you would a stamp or passport to confirm your identity. As you can imagine, this is both complex and straightforward – but it isn’t complicated. In fact, many systems exist to enable you to readily print off a passport and revoke the previous one should it be lost or stolen; digital certificates offer something similar for digital systems.
If you want to do a deep dive into these security systems, there are a range of resources available and you will most probably enjoy reading about Red Hat, OpenSSL and Let’s Encrypt (who we also touch on later).
Why is Encryption important?
Your business, client relationships and customer data are quite important. In fact, the Information Commissioner’s Office makes it quite clear that it is your responsibility to use encryption. This isn’t only for highly regulated bodies: encryption is considered a widely available and low-cost capability that every business which handles data should have.
Regulation aside, many customers will not consider working with or buying from you if you lack foundational security. We don’t call it ‘basic security’ because expertise is needed to use the tools properly, either that or some persistence.
The ability to produce your own secrets, store them securely and do business with a secure system is critical to functioning as a business. Many hackers will target businesses when they are most vulnerable, and have automated checks constantly scraping internet-accessible applications to see if a known, easy-to-exploit vulnerability is there.
As just one example, your email, if it isn’t signed and encrypted, is more likely to be marked as spam, resulting in lost business – and when someone then checks to see if you are a legitimate sender, and your website lacks a certificate to keep it secure? Lost business. Simple as that.
What does it cost?
This is a critical question that many service providers will not answer for you, because it is in their interests to obfuscate costs and bill you at a higher margin.
In fact, certificates can now be produced at zero cost and still be approved by international bodies: Let’s Encrypt was set up by the Internet Security Research Group with the aim of getting every website to be HTTPS encrypted.
Their backers are numerous, including the likes of Mozilla, Google, Cisco and the Electronic Frontier Foundation.
Why is it important to know the context of how Let’s Encrypt works? Simply because you can see that there is a public interest here, and that public interest can and will advance your business interests. In essence, when you ask us how much it costs, we might verily answer that it is free – even setting up a webserver to run Let’s Encrypt from costs practically nothing.
You can of course have certificates signed by any number of other organisations at a cost, and this often comes with some support and assistance in setting things up. If, however, you work with a firm such as Hayachi Services, we would likely consider a certificate renewal to be a Business-As-Usual project dealt with by one of our Desktop Engineers.
What business advantage is there?
Aside from not being fined, repeatedly, by the Information Commissioner’s Office, there are numerous advantages. For the sake of brevity we will list a few, but rest assured many more exist, and they are current issues which give you a competitive advantage:
- Your business is more trustworthy to customers
- Marketing, especially email and web marketing, is more efficient
- Many modern platforms refuse to accept non-encrypted connections, such as Apple devices, Mozilla Firefox, Google Chrome, etc.
- Cyber insurance is far cheaper if you can demonstrate you have a grasp of foundational technologies (also if you have a SOC)
- Emails can be encrypted in transit, preventing snooping by third parties
- Even with data loss, if it is encrypted you are unlikely to be fined a large amount
The above list covers only a few benefits; it does not capture the plethora of benefits that securing your business offers.
Running a business which is secure by design
When you intend to design and implement any information system it is important to do the forward-planning. For an email server, how do you secure it and ensure the emails you send and store remain secure? What happens if the email server or database goes down, do you have disaster recovery in place?
Running resilient systems is important for a business which wants to remain in business. Anybody can set up email; Hayachi Services have on occasion needed to point out the lack of any resilience in an email system because certain extras were not included. In this sense, hosting your own emails at least gives you control over the systems you use.
Being secure by design, then, is taking security principles into account from the outset, ensuring that the website, web application, email platform, CRM, database – whatever it is you need doing – has security built in. This avoids compliance headaches, avoidable costs and fines from regulators for those who get it wrong.
These conversations on security can be doodles on a sheet of paper – so long as the foundational security principles are followed, you will have a system which has security included.
Help is here if you need it
We appreciate that not everybody enjoys security. Adding fire doors in a building or turnstiles at an entrance: these are mundane and yet essential things to keep things safe and in working order.
The same is true for digital systems, and human ways of working which use information technology. Hayachi Services have helped international law firms, managed service providers and a range of businesses in manufacturing build security into their IT systems.
Encryption and Certificate Management as a discipline is frankly not sexy at all, but it is essential and must be done properly. It must be sustained: security is not a one-off thing, but a continuous process of implementing incremental improvements. Hayachi Services are Here To Help, Always.