ENISA issues recommendations for securing data using cryptography
ENISA, the European Union’s “cyber security” Agency, launched a report recommending that all authorities should better promote cryptographic measures to safeguard personal data.
The report addresses ways to protect sensitive and/or personal data that has been acquired legitimately. The clear link between privacy and cryptography is underlined, demonstrating how the latter can play a role in protecting personal data and safeguarding legitimately collected sensitive or confidential data.
The report presents a mapping of security requirements for personal data and basic cryptographic techniques. It is noteworthy that information security measures and mechanisms can be deployed for the protection of personal data. However, information security does not cover all the issues regarding personal data protection and privacy.
Indeed, personal/sensitive data requires different protection measures at different stages of its lifecycle. Therefore, the report presents a short description of such a lifecycle. The report also identifies security measures and gives an introduction to basic cryptographic techniques.
The report is complemented with a set of technical recommendations for algorithms, key sizes, parameters and protocols. The target audiences of these recommendations are system developers and maintenance engineers in commercial environments who are faced with the need to deploy or replace protective measures for data.
Amongst the top three findings and recommendations are:
- Cryptographic measures are only one piece of the puzzle when it comes to privacy and data protection. However, they can provide an important layer of protection for personal data, which may reduce the impact of breaches. The relevant stakeholders (Data Protection Authorities, EU Member State authorities, and service providers) should recommend that users and others implement security measures for protecting personal data, and rely on state-of-the-art solutions and configurations for this purpose.
- Specialised personnel are needed for the correct implementation of updated cryptographic protective measures.