Imagine an IT universe where encryption is complete and secure, and parameters are changed on the fly based on factors such as network conditions, traffic patterns, and the threat level to an IT system. This means resiliency against ever-evolving cyberattacks to ensure data confidentiality and integrity and achieve optimum performance and maximum agility. Adaptive payload encryption (APE) is the solution, and while it hasn’t been fully attained or embraced yet, it may be on the horizon in the not-too-distant future.
What is APE?
APE uses mathematical algorithms to transform sensitive information into an unreadable format. While there is a standard layer of encryption for the data transmitted between clients and servers known as the secure sockets layer and transport layer security (SSS/TLS), with adaptive encryption, extra cybersecurity protection is provided for non-encrypted traffic. Where most of the traffic across a network is expected to be encrypted to keep it secure, encrypting those sessions that are not already in that state ensures all payload traffic sent over a network (the actual information or message being transmitted) is secure, even in untrusted environments. Adaptive encryption adjusts in real time to threats, including those outside the typical client-server path and even from someone on the inside who may be a cybercriminal.
How to adopt adaptive payload encryption
Hypertext transfer protocol secure/transport layer security or HTTPS/TLS is an industry standard for securing data between clients and servers on the internet, but it does not guarantee the complete security of all data. HTTPS/TLS can expose data to hackers at either endpoint if they are compromised, such as when vulnerabilities are in the server, a client’s device, or the network infrastructure. Attackers can also target the metadata (which provides a trove of information about the actual data being stored), allowing access to details about user behavior and interactions. HTTPS/TLS cannot entirely prevent attacks involving the “man in the middle,” who can intercept and even alter the communication between two parties. Encrypting the entire payload provides an additional layer of end-to-end security. Attackers who get past the HTTPS/TLS security layer will find it difficult to decrypt the data with APE due to its adaptive nature and ability to adjust the encryption algorithm, key length, and other parameters dynamically.
There are several ways to encrypt the entire payload:
- End-to-end encryption (E2EE). Data is encrypted on the sender’s device and decrypted only when it arrives at the recipient’s device. Even with data sent over HTTPS/TLS, where there can be weak security points, that information remains secure due to the extra layer of protection.
- Application layer encryption. WhatsApp and other messaging apps use application layer encryption to encrypt data before transmitting it over the network. With consumers so reliant on their phones, this extra layer of security and the app’s technological sophistication are selling points.
- Payload encryption. This type of encryption is employed for web applications, where specific data within a payload can be encrypted before it is transmitted via the standard HTTPS/TLS layer of protection.
- Internet protocol security (IPsec) or virtual private networks (VPNs). These encrypted protocols protect the entire communication and add another level of cybersecurity on top of HTTPS/TLS. The average user can purchase a VPN service to secure their transmissions over the internet.
A compelling reason to consider APE is to establish a more complex defense strategy to fend off cyberattacks even when the encryption is compromised and not detected via HTTPS/TLS. Sorting through the various APE methodologies and matching them to an organization’s specific needs and the type of data being transmitted or received are vital decisions to be made at the highest management levels.
Other challenges include developing and managing an adaptive encryption system compatible with existing or legacy encryption methodologies. Creating more uniform standards for encryption within the business ecosystem can help minimize future cybersecurity risks.
Symmetric versus asymmetric encryption
There are different ways to encrypt sensitive information, and several options exist for how that data can be encrypted. Symmetric key encryption is faster and uses the same key to encrypt and decrypt the message transmitted, making it easier to use but somewhat less secure as someone could intercept that key. On the other hand, asymmetric key encryption uses different keys to encrypt and then decrypt as opposed to the symmetric option, but the encryption process is slower, and adoption is considered more costly.
Symmetric is preferred when large amounts of data must be transferred and is more efficient, while asymmetric is used to transfer smaller amounts of data and is deemed less efficient. It is essential to match the method used to the payload requirements within a specific company and where the data it transmits is headed. It is also a determinant when developing the software packages that send and receive data.
Adaptive payload encryption as an industry standard: a work in progress
Digital data transmission that contains personal, health, financial, or other sensitive information places a great deal of responsibility on the IT systems accepting that data and the hubs and routers it passes through on its journey. End users trust that this information will arrive securely when they transmit it via an online form, an app, email, or other methods. When it arrives and is stored on a server, in the cloud, used during a transaction, or is traveling from one hub to another, they want to be assured that any threats to the security of their data are thwarted at lightning speed and that the entity receiving that information can adapt quickly to any change in threat conditions. For these reasons, the long-term goal of true APE is to develop IT systems and software packages that are agile and proactive, ward off any cyberattacks as they continue to evolve, and encrypt data safely in real time, regardless of their origins.
About the Author:
Raja Chattopadhyay is a technology leader at a leading financial company and has 20 years of expertise in financial technology (fintech), data management, API development, analytics, and operations. With additional expertise in cloud infrastructure/computing and NoSQL databases, he has spearheaded numerous critical initiatives throughout his career. An active volunteer, Raja mentors STEM students, serves as a judge for prestigious international industry awards, and writes blogs for other experts. Raja received his master’s degree in applied geophysics from the Indian Institute Of Technology, ISM Dhanbad, India. Connect with Raja on LinkedIn.
