Symmetric Encryption
Symmetric encryption uses the same secret key for both encryption and decryption. It is fast and efficient for encrypting large volumes of data, making it the standard for bulk data encryption. The primary challenge is securely distributing the shared key to all authorized parties. AES (Advanced Encryption Standard) with 128-bit or 256-bit keys is the most widely used symmetric algorithm.
Example: When you encrypt a hard drive with BitLocker or FileVault, the operating system uses AES symmetric encryption to protect all data on the disk. The same key that encrypts each block of data is used to decrypt it when you unlock the drive.
Asymmetric Encryption
Asymmetric encryption uses a mathematically related pair of keys: a public key (shared openly) for encryption and a private key (kept secret) for decryption. It solves the key distribution problem of symmetric encryption but is computationally slower. RSA and Elliptic Curve Cryptography (ECC) are common algorithms. Asymmetric encryption is fundamental to digital signatures, certificate-based authentication, and secure key exchange.
Example: When you send an encrypted email using PGP, you encrypt the message with the recipient's public key. Only the recipient's private key can decrypt it, ensuring that even if the email is intercepted, it cannot be read by anyone other than the intended recipient.
Hashing
A hash function takes an input of any size and produces a fixed-length output (the hash or digest) that is deterministic, one-way (cannot be reversed to recover the input), and collision-resistant (extremely unlikely for two different inputs to produce the same hash). Hashing is used for data integrity verification, password storage, and digital signatures. Common algorithms include SHA-256 and SHA-3.
Example: When you create a password on a website, the system stores a SHA-256 hash of your password rather than the password itself. When you log in, the system hashes your entered password and compares it to the stored hash. Even if the database is breached, the actual passwords are not directly exposed.
Data Classification
Data classification is the process of categorizing data based on its sensitivity, value, and regulatory requirements to determine appropriate security controls. Common classification levels include public, internal, confidential, and restricted (or top secret). Classification drives decisions about encryption, access controls, storage requirements, retention policies, and handling procedures.
Example: A hospital classifies patient medical records as 'Restricted' (requiring encryption, strict access controls, and audit logging), employee names and department as 'Internal' (accessible within the organization), and press releases as 'Public' (no access restrictions needed).
Personally Identifiable Information (PII)
PII is any information that can be used to identify, contact, or locate a specific individual, either alone or when combined with other data. Direct identifiers include names, Social Security numbers, and biometric data. Quasi-identifiers like ZIP code, date of birth, and gender can identify individuals when combined. PII protection is central to privacy regulations and requires specific security controls.
Example: A dataset containing first name, last name, date of birth, and ZIP code constitutes PII because these quasi-identifiers, when combined, can uniquely identify most individuals in the U.S. population, even though no single field is a direct identifier.
GDPR (General Data Protection Regulation)
GDPR is a comprehensive data protection law enacted by the European Union in 2018 that governs how organizations collect, process, store, and share personal data of EU residents. Key principles include lawful basis for processing, data minimization, purpose limitation, storage limitation, and individual rights (access, rectification, erasure, portability). GDPR applies to any organization handling EU residents' data, regardless of where the organization is located, with fines up to 4% of annual global revenue.
Example: A U.S.-based e-commerce company that sells to EU customers must comply with GDPR by obtaining explicit consent before collecting personal data, providing a mechanism for users to request deletion of their data, and reporting data breaches to authorities within 72 hours.
Key Management
Key management encompasses the policies, procedures, and technology for generating, distributing, storing, rotating, revoking, and destroying cryptographic keys throughout their lifecycle. Poor key management can render even the strongest encryption useless. Key management systems (KMS) and hardware security modules (HSMs) provide centralized, secure key storage with access controls and audit logging.
Example: An organization using AWS KMS generates a master encryption key stored in a hardware security module, then uses envelope encryption: the master key encrypts data keys, and data keys encrypt the actual data. Keys are automatically rotated annually, and access is controlled through IAM policies.
Data Lifecycle Management
Data lifecycle management is the practice of governing data from its creation through storage, use, sharing, archival, and eventual destruction. Each stage has specific security requirements: creation requires classification, storage requires encryption and access controls, use requires audit logging, sharing requires data loss prevention, archival requires integrity verification, and destruction requires secure deletion that prevents recovery.
Example: A financial firm's data lifecycle policy specifies that customer transaction records are encrypted at creation, stored in access-controlled databases, retained for 7 years per regulatory requirements, archived to encrypted cold storage after 2 years, and securely destroyed using cryptographic erasure after the retention period expires.
