Getting Started

In order to implement encryption effectively throughout an institution of higher education, start by developing a strategy that incorporates risk management, compliance requirements, data protection, policies, and standards.

  1. Develop requirements. The following Guide chapters can help.
    1. Chapter 8, Asset Management, discusses the need to identify and categorize/classify all of your information assets. Knowing where confidential information (e.g., SSNs, PII) resides is a critical component of an encryption strategy.
    2. Chapter 9, Access Control, addresses the need to ensure that only authorized access to information resources occurs. Confidential information needs to be protected throughout its lifecycle (access, processing, transmission, storage).
    3. Chapter 18, Compliance, covers the legal and information security requirements that stipulate the need to protect specific types of information. Requirements such as PCI DSS and HIPAA call for encrypting specific types of data (cardholder data, electronic protected health information).
    4. The Risk Management chapter emphasizes the importance of analyzing risks to information. Risk treatment activities may include deploying encryption solutions to protect confidential information.
    5. Chapter 5, Information Security Policies, stresses that policies set the direction institutional leadership wants to take with regard to information security goals and objectives. An institutional encryption strategy that is to be widely supported and adopted needs the backing of institutional leadership.
  2. Seek to protect data at rest and in motion using Full Disk Encryption (FDE) solutions and transport layer encryption protocols.

  3. Ensure that your encryption keys are sufficiently strong and well protected by using vetted commercial and open-source encryption products.

  4. Use encryption algorithms that are up-to-date and strong. AES 256-bit encryption is the gold standard for FDE. TLS 1.2 is the current gold standard for transport layer security.

  5. Provide a means for institutional staff to process confidential data while it is encrypted. Ensure secure data transfer environments in internal and external communication channels.

  6. Protect encryption keys by using long, complex passwords with proper access rights to the keys. Maintain audit logs of access to encryption keys.

  7. Develop a key management process that automates the verification of identity and access rights. Active Directory can ensure that only active institutional users are able to authenticate to and access secured resources.

Note: Encryption is often computationally intensive and may degrade the performance of IT applications or infrastructure if it is not implemented optimally. Calculate the performance requirements of enterprise services and end users before implementing encryption. Develop an implementation strategy, gather requirements, complete test plans, deploy following the product's best practices, and manage the encryption solution on an ongoing basis.


Chapter Summary

This chapter provides a top-level overview of cryptography and addresses topics from symmetric key cryptography to public key cryptography, various encryption standards, and various cryptographic libraries. Two sections focus on the two key areas addressed in the ISO document: policy on the use of cryptography, and key management.

Overview

In the context of information security, cryptography covers a broad range of topics for securing data. Encryption is the conversion of “cleartext” into “ciphertext”. The reverse process, “ciphertext” to “cleartext”, is referred to as decryption. Applied properly, cryptographic controls provide considerable protection for the confidentiality of data and, when coupled with other related methods, extend integrity and authenticity safeguards to data both at rest and in transit.

...

It is important to note that encryption is one more layer in an institution's security framework, not a quick fix for every security risk an organization faces. Data is decrypted on servers and held in memory while it is being processed, and an unauthorized person with access to your server or network can still steal it there. Encryption is added for defense in depth.


Cryptographic Controls (ISO 10.1)


Objective: Describe considerations for an encryption policy ensuring the protection of information confidentiality, integrity, and authenticity (CIA).

When considering cryptographic controls it is often helpful to first consider your institution’s data. This data exists in one of three states: at rest, in transit, or undergoing processing (see graphic below). Data is particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (storing data at rest) are a common target for physical theft, while attackers may intercept data in transit over a network through man-in-the-middle attacks or packet capture and analysis. Unauthorized access may also occur while data is being processed, but here security systems may rely on the processing application to control and report on such access attempts. When used appropriately, encryption is a powerful tool for preventing unauthorized access to data.

[Figure: Data States (3_states_of_data.jpg)]

Data States and Encryption Methods

Data State             | Examples                                          | Relevant Encryption Methods
Data In Use/Processing | Credit card use, W-2 processing, research data    | Data is decrypted to be used; data masking of particularly sensitive data should be considered.
Data At Rest           | Fileserver storage, desktop files, external media | Full Disk Encryption, Container Based Encryption
Data In Motion         | SFTP, HTTPS, SMTPS                                | TLS (SSL is deprecated); IPsec

...

Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech


Cryptographic Standards

There are many standards in cryptography that are used for various issues and solutions. The most common standards are listed here.

...

Cryptographic hash functions are used for identity verification with digital signatures, file integrity verification, and fingerprinting of messages for authentication. SHA-256 and SHA-512 are examples of cryptographic hash functions.
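As an added example (not part of the chapter), the two hash-function uses named above, file integrity verification and message fingerprinting for authentication, using only Python's standard library; the file contents, message and key are constructed samples. The comments note the practitioner's caveat that a bare digest only proves integrity against a trusted reference value, while the keyed HMAC form is what authenticates the sender.

```python
import hashlib
import hmac

# Constructed sample inputs (not real files, traffic or keys).
SAMPLE_FILE = b"grades-export.csv: constructed sample contents\n"
SAMPLE_MESSAGE = b"transfer 250.00 to account 12345"
SHARED_KEY = b"constructed-demo-key-replace-in-production"

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as hex; used as a file fingerprint."""
    return hashlib.sha256(data).hexdigest()

def sha512_hex(data: bytes) -> str:
    """SHA-512 digest of data as hex (longer output, same usage)."""
    return hashlib.sha512(data).hexdigest()

def verify_file_integrity(data: bytes, published_sha256: str) -> bool:
    """Integrity check: recompute the digest and compare it with one obtained
    from a trusted source (e.g. a vendor's download page). A bare hash only
    helps when the reference digest itself is trusted, because anyone who can
    alter the data can also recompute its digest."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())

def tag_message(key: bytes, message: bytes) -> str:
    """Authentication: HMAC-SHA256 keyed fingerprint. Only a holder of the key
    can produce a matching tag, so it authenticates the sender as well as
    detecting modification."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak digest bytes."""
    return hmac.compare_digest(tag_message(key, message), tag)

def tampering_is_detected(key: bytes, original: bytes, tampered: bytes) -> bool:
    """A tag computed over the original message must fail on a modified one."""
    tag = tag_message(key, original)
    return verify_message(key, original, tag) and not verify_message(key, tampered, tag)

if __name__ == "__main__":
    reference = sha256_hex(SAMPLE_FILE)  # what a trusted publisher would list
    print("file intact:", verify_file_integrity(SAMPLE_FILE, reference))
    print("file altered:", verify_file_integrity(SAMPLE_FILE + b"x", reference))
    print("tampering detected:",
          tampering_is_detected(SHARED_KEY, SAMPLE_MESSAGE,
                                b"transfer 2500.00 to account 12345"))
```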

References:

Cryptographic Libraries

Software developers and vendors usually write cryptographic libraries for various platforms. OpenSSL, the open-source secure socket layer library, is arguably one of the most popular and most widely used cryptographic libraries. OpenSSL is used as the default cryptographic library for *NIX systems, including all Linux variants, all BSD variants, and macOS. Microsoft operating systems use the Microsoft Cryptographic Provider, which is also the foundation for .NET cryptography. Other common cryptographic libraries include the Java Cryptography library and Wei Dai's Crypto++ library.

...


Resources


Campus Case Studies On This Page
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources


Standards

ISO
  27002:2013 Information Security Management, Chapter 10: Cryptography
  ISO/IEC 9796-2:2010
  ISO/IEC 9797-1:2011
  ISO/IEC 9798-2:2008
  ISO/IEC 11770-1:2010
  ISO/IEC 14888-1:2008
  ISO/IEC 18033-1:2005

NIST
  800-111
  800-56A
  FIPS 180-4

COBIT
  DS5.8
  APO11.02
  APO11.05
  BAI03.03
  DSS01.01
  DSS01.02
  DSS01.04
  DSS01.05
  DSS05.01
  DSS05.02
  DSS05.03
  DSS05.06
  DSS06.05

PCI DSS
  Req 3
  Req 4

2014 Cybersecurity Framework
  PR.DS-1: Data-at-rest is protected
  PR.DS-2: Data-in-transit is protected
  PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  PR.DS-5: Protections against data leaks are implemented
  PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

HIPAA Security
  45 CFR 164.312(e)(1)
  45 CFR 164.312(a)(1)


...


...