IT Security: Encryption Methods and Recommended Practices

mountainrome, Internet and Web Applications

31 Oct 2013 (3 years and 5 months ago)

53 views

mountainrome_5bb69122-2741-405e-b15f-c4fc39e10554.docx

Page 1


Background

The Information Classification and Handling Standard, in conjunction with the “IT Security Standard: Computing Devices”, identifies the requirements for Level 1 data. The most reliable way to protect Level 1 data is to avoid retention, processing or handling of such data.

Level 1 data must be protected with security controls to adequately ensure the confidentiality, integrity and availability of that data. Data encryption is not a substitute for other information protection controls, such as physical access, authentication, authorization or network controls. Data encryption is a method to reduce risk, in conjunction with the other requirements listed in the “IT Security Standard: Computing Devices”.

Data encryption must comply with applicable laws and regulations. Any travel abroad, sharing of encrypted data, or export or import of encryption products (e.g., source code, software, or technology) must comply with the applicable laws and regulations of the countries involved. This includes those countries represented by foreign nationals affiliated with the University. The United States Department of Commerce provides additional guidance specific to such encryption export controls: http://www.bis.doc.gov/encryption/

Data encryption involves encryption keys that must be protected. In the event of compromise or loss of keys involving Level 1 data, all affected keys must be revoked and/or changed and redistributed. These incidents must be reported to abuse@calpoly.edu.

Scope

This document identifies tools that can encrypt data using methods sufficient to meet the University’s Information Classification and Handling Standard, when used in conjunction with the other requirements listed in the “IT Security Standard: Computing Devices”.

All Level 1 data encryption exceptions must be documented, reviewed and approved by the Information Security Officer (ISO).

A Word of Caution

Encrypting data makes it unreadable unless the software managing the encryption algorithm is presented the appropriate credentials and keys to unlock the encrypted data. This means that if the appropriate authentication and/or keys are unavailable or become corrupted, data could be lost.

Example: a laptop has been configured to encrypt the entire hard drive; if the user forgets the password or cannot access the key(s), the data and the entire system will not be recoverable.

When transferring data from a device with encrypted data to another device, it must remain encrypted.

Example: encrypted Level 1 data that is copied from a desktop to a USB drive (or external hard drive) will not be encrypted unless the storage media is also managed as an encrypted device.

The most reliable way to protect Level 1 data is to avoid retention, processing or handling of such data.



If Level 1 data must be stored, the University strongly recommends storage on enterprise servers, not on single-user devices, such as workstations, laptops, mobile devices, smartphones, cell phones or external storage media.


Encryption Requirements

Storage Media | Characteristic(s) | Level 1 | Level 2 | Level 3
--- | --- | --- | --- | ---
Servers | Enterprise (many users). Includes database, application and web servers; file and print servers. | May be Required ** | Recommended | Optional
Workstations | Varies (single to many users). Examples: offices (private or shared); open work areas; public service areas; research areas; computer labs. | Required | Recommended | Optional
Laptops, Mobile Devices | Single user: office, shared area. | Required | Recommended | Optional
Smartphones, Cell Phones | Single user. | Required | Recommended | Optional
Storage Media external to a computing device * | Varies (single to many users). | Required | Recommended | Optional

* Storage Media is defined as any electronic device that can be used to store data. External Storage Media includes but is not limited to: external hard drives, CDs, DVDs, USB/flash drives, backup tapes, SD cards, and similar technologies.

** The IT Security Standard: Computing Devices and the Information Security Network Standard require specific physical and network protection for servers containing Level 1 data. When these requirements are met, encryption of the data contained on the server may not be necessary. In the event that an exception to the physical or network requirements is granted, encryption of the data residing on the server will be one of the required controls.

Tools

When properly configured, the following tools meet campus encryption standards for Level 1 data:

TrueCrypt.org (free; open source; Mac OS X, Linux, Windows 7/Vista/XP)

o Frequently Asked Questions - http://www.truecrypt.org/faq
o Beginner’s Tutorial - http://www.truecrypt.org/docs/?s=tutorial
o Downloads - http://www.truecrypt.org/downloads
o Screenshots - http://www.truecrypt.org/screenshots (includes Apple, Windows, Linux)
o Technical Documentation - http://www.truecrypt.org/docs/

Windows BitLocker (free; via centralized Active Directory services; Windows 7, 2008 Server)

o Frequently Asked Questions - http://technet.microsoft.com/en-us/library/cc731549%28WS.10%29.aspx
o Beginner’s Tutorial - http://windows.microsoft.com/en-US/windows7/products/features/bitlocker
o Downloads - http://www.truecrypt.org/downloads
o Screenshots - http://windows.microsoft.com/en-US/windows7/products/features/bitlocker
o Technical Documentation - http://go.microsoft.com/fwlink/?LinkId=140225
o “To Go” Reader - http://windows.microsoft.com/en-US/Windows7/what-is-the-bitlocker-to-go-reader

Encryption Approaches

The following approaches are used when deciding what and how to encrypt Level 1 data:

1) Full Disk Encryption (encrypting all data on the storage media)

2) Container or Volume Encryption (designating a specific virtual container/disk volume to encrypt)

3) File or Folder Encryption (encrypting specific files or folders as needed)

4) Application Encryption (using an application that is capable of encrypting the data)


Considerations and Trade-offs

Full Disk

o All information is automatically encrypted by the installed software.
o Loss or corruption of the authentication credentials or keys would result in loss of the entire system.
o Performance (e.g. processing overhead may result in slowness).

Volume

o Information is encrypted when placed on the designated volume/container.
o Loss or corruption of the authentication credentials or keys results in the loss of data on the volume only.
o Requires manual management to ensure appropriate data is placed in the volume.

File

o Each designated data file must be managed.
o Loss or corruption of the authentication credentials or keys results in the loss of data in the file only.
o Requires manual management to ensure appropriate data is encrypted.

Application

o Information used by the application is encrypted based on the application’s capabilities.
o Loss or corruption of the authentication credentials or keys results only in the loss of data associated with the application.
o Only data managed by the application is encrypted.
o Users and application administrators must understand the scope of the data the application encrypts.
o Data extracted from the application may not be encrypted.

Responsibilities

Information Security Office (ISO) Responsibilities

1. Assess the secure installation and maintenance of encryption controls at the University.

2. Assess the performance and security monitoring for elements of encryption control processes.

3. Assess key management processes.

4. Review and approve appropriate encryption exception requests.

Key Manager Responsibilities (enterprise, multi-user devices)

1. Adherence to the CSU policies, campus policies, and standards.

2. Ensure secure installation and maintenance of all respective equipment supporting encryption controls.

3. Ensure performance and security monitoring for all respective elements of encryption control processes.

4. Ensure all related key management processes can be accounted for in detail and, if possible, that no single key management supporting staff member can individually obtain full access to master keys or CA encryption keys (e.g., separation of duties, dual control, etc.).

User Responsibilities (single-user devices)

1. Adherence to the CSU policies, campus policies, and standards.

2. All users must manage the storage and transmission of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files.


3. All users should establish a key escrow agreement, which will identify the required escrow of the subscriber’s private key.

4. Questions about the classification of a specific piece of data should be addressed to the department information security designate.

Management of Systems with Encrypted Data

1. Encryption keys used to protect Level 1 data shall also be considered Level 1 data.

2. Key management processes shall be in place to prevent unauthorized disclosure of Level 1 data or irretrievable loss of important data. This includes:

o Authentication to access encryption keys (e.g. must adhere to campus password standards)
o Key generation (e.g. master keys changed once per year; key encrypting keys twice per year)
o Key destruction (e.g. follow vendor’s user guides)
o Key recovery (e.g. point of contact identified)
o System maintenance (e.g. operating system patching following vendor’s user guides)

3. All University key management infrastructures shall create and implement an encryption key management plan to address the requirements of these encryption guidelines, other University and CSU regulations, and applicable State and Federal laws.

o The encryption key management plan shall ensure data can be decrypted when access to data is necessary. Backup or other strategies (e.g., key escrow, recovery agents, etc.) shall be implemented to enable decryption, thereby ensuring data can be recovered in the event of loss or unavailability of encryption keys.
o The encryption key management plan shall address handling the compromise or suspected compromise of encryption keys. The plan shall address what actions shall be taken in the event of a compromise (e.g., with system software and hardware, private keys, or encrypted data).
o The encryption key management plan shall also address the destruction or revocation of encryption keys that are no longer in use (e.g., the user has left the University) or that aren’t associated with a key management program.
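The key management items above (key encrypting keys rotated on a schedule, a recovery path such as key escrow or a recovery agent, and a revoked key no longer opening anything) and the point made under Considerations and Trade-offs (losing a key loses only the data that key protects) can be seen together in a small key hierarchy. The Go program below is an added example written for this page; it is not the University's tooling and not code from the document or from the tools it lists. It uses AES-256-GCM from the Go standard library. Every name in it (userKEK, recoveryKey, EncryptedFile, RotateUserKEK, the sample file contents) is constructed for illustration and is an assumption of the example, not something the document defines.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed key hierarchy for this example (not the University's design):
//   data key (DEK): one per file, encrypts that file only
//   user KEK:       wraps the DEK; rotated without re-encrypting the data
//   recovery key:   held by a recovery agent; a second wrap of the DEK (escrow)

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable entropy source: refuse to continue
	}
	return k
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; here it binds the file name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key or a modified blob fails authentication.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptedFile is one file's ciphertext plus its DEK wrapped twice:
// under the user's KEK and under the recovery agent's key.
type EncryptedFile struct {
	Name        string
	Ciphertext  []byte
	DEKForUser  []byte
	DEKForAgent []byte
}

// EncryptFile generates a fresh DEK per file, so losing one DEK loses that file only.
func EncryptFile(name string, data, userKEK, recoveryKey []byte) (*EncryptedFile, error) {
	dek := newKey()
	aad := []byte(name)
	ct, err := seal(dek, data, aad)
	if err != nil {
		return nil, err
	}
	forUser, err := seal(userKEK, dek, aad)
	if err != nil {
		return nil, err
	}
	forAgent, err := seal(recoveryKey, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Name: name, Ciphertext: ct, DEKForUser: forUser, DEKForAgent: forAgent}, nil
}

// DecryptFile unwraps the DEK with the user's KEK, or with the recovery agent's
// key when the user's credentials are lost, and then decrypts the file.
func DecryptFile(f *EncryptedFile, key []byte, viaRecoveryAgent bool) ([]byte, error) {
	wrapped := f.DEKForUser
	if viaRecoveryAgent {
		wrapped = f.DEKForAgent
	}
	dek, err := unseal(key, wrapped, []byte(f.Name))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key for %s: %w", f.Name, err)
	}
	return unseal(dek, f.Ciphertext, []byte(f.Name))
}

// RotateUserKEK re-wraps the DEK under a new KEK. The ciphertext is untouched,
// which is what makes scheduled KEK rotation cheap; the old KEK no longer works.
func RotateUserKEK(f *EncryptedFile, oldKEK, newKEK []byte) error {
	dek, err := unseal(oldKEK, f.DEKForUser, []byte(f.Name))
	if err != nil {
		return err
	}
	rewrapped, err := seal(newKEK, dek, []byte(f.Name))
	if err != nil {
		return err
	}
	f.DEKForUser = rewrapped
	return nil
}

func main() {
	userKEK, recoveryKey := newKey(), newKey()
	f, _ := EncryptFile("grades.csv", []byte("constructed Level 1 sample"), userKEK, recoveryKey)
	if _, err := DecryptFile(f, newKey(), false); err != nil { // stands in for a lost key
		fmt.Println("lost user key:", err)
	}
	pt, _ := DecryptFile(f, recoveryKey, true)
	fmt.Println("recovery agent path:", string(pt))
	_ = RotateUserKEK(f, userKEK, newKey())
}
```

Without the recovery wrap, a forgotten password or corrupted key is exactly the unrecoverable case the Word of Caution section describes; with it, the recovery agent's key is itself Level 1 data and needs the dual-control handling listed under Key Manager Responsibilities.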

Resources

NIST Guide to Storage Encryption Technologies for End User Devices
http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

NIST Special Publication 800-57: Recommendations for Key Management
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf

NIST Cryptographic Algorithms and Key Sizes for Personal Identity Verification (February 2010)
http://csrc.nist.gov/publications/nistpubs/800-78-2/sp800-78-2.pdf

Disk Encryption Software and Comparison Matrix
http://en.wikipedia.org/wiki/Disk_encryption_software
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software