IT Security: Encryption Methods and Recommended Practices
Background
The Information Classification and Handling Standard, in conjunction with IT Security Standard: Computing Devices, identifies the requirements for Level 1 data. The most reliable way to protect Level 1 data is to avoid retention, processing or handling of such data.
Level 1 data must be protected with security controls to adequately ensure the confidentiality, integrity and availability of that data. Data encryption is not a substitute for other information protection controls, such as physical access, authentication, authorization or network controls. Data encryption is a method to reduce risk, in conjunction with other requirements listed in IT Security Standard: Computing Devices.
Data encryption must comply with applicable laws and regulations. Any travel abroad, sharing of encrypted data, export or import of encryption products (e.g., source code, software, or technology) must comply with the applicable laws and regulations of the countries involved. This includes those countries represented by foreign nationals affiliated with the University. The United States Department of Commerce provides additional guidance specific to such encryption export controls explained in Controls That Use Encryptions.
Data encryption involves key codes that must be protected. In the event of compromise or loss of keys involving Level 1 data, all affected keys must be revoked and/or changed and redistributed. These incidents must be reported to abuse@calpoly.edu.
Scope
This document identifies tools that can encrypt data using methods sufficient to meet the University’s Information Classification and Handling Standard, when used in conjunction with other requirements listed in IT Security Standard: Computing Devices.
All Level 1 data encryption exceptions must be documented, reviewed and approved by the Information Security Officer (ISO).
A Word of Caution
Encrypting data makes it unreadable, unless the software managing the encryption algorithm is presented the appropriate credentials and keys to unlock the encrypted data. This means that if the appropriate authentication and/or keys are unavailable or become corrupted, data could be lost.
Example: a laptop has been configured to encrypt the entire hard drive – if the user forgets the password or cannot access the key(s), the data and the entire system will not be recoverable.
When transferring data from a device with encrypted data to another device, it must remain encrypted.
Example: encrypted Level 1 data that is copied from a desktop to a USB drive (or external hard drive) will not be encrypted – unless the storage media is also managed as an encrypted device.
The most reliable way to protect Level 1 data is to avoid retention, processing or handling of such data.
If Level 1 data must be stored, the University strongly recommends storage on enterprise servers – not on single-user devices, such as workstations, laptops, mobile devices, smartphones, cell phones or external storage media.
Encryption Requirements
| Storage Media | Characteristic(s) | Level 1 | Level 2 | Level 3 |
|---|---|---|---|---|
| Servers | Enterprise (many users). | May be Required ** | Recommended | Optional |
| Workstations | Varies (single to many users). Examples: Offices (private or shared); open work areas; public service areas; research areas; computer labs. | Required | Recommended | Optional |
| Laptops, Mobile Devices | Single user. | Required | Recommended | Optional |
| Smartphones, | Single user. | Required | Recommended | Optional |
| Storage Media external to a computing device * | Varies | Required | Recommended | Optional |
* Storage Media is defined as any electronic device that can be used to store data. External Storage Media includes but is not limited to: external hard drives, CDs, DVDs, USB/flash drives, backup tapes, SD cards, and similar technologies.
** The IT Security Standard: Computing Devices and the Information Security Network Standard require specific physical and network protection for servers containing Level 1 data. When these requirements are met, encryption of the data contained on the server may not be necessary. If an exception to the physical or network requirements is granted, encryption of the data residing on the server becomes one of the required controls.
Tools
When properly configured, the following tools meet campus encryption standards for Level 1 data:
Windows BitLocker (free; via centralized Active Directory services; Windows 7, 2008 Server)
- Frequently Asked Questions
- Beginner’s Tutorial
- Downloads
- Screenshots
- Technical Documentation
- “To Go” Reader
Encryption Approaches
The following approaches are used when deciding “what” and “how” to encrypt Level 1 data:
- Full Disk Encryption (encrypting all data on the storage media)
- Container or Volume Encryption (designating a specific virtual container/disk volume to encrypt)
- File or Folder Encryption (encrypting specific files or folders as needed)
- Application Encryption (using an application that is capable of encrypting the data)
| Type | Considerations and Trade-offs |
|---|---|
| Full Disk | |
| Container or Volume | |
| File or Folder | |
| Application | |
Responsibilities
Information Security Office (ISO) Responsibilities
- Assess the secure installation and maintenance of encryption controls at the University.
- Assess the performance and security monitoring for elements of encryption control processes.
- Assess key management processes.
- Review and approve appropriate encryption exception requests.
Key Manager Responsibilities (enterprise, multi-user devices)
- Adhere to CSU policies, campus policies, and standards.
- Ensure secure installation and maintenance of all respective equipment supporting encryption controls.
- Ensure performance and security monitoring for all respective elements of encryption control processes.
- Ensure all related key management processes can be accounted for in detail and, if possible, that no single member of the key management support staff can individually obtain full access to master keys or CA encryption keys (e.g., separation of duties, dual control, etc.).
User Responsibilities (single-user devices)
- Adhere to CSU policies, campus policies, and standards.
- All users must manage the storage and transmission of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files.
- All users should establish a key escrow agreement, which will identify the required escrow of the subscriber’s private key.
- Questions about the classification of a specific piece of data should be addressed to the department information security designate.
Management of Systems with Encrypted Data
- Encryption keys used to protect Level 1 data shall also be considered Level 1 data.
- Key management processes shall be in place to prevent unauthorized disclosure of Level 1 data or irretrievable loss of important data. This includes:
  - Authentication to access encryption keys (e.g., must adhere to campus password standards)
  - Key generation (e.g., master keys changed once per year; key encrypting keys twice per year)
  - Key destruction (e.g., follow vendor’s user guides)
  - Key recovery (e.g., point of contact identified)
  - System maintenance (e.g., operating system patching – following vendor’s user guides)
- All University key management infrastructures shall create and implement an encryption key management plan to address the requirements of these encryption guidelines, other University and CSU regulations, and applicable State and Federal laws.
- The encryption key management plan shall ensure data can be decrypted when access to data is necessary. Backup or other strategies (e.g., key escrow, recovery agents, etc.) shall be implemented to enable decryption, thereby ensuring data can be recovered in the event of loss or unavailability of encryption keys.
- The encryption key management plan shall address handling the compromise or suspected compromise of encryption keys. The plan shall address what actions shall be taken in the event of a compromise (e.g., of system software and hardware, private keys, or encrypted data).
- The encryption key management plan shall also address the destruction or revocation of encryption keys that are no longer in use (e.g., the user has left the University) or that aren’t associated with a key management program.
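The following PowerShell script is an added example, not part of the campus standard or of Microsoft's documentation: it ties the BitLocker tool listed above to the key escrow and key recovery requirements in this section by checking that a volume is fully encrypted with protection on, locating its recovery-password protector(s), and backing them up to Active Directory with manage-bde. The volume letter, an elevated session, English-language manage-bde output, and a Group Policy that permits storing BitLocker recovery information in AD DS are assumptions.

```powershell
<#
  Added example (not the campus standard's own code): audit a Level 1 Windows
  workstation for BitLocker full-disk protection and escrow its recovery
  password in Active Directory. Uses manage-bde.exe (Windows 7 / Server 2008 R2
  and later). Assumes an elevated session, English manage-bde output, and Group
  Policy that allows BitLocker recovery information to be stored in AD DS.
#>
param([string]$Volume = 'C:')   # assumed volume letter; adjust for the device

function Test-BitLockerProtected {
    param([string]$Volume)
    # manage-bde emits one string per output line; join them so the regexes
    # see the whole status report at once.
    $report = (manage-bde -status $Volume) -join "`n"
    return ($report -match 'Conversion Status:\s+Fully Encrypted') -and
           ($report -match 'Protection Status:\s+Protection On')
}

function Get-RecoveryPasswordIds {
    param([string]$Volume)
    # Recovery-password protectors appear under a "Numerical Password:" heading
    # followed by an "ID: {GUID}" line. Collect every such ID.
    $ids = @()
    $inNumerical = $false
    foreach ($line in (manage-bde -protectors -get $Volume)) {
        if ($line -match '^\s*Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumerical = $false
        }
    }
    return $ids
}

if (-not (Test-BitLockerProtected -Volume $Volume)) {
    Write-Warning "$Volume is not fully encrypted with protection on; it does not meet the Level 1 requirement."
    exit 1
}

$ids = @(Get-RecoveryPasswordIds -Volume $Volume)
if ($ids.Count -eq 0) {
    # With no recovery password there is nothing to escrow: a forgotten PIN or
    # a TPM failure would make the data unrecoverable (see "A Word of Caution").
    Write-Warning "$Volume has no recovery-password protector; add one before storing Level 1 data."
    exit 1
}

foreach ($id in $ids) {
    # Escrow the recovery password in AD DS so the designated key recovery
    # contact can restore access if the user's credentials are lost.
    manage-bde -protectors -adbackup $Volume -id $id
    if ($LASTEXITCODE -ne 0) { Write-Warning "AD backup of protector $id failed (exit $LASTEXITCODE)." }
}
```

The AD backup step fails when the domain schema or Group Policy does not permit storing recovery information, so a non-zero exit code from manage-bde should be treated as an unmet escrow requirement rather than ignored.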
Resources
- NIST Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-57: Recommendations for Key Management Part 1
- NIST Special Publication 800-57: Recommendations for Key Management Part 2
- NIST Special Publication 800-57: Recommendations for Key Management Part 3
- NIST Cryptographic Algorithms and Key Sizes for Personal Identity Verification (May 2015)
- Disk Encryption Software and Comparison Matrix