Information Security Policy and Standards:
Data Encryption
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption, in which the encrypted information is made readable again.
Encryption is frequently used to protect the confidentiality of data stored on computing devices such as laptops and desktops. It is also commonly used to protect data on USB flash drives, external hard drives and backup media such as DVDs, CDs and backup tapes.
Purpose:
This document provides the University community with the information required to effectively and efficiently plan, prepare and deploy encryption solutions in order to secure Legally/Contractually Restricted Information (Sensitive Data).
The focus is on providing a range of tools for the most common systems that are likely to be deployed in the University environments which store, transmit or process Sensitive Data.
When properly implemented, encryption provides an enhanced level of assurance that the data, while encrypted, cannot be viewed or otherwise discovered by unauthorized parties in the event of theft, loss or interception.
The cost of the encryption technologies and associated controls should be commensurate with the sensitivity and value of the data to be protected. Factors that contribute to the cost of an encryption solution include software licenses and staff resources related to planning, deployment and support.
NUIT’s Information and Systems Security/Compliance department (ISS/C) is available as a resource for consultation at any stage of the deployment of an encryption solution.
Audience:
- All Faculty and Staff
- All contractors, vendors and any others (including 3rd parties) entrusted with University Sensitive Data.
Policy Statement:
Schools, departments and business functions are required to employ University-approved encryption solutions to preserve the confidentiality and integrity of, and control accessibility to, University data classified as "Legally/Contractually Restricted" where this data is processed, stored or transmitted using University-approved systems.
Scope:
This policy applies to any commonly used user-level system or device in use at the University that processes, stores or transmits University Sensitive Data (e.g. laptops, desktops, PDAs, etc.).
This policy does not currently cover desktops or servers running the Unix/Linux operating system (with the exception of Mac OS X). Nor does it extend to enterprise-level systems such as servers and databases, or to network infrastructure systems (e.g. Public Key Infrastructure, PKI).
Standards:
- Approved Methodologies
The Encryption Products detailed in Appendix D are the solutions approved for use in protecting the University’s Sensitive Data.
- Data Restrictions
- Processing, storage and transmission of Sensitive Data is permitted to departmental servers, network drives and departmental workstations where said data is:
- encrypted using an Approved Solution, or
- subject to Compensating Controls (See Appendix C. Definitions).
- A laptop or PDA is prohibited from processing, storing or transmitting Sensitive Data unless said data is encrypted using an Approved Solution.
- Key Construction
Encryption keys should be easy to remember yet not easily guessed or cracked. The following guidelines should be followed in order to pick a strong key.
- Consists of at least twelve characters
- Contains uppercase and lowercase characters
- Contains at least one number
- Contains at least one special character (e.g. !, @, #, $, %, ^, &, *). Blanks may also be used.
- Not a dictionary word, proper name or any tidbit of information that can be deduced about the user (such as a personal phone number, birth date, children’s names, etc.)
The use of a pass-phrase is highly recommended: longer keys are typically stronger keys if they are assembled correctly (e.g. without repeating characters). A sentence construction is typically effective and easy to remember.
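As an added illustration (not part of the University's standard or of any product it names), the following Go program encodes the Key Construction rules above as a checker that reports which rules a candidate key fails. The dictionary and the personal-detail list are constructed stand-ins; a real deployment would load a full word list and the user's own details. The run-of-repeated-characters check is this example's reading of the advice to avoid repeating characters.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed stand-in for a dictionary of common words; a real deployment
// would load a full word list.
var dictionary = map[string]bool{
	"password": true, "welcome": true, "northwestern": true, "encryption": true,
}

// CheckKey applies the Key Construction rules to a candidate key and returns
// the rules it fails; an empty result means the key is acceptable.
// personal holds details that can be deduced about the user (names, phone
// numbers, birth dates) and must not appear anywhere in the key.
func CheckKey(candidate string, personal []string) []string {
	var failures []string
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsSpace(r), unicode.IsPunct(r), unicode.IsSymbol(r):
			special = true // the standard allows blanks as well as !, @, #, ...
		}
	}
	if len([]rune(candidate)) < 12 {
		failures = append(failures, "fewer than twelve characters")
	}
	if !upper || !lower {
		failures = append(failures, "must contain both uppercase and lowercase characters")
	}
	if !digit {
		failures = append(failures, "must contain at least one number")
	}
	if !special {
		failures = append(failures, "must contain at least one special character")
	}
	lowered := strings.ToLower(strings.TrimSpace(candidate))
	if dictionary[lowered] {
		failures = append(failures, "is a dictionary word")
	}
	for _, p := range personal {
		if p != "" && strings.Contains(lowered, strings.ToLower(p)) {
			failures = append(failures, "contains personal information: "+p)
		}
	}
	if longestRun(candidate) >= 3 {
		failures = append(failures, "contains a run of repeated characters")
	}
	return failures
}

// longestRun returns the length of the longest run of one repeated character.
func longestRun(s string) int {
	best, run := 0, 0
	var prev rune = -1
	for _, r := range s {
		if r == prev {
			run++
		} else {
			run, prev = 1, r
		}
		if run > best {
			best = run
		}
	}
	return best
}

func main() {
	// Constructed candidates: a weak single word and a sentence-style pass-phrase.
	for _, k := range []string{"password", "Correct horse battery staple 9!"} {
		if f := CheckKey(k, []string{"Rex", "2001"}); len(f) == 0 {
			fmt.Printf("%q: accepted\n", k)
		} else {
			fmt.Printf("%q: rejected (%s)\n", k, strings.Join(f, "; "))
		}
	}
}
```

The check is deliberately a whole-string match against the dictionary, so a sentence pass-phrase that happens to contain common words is still accepted, while personal details are rejected wherever they appear.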
- Key Management
Proper key management is essential to the effective use of cryptography. Keys are analogous to the combination of a safe. Weak or poorly protected keys will compromise any cryptographic system. All keys need to be protected against unauthorized substitution and modification. Secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys.
- Secret Key (Symmetric) Method
This method uses a single key for encryption and decryption which is shared between sender and recipient. Secret key methods assume that the communications medium between sender and recipient is secure and that the secret key is not subject to compromise in transit. Most stand-alone encryption products use this method.
- Public Key (Asymmetric) Method
This method uses a pair of keys, one private and one public. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key. Public key methods assume that the communications medium between sender and recipient is not secure (e.g. the internet).
- Encryption Algorithms
AES (Advanced Encryption Standard) is the recommended encryption algorithm for all encryption solutions. It has been adopted by the U.S. Government and is used worldwide based on its strength and speed.
Blowfish is a general purpose encryption algorithm developed as a replacement for the deprecated DES algorithm. It is an acceptable alternative to AES.
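The following Go program, added here as an example and not taken from the standard or from any of the products it lists, shows the two methods working together in the way most products combine them: the data is encrypted with AES-256 in GCM mode under a single secret key (the symmetric method), and that key is then encrypted with the recipient's RSA public key (the asymmetric method) so that it can cross an untrusted medium such as the internet. All key material is generated inside the program; the `Envelope` structure and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the insecure medium: the message sealed
// with a one-time AES-256-GCM key (secret-key method), plus that key
// sealed with the recipient's RSA public key (public-key method).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // 12-byte GCM nonce; never reused with the same key
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// gcm builds an AES-GCM instance for a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of recipientPub.
func Encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // fresh AES-256 data-encryption key per message
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Symmetric step: the bulk data under the shared secret key.
	ct := aead.Seal(nil, nonce, plaintext, nil)
	// Asymmetric step: the secret key under the recipient's public key, so
	// the medium need not be trusted to carry the shared secret.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt recovers the plaintext. It fails if priv does not match the public
// key used in Encrypt, or if any byte of the envelope was altered in transit.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("opening message: %w", err)
	}
	return pt, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: restricted student record")
	env, err := Encrypt(&recipient.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(recipient, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, msg))

	// A second key pair cannot unwrap the key, and a flipped ciphertext bit
	// is caught by the GCM tag instead of silently decrypting to garbage.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Decrypt(other, env)
	fmt.Println("wrong private key rejected:", err != nil)
	env.Ciphertext[0] ^= 0x01
	_, err = Decrypt(recipient, env)
	fmt.Println("tampering detected:", err != nil)
}
```

GCM was chosen over a bare block mode because it also protects integrity: a modified envelope fails to open rather than yielding corrupted plaintext, which is the property the Policy Statement asks for when it speaks of confidentiality and integrity together.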
Procedures:
Step 1 - Data Classification
Data classification is the process of assigning a level of sensitivity to data and determining to what degree the data needs to be controlled and secured. Differentiating between data of little or no value and data that is highly sensitive is crucial when selecting and deploying an encryption solution.
The process of classifying data is rarely simple. It is most often a collaborative process requiring the active participation of data owners who have the greatest familiarity with the data, and who are indispensable in accurately identifying the value of individual and aggregated data items.
Step 2 - Product Selection & Implementation
Encryption products should be selected based on the type of encryption they offer and the technical details of the system on which they will be installed, such as the operating system. Most products are available for only one operating system; some are available for multiple operating systems; and some are platform specific and included as part of a standard installation. The Guidelines below and Appendix D include scenarios and product details. Please note that ISS/C recommends the deployment of Check Point Full Disk Encryption (aka Pointsec) on laptops to take advantage of the full disk encryption and key recovery features provided by the product. NUIT’s Distributed Support Services (DSS) has a defined installation process which takes full advantage of the key recovery feature.
Step 3 - Key Creation
The construction of encryption/decryption keys should follow the established standards detailed above (see Standards, Key Construction).
Step 4 - Key Management
Encryption products use one or more cryptographic keys to encrypt and decrypt the data that they protect. Some products support the use of a recovery key that can be used to recover the encrypted data if the regular key is lost. If a key is lost or damaged, it may not be possible to recover the encrypted data. Departments need to ensure that all keys used in a storage encryption solution are secured and managed properly to support the security of the solution.
Extensive key management should be planned, covering secure key generation, use, storage and destruction. Consideration should be given to how these key management practices can support the recovery of encrypted data if a key is inadvertently disclosed, destroyed or becomes unavailable. Specific technical options should be tied to particular products.
Departments need to ensure that access to encryption keys is properly restricted. Authentication should be required in order to gain access to keys (passwords, tokens, etc.). The keys themselves should be physically secured with at least two upper-level trustees assigned access.
Step 5 - Key Recovery
The technical and procedural processes that are established and followed in order to retrieve or change encryption keys in a controlled and safe manner are referred to as key recovery. In the event of compromise or loss, all affected keys must be revoked and/or changed and redistributed. Some products incorporate key recovery as a technical feature.
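As an added example of the key-management and key-recovery practices described in Steps 4 and 5 (this code is not from the standard or from any product it names), the Go program below escrows a data-encryption key by wrapping it separately under each trustee's RSA public key, refuses to create a record with fewer than the two trustees the standard calls for, and shows how a lost key is revoked and the data key reissued to a replacement key through a second trustee. The `KeyRecord` type, its method names and the trustees themselves are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyRecord escrows one data-encryption key (DEK) by wrapping it separately
// under each trustee's RSA public key. Any single trustee can recover the
// DEK, so the loss of one key does not mean the loss of the data.
type KeyRecord struct {
	wraps map[string][]byte // trustee name -> RSA-OAEP(DEK)
}

func wrap(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
}

// NewKeyRecord escrows dek for every trustee; fewer than two is refused,
// matching the standard's "at least two upper-level trustees".
func NewKeyRecord(dek []byte, trustees map[string]*rsa.PublicKey) (*KeyRecord, error) {
	if len(trustees) < 2 {
		return nil, errors.New("at least two trustees must hold recovery access")
	}
	r := &KeyRecord{wraps: make(map[string][]byte, len(trustees))}
	for name, pub := range trustees {
		w, err := wrap(pub, dek)
		if err != nil {
			return nil, err
		}
		r.wraps[name] = w
	}
	return r, nil
}

// Recover returns the DEK using one trustee's private key.
func (r *KeyRecord) Recover(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := r.wraps[name]
	if !ok {
		return nil, fmt.Errorf("trustee %q has no access (revoked or never granted)", name)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, fmt.Errorf("trustee %q: private key does not match escrow", name)
	}
	return dek, nil
}

// Revoke removes a lost or compromised trustee key's access; the record
// never drops to zero wraps, which would make the data unrecoverable.
func (r *KeyRecord) Revoke(name string) error {
	if _, ok := r.wraps[name]; !ok {
		return fmt.Errorf("trustee %q not present", name)
	}
	if len(r.wraps) == 1 {
		return errors.New("refusing to revoke the last remaining recovery key")
	}
	delete(r.wraps, name)
	return nil
}

// Reissue redistributes the DEK to a new key for trustee name, using a
// second trustee (via, viaPriv) to recover it; any old wrap is replaced.
func (r *KeyRecord) Reissue(name string, newPub *rsa.PublicKey, via string, viaPriv *rsa.PrivateKey) error {
	dek, err := r.Recover(via, viaPriv)
	if err != nil {
		return err
	}
	w, err := wrap(newPub, dek)
	if err != nil {
		return err
	}
	r.wraps[name] = w
	return nil
}

// Trustees reports how many keys currently hold recovery access.
func (r *KeyRecord) Trustees() int { return len(r.wraps) }

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	custodian, _ := rsa.GenerateKey(rand.Reader, 2048)
	dek := make([]byte, 32)
	rand.Read(dek) // constructed: the key that actually protects the data
	rec, err := NewKeyRecord(dek, map[string]*rsa.PublicKey{
		"user": &user.PublicKey, "custodian": &custodian.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	// The user's key is lost: revoke it, then reissue the DEK to a
	// replacement key with the custodian acting as the recovering trustee.
	replacement, _ := rsa.GenerateKey(rand.Reader, 2048)
	_ = rec.Revoke("user")
	_ = rec.Reissue("user", &replacement.PublicKey, "custodian", custodian)
	_, oldErr := rec.Recover("user", user)
	_, newErr := rec.Recover("user", replacement)
	fmt.Println("old key rejected:", oldErr != nil, "replacement works:", newErr == nil)
}
```

Revocation alone only removes access; if the lost key was actually compromised, the data itself remains exposed under the unchanged DEK, so in that case the data would also have to be re-encrypted under a fresh DEK and the record rebuilt.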
Guidelines:
The following are recommendations on the use of Encryption Products.
The value of the data that requires protection and the system storing the data need to be considered carefully. Physical security refers to being able to control access to the system’s storage media. All encryption methods detailed in these guidelines are applicable to desktop and mobile systems.
A defense in depth approach is recommended when evaluating and deploying encryption products. In an ideal situation, full disk and/or boot disk encryption would be combined with file/folder encryption in order to provide two “layers” of encryption to protect data in the event the first layer is compromised. This typically involves a combination of boot/full disk encryption and file/folder encryption.
Commercial operating systems such as Windows Vista and Mac OS X provide integrated encryption solutions at no additional cost. ISS/C recommends the use of integrated encryption solutions in combination with preferred third-party products detailed in the following scenarios.
- Boot Disk Encryption
Scenario:
Mobile systems such as laptops are highly susceptible to theft and frequently contain valuable data. Boot disk encryption requires the key in order to start the operating system and access the storage media. In this scenario the operating system is removed as a vector for attack in the event of physical compromise. Boot disk encryption is typically implemented in conjunction with full disk encryption.
Product(s):
BitLocker, Check Point Full Disk Encryption, PGP Desktop, TrueCrypt
OS-Integrated Product(s):
BitLocker
Preferred Product(s):
Check Point Full Disk Encryption
- Email Encryption
Scenario:
Email-specific products integrate encryption into the email client, allowing messages and attachments to be sent in an encrypted form transparent to the user. This is most appropriate for departments whose users require frequent and regular encryption of email communications. Most departments can make use of a broader range of file/folder encryption products to encrypt individual files and folders.
Product(s):
PGP Desktop
- External Devices Encryption
Scenario:
External devices such as hard drives, DVDs, CDs and USB flash drives can be encrypted in their entirety. Data on these devices can be considered secure without access to the key and encryption software.
Product(s):
Cryptainer LE, PGP Desktop, TrueCrypt
- File Encryption
Scenario:
Individual or multiple files can be encrypted separately from the host operating system. These encrypted archives can be stored in different locations such as network shares or external hard drives, or be transmitted securely via email.
Product(s):
7-Zip, Cryptainer LE, Disk Images, EFS, FileVault, PGP Desktop, TrueCrypt, WinZip, WinSCP
OS-Integrated Product(s):
Disk Images, EFS, FileVault
- Folder Encryption
Scenario:
Folders containing data can be encrypted separately from the host operating system. These encrypted archives can be stored in different locations such as network shares or external hard drives, or be transmitted securely via email.
Product(s):
7-Zip, Cryptainer LE, Disk Images, EFS, FileVault, PGP Desktop, TrueCrypt
OS-Integrated Product(s):
Disk Images, EFS, FileVault
- Full Disk Encryption
Scenario:
Full disk encryption encrypts all data on a system, including files, folders and the operating system. This is most appropriate when the physical security of the system is not assured. Examples include traveling laptops or desktops that are not in a physically secured area.
Product(s):
BitLocker, Check Point Full Disk Encryption, PGP Desktop, TrueCrypt
Preferred Product(s):
Check Point Full Disk Encryption
- Mobile Device Encryption
Scenario:
Mobile devices such as PDAs and smartphones allow users to exchange, transfer and store information from outside of the office. The extreme portability of these devices renders them susceptible to theft or loss. ISS/C recommends the use of standardized devices such as laptops for storing, transmitting or processing Sensitive Data.
Product(s):
BlackBerry Content Protection, PointSec Mobile
- Transport-Level Encryption
Scenario:
Secure transport client/server products provide transport-level encryption to protect data in transit between the sender and recipient in order to ensure delivery without eavesdropping, interception or forgery. This scenario requires the appropriate configuration of a server in order to allow clients to connect in a secure manner.
Product(s):
FileZilla, PSFTP, SCP, WinSCP
Compliance:
All parties as delineated under Audience are required to comply with this policy no later than 180 days after approval (See "9. Date Effective or Suspended").
Individuals who discover or strongly suspect a violation of this policy or standards must promptly notify their management and/or any of the following:
- NUIT – IT Support Center: (847) 491-HELP (1-4357)
- NUIT – Network Operations Center/NNOC: (847) 467-NNOC (7-6662)
- E-mail: security@northwestern.edu or noc@northwestern.edu
- Ethics and Compliance
- Hotline: (866) 294-3545
- Website: http://www.northwestern.edu/ethics
Exception Process:
Contact the policy owner to request an exception to the policy.
Original Issue Date:
Revision Dates:
Last Updated: 13 March 2009

