What is Encryption?
The most reliable way to protect confidential or sensitive data is to avoid handling sensitive data. Sensitive data should be retained or handled only when required.
Encryption can be an effective information protection control when it is necessary to possess confidential data.
Encryption is the process of concealing data by using a code. After encryption, in order to read or use the concealed data, the code used during encryption must be known. This process is called decryption. Encryption and decryption are used to allow access to data only to those who have the code. To those who do not have the code, the data is unusable.
In computing, encryption is primarily used to protect data in one of two instances. The first is to protect data at rest. An example of data at rest is a spreadsheet with data located on the hard drive of a desktop or laptop computer. The second is to protect data in motion. An example of data in motion is using a web browser to get data from a remote server.
Methods for encrypting data at rest
Whole Disk Encryption
Encryption of data stored on portable computing devices (e.g., PDAs, tablet PCs, laptops, and smart phones), as well as storage media, (e.g., CDs, DVDs, and USB drives) should be provided through the use of a whole disk encryption tool or one that can at least be configured to encrypt all Confidential data.
File Encryption – File by File
Encryption of Confidential data should be provided to facilitate the secure transport of individual files over a network without transmission encryption or to off-line storage devices (e.g., CDs, DVDs, or USB drives.)
Encryption of Confidential data contained in a database server should be provided through the use of whole disk encryption or through features native to the database server software. Encryption capabilities native to database server software may allow for encryption of specific tables or columns of a database and may also be required to segregate access rights among multiple applications that utilize a single database server.
Methods for encrypting data in motion
Encryption of Confidential file transfers can be achieved via the use of an encrypted transmission protocol or network service (e.g., scp, sftp, etc) or by transferring a confidential file that has been encrypted prior to the transmission.
Confidential content transmitted in e-mail messages should be encrypted prior to the transmission, presented via a secure web application, or encrypted in a secure message format, given e-mail is exposed to the possibility of unauthorized access at a number of points throughout the delivery process.
Encryption of Confidential data, including login passwords, transmitted during remote login sessions (e.g., Telnet, TN3270, and remote control software for PCs) should be provided through the use of secure applications or protocols.
Encryption of Confidential data communicated between a user's browser and a web-based application should be provided through the use of secure protocols (e.g., HTTPS, TLS/SSL, etc.) The display of confidential data should be limited to only what is required by the user's authorized use of the application.
Remote File Services
Encryption of Confidential data transmitted by remote files services should be provided through the use of encrypted transmission protocols (e.g., IPSec, ISAKMP/IKE, SSL/TLS) to prevent unauthorized interception.
Encryption of Confidential data transmitted between an application server and a database should be implemented to prevent unauthorized interception. Such encryption capabilities are generally provided as part of, or an option to, the database server software.
Encryption of Confidential data transmitted between cooperating applications should be provided through the use of commonly available encrypted protocols (e.g., SOAP with HTTPS) to prevent unauthorized interception.
Virtual Private Network (VPN)
A VPN connection offers an additional option to protecting confidential data transmitted via the network when other alternatives are not feasible. The use of VPNs should be carefully considered so that all security and networking issues are understood. ITS-Telecommunications and Networking staff should be consulted prior to any VPN implementations.
Encryption Use-Cases and suggested tools for securing data
How do I protect my data stored on my laptop against possible theft?
Whole Disk Encryption / Full Disk Encryption (FDE) - should be used to protect against theft. If your desktop or laptop should be stolen or misplaced, the computers data will not be accessible. This protects the individuals who may have their sensitive information stored on your computer system, and protects the University by ensuring sensitive and confidential data are not released to unauthorized personnel.
Examples of tools that can be used for FDE
- Mac OS X via FileVault 2
- Microsoft Windows – Bitlocker
- WinMagic SecureDoc (UCI OIT )
How do I encrypt my data for compliance?
Although there are many distinct types of data of importance to regulators, most of them fall into several broad categories and each may have specific compliance requirements:
Financial data: The types of financial data are numerous, but commonly include credit card account numbers and tracking data, bank account numbers and associated financial information, and a variety of credit-related data on individuals and businesses. Several regulatory standards, particularly Sarbanes-Oxley in the Unites States, are concerned with reporting financial data for public companies.
Personal health data: Sensitive patient health data can include insurance-related data, actual medical information, and personal data about patients, such as social security numbers, addresses, and other sensitive information, which should not be publicly available.
Private individual data: Such data includes social security numbers, addresses and phone numbers, and other personally-identifiable data that could potentially be used for identity theft and other illicit activity.
Military and government data: Data specific to government programs, particularly those related to military departments and operations is carefully regulated.
Confidential/sensitive business data: Data that has to be kept secret including trade secrets, research and business intelligence data, management reports, customer information, sales data, etc. falls into this category.
FIPS Compliant software for Whole Disk Encryption / Full Disk Encryption (FDE)
- Windows Bitlocker FIPS Mode
- WinMagic SecureDoc Software encryption
How do I protect the data on my USB thumb drive?
In order to encrypt the USB or container we need to start off with a blank USB drive to ensure that ALL files going forward are encrypted. After we encrypt the drive you can then move the unprotected data to the newly encrypted USB drive to protect the files going forward.
- Mac Users: Finder Can Encrypt it For You
- Open the Disk Utility app, select your USB drive, and pick Erase. Choose the MacOS Extended (Journaled) format and erase the drive, formatting it with the proper filesystem.
- Windows Users: Try BitLocker or Veracrypt
- Windows features its own built-in file encryption software, dubbed BitLocker and Bitlocker-to-Go it’s found in Pro, Ultimate, or Enterprise versions of Windows 8 and onward.
I create or work with confidential files and save these files on my department shared drive or server repository. How do I encrypt the files stored on these department shared network drives?
Secure File/Folder share encryption (SFS) - should be used to protect against unauthorized read access to a file stored on a department network share drive. The Folder encryption allows users to move or save files in specific folders where they are automatically encrypted
- Check with your Server Administrator as there are multiple ways and requirements in order to secure that data. Securing data either by the entire volume or individually are two methods of protecting the data but have different requirements and fulfill different protection gaps.
- Folder/file encryption requires an additional mechanism in order to support provisioning of the encryption keys to “unlock” the file and be able to read these files.