Encryption: Ensuring Information Security Colin Chisholm CISSP, GCIH Information Security Analyst Associate Information Security & Systems / Compliance cchisholm@northwestern.edu
Agenda Encryption - Explanation & History Goals Data Encryption Policy Encryption Scenarios Steps Toward Compliance Takeaways Q & A
What is Cryptography? Cryptography is the practice of protecting written secrets Encryption is the process of transforming information into an unreadable form
Looking Back Historically, cryptography has been the domain of entities such as governments, corporations and banks Data + Resources + Motivation = Encryption Exponential increases in computing power and the development of the personal computer industry have leveled the playing field Strong crypto is now available to all
Today The information age has introduced a vast increase in the amount of data generated daily. More data in more places Common data types include email, documents, spreadsheets, address books, calendars, photos, music, videos Common data locations include desktops, laptops, cell phones, smart phones, PDAs, USB sticks, external hard drives, gaming consoles, digital video recorders Data has become ubiquitous and commonplace.
Encryption Goals Confidentiality Keeping information secret from those who are not authorized to have it Integrity Preventing data from being altered in unexpected ways
Encryption Goals Loss prevention Intellectual property, research, personally identifiable information, HR records, financial information Regulations and compliance requirements to report loss Intangible losses can result from media exposure of data including loss of prestige and reputation
Policy Statement "Schools, departments and business functions are required to employ University-approved encryption solutions to preserve the confidentiality and integrity of, and control accessibility to, University data classified as Legally/Contractually Restricted where this data is processed, stored or transmitted using University-approved systems"
Policy Implementation Data Encryption Policy is available at: www.it.northwestern.edu/policies/dataencryption.html Policy was published October, 2008 Compliance is required by April, 2009 ISS/C is available as a resource for consultation at any stage of the deployment of an encryption solution
Considerations University departments have differing resources (technical staff, budget, etc) Encryption solutions have been selected ranging from commercial to freeware solutions The cost of the encryption technologies and associated controls should be commensurate with the sensitivity and value of the data to be protected
Out of Scope Servers, databases, network infrastructure systems Unix/Linux operating systems (OS X excepted) Student population Student systems are not University property. Students with access to sensitive data should be using University resources which fall under this policy
In Scope Applies to commonly used user-level systems Hardware focus on laptops, desktops, PDAs Operating System focus on Windows, Macintosh and select PDA systems Faculty, Staff, contractors, vendors and others (including 3rd parties) entrusted with University sensitive data
Preferred Solutions OS-Native Solutions BitLocker (Windows Vista) EFS (Windows 2000 & XP) FileVault & Disk Images (OS X) Mobile Device Encryption PointSec Mobile (Palm, Windows Mobile, Symbian) Full Disk Encryption CheckPoint Full Disk Encryption, TrueCrypt (Windows) PGP Desktop (Windows and OS X)
Key Strength The complexity and strength of the key is essential to assuring the protection of data The strongest encryption algorithm can be easily defeated by the use of a weak key NUIT Passphrase / Password Guide www.it.northwestern.edu/netid/password.html
Physical Security Physical security is vital to information security Controls implemented to protect data are weakened or eliminated with the loss of physical security Physical components to information security include hard drives, memory, backup tapes, CDs, DVDs, networking cable, servers, infrastructure equipment, paperwork, filing cabinets, and offices
Encryption Scenarios Boot Disk / Full Disk Encryption File / Folder / External Device Encryption Mobile Device Encryption Transport Level Encryption
Security as a Process Security is a process, not a product Information systems and the environments they operate in are dynamic Changes in technology, data, users and goals over time affect system security Systems, data, users and policies should be periodically reviewed with regard to information security
Home vs Office University-approved systems may include home machines used to access the NU network Don't store sensitive information on your home machine (e-mails, spreadsheets, documents, etc) VPN (Virtual Private Network) should always be used when connecting to NU from off-site Use encryption products where appropriate
Steps Toward Compliance 1. Data Classification 2. Solution Selection & Implementation 3. Encryption Keys 3.1. Key Creation 3.2. Key Management 3.3. Key Recovery Planning
Takeaways Security is a process, not a product Eliminate sensitive data from portable systems Physical security is king Encryption is a limited solution, not a silver bullet Combine encryption types to provide defense in depth Strong keys (passwords / passphrases)
Q & A