When it comes to encryption and compliance, there are about as many different interpretations and opinions as there are people offering them.
Although I know of no law that explicitly requires organizations to use encryption, I've seen many security vendors hawking their encryption products with exactly that claim. There are, however, many data protection laws that direct organizations to use encryption based on the results of a risk analysis.
Encryption supports the confidentiality and integrity requirements that are part of many laws. This is a subtle but important difference about which business leaders -- as well as IT professionals who have to support such technology -- should be aware.
It is also important to know that encryption is a significant factor within most -- but not all -- U.S. data breach response laws. In many states, if the personally identifiable information, or PII, stored on compromised computers or storage devices is encrypted, then organizations do not have to notify the individuals connected to the PII. This type of "safe harbor" is a great motivator for business leaders to encrypt PII.
To begin, you have to know when, where and for which files you'll have to use encryption, and that depends on the results of your own risk analysis for PII and other confidential data in your organization. Encryption provides just one of many layers of protection that ensure the confidentiality and integrity of PII.
For example, many healthcare providers have determined that they must encrypt all email messages to meet HIPAA requirements because of the risk they assume when emailing personal information. Many organizations have chosen PGP-based products to encrypt such messages, citing that recipients do not have to purchase or download anything to decrypt them. That holds for gateway products that deliver the message through a secure web page or a self-decrypting attachment; a recipient of a standard OpenPGP-encrypted message still needs OpenPGP-compatible software and a key pair. Those who want specialized email encryption tools can choose from a range of available products.
A number of healthcare organizations have even realized unexpected benefits of using encryption. It has allowed many of them to expand how they use email to communicate information to patients.
Implementing effective encryption
When discussing encryption with business leaders and the departments that handle sensitive data, you will need to accurately describe the risks to that data based on the results of your risk analysis. Then you'll have to clearly communicate to them what realistic options exist to protect sensitive data and PII. Encryption will be one of these options. In terms they can understand, explain what is possible as well as what is not feasible among encryption choices.
Make sure you describe how encryption can be used within your organization to protect sensitive data while it is being collected, stored, used, processed and transferred between servers and sites.
Here are some guidelines that tell you when encryption will typically be necessary to mitigate identified risks within a Windows environment:
Encrypt sensitive data and PII in storage, specifically on mobile storage devices.
Encrypt sensitive data and PII when moving data through networks.
Use public key encryption, known as PKE (in practice, TLS for web collection and server-to-server transfer), when collecting PII from -- or transferring PII between -- sites and servers on public networks, such as the Internet.
Encrypt log files that need confidentiality preserved, which you've determined through your risk analysis assessments. Keep in mind that encryption by itself only hides the contents; if the log must also be protected against undetected modification, add a message authentication code or digital signature over the file (or use an authenticated-encryption mode). Some possibilities within a Windows server include:
- Account logon and logoff events
- Account management events, such as:
  - Creating a user account
  - Adding a user to a group
  - Renaming a user account
  - Changing a password for a user account
- Directory service access
- Object access
- Policy changes
- Privilege use activities
- Process tracking
- System events related to a computer restarting or being shut down
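The following PowerShell script is an added example, not code from the original article, showing one way to carry out the guideline above: export the listed Security-log event categories, protect the export's integrity with an HMAC, and encrypt it to an auditor's public key with the built-in CMS cmdlets. It assumes PowerShell 5.1 or later, a certificate with the Document Encryption key usage in the local store, and the right to read the Security log. The event-ID mapping is a constructed table of the standard Windows Security log IDs; the certificate subject, output path and HMAC key handling are placeholders you would replace with your own.

```powershell
# Added example (not from the original article). Assumes PowerShell 5.1+ on a
# Windows server where the caller holds "Manage auditing and security log".
# Certificate subject, output paths and the HMAC key source are placeholders.

# Security log event IDs for the audit categories listed above (constructed
# mapping using the standard Windows Server 2008+ Security log IDs).
$AuditEvents = @{
    'Logon'                             = 4624
    'Logoff'                            = 4634
    'User account created'              = 4720
    'Password reset attempted'          = 4724
    'Member added to global group'      = 4728
    'Account renamed'                   = 4781
    'Directory service object access'   = 4662
    'Object access'                     = 4663
    'Audit policy changed'              = 4719
    'Privileged service called'         = 4673
    'New process created'               = 4688
    'System starting up'                = 4608
    'System shutting down'              = 4609
}

function Export-AuditEvents {
    param(
        [int[]]$EventId,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$OutFile
    )
    # Get-WinEvent with a filter hashtable reads the Security log directly.
    # With no matching events it raises a non-terminating error, so suppress it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $EventId; StartTime = $Since
    } -ErrorAction SilentlyContinue
    $events | Select-Object TimeCreated, Id, MachineName, Message |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $OutFile
}

function Get-HmacTag {
    param([string]$Text, [byte[]]$Key)
    # HMAC-SHA256 over the UTF-8 bytes of the export text; returned as Base64.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try   { return [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))) }
    finally { $hmac.Dispose() }
}

function Protect-AuditExport {
    param(
        [string]$Path,
        [string]$RecipientCert,   # subject name, thumbprint or .cer path of a Document Encryption cert
        [byte[]]$HmacKey
    )
    $text = Get-Content -Path $Path -Raw

    # Integrity: the tag is computed over exactly the text that gets encrypted,
    # and is checked again after decryption. Encryption alone would not detect
    # a modified export.
    Set-Content -Path "${Path}.hmac" -Value (Get-HmacTag -Text $text -Key $HmacKey) -Encoding ASCII

    # Confidentiality: CMS (PKCS #7 EnvelopedData) to the recipient's public key.
    # Only the holder of the matching private key can run Unprotect-CmsMessage.
    Protect-CmsMessage -Content $text -To $RecipientCert -OutFile "${Path}.cms"

    Remove-Item -Path $Path    # do not leave the cleartext export behind
    return "${Path}.cms"
}

function Test-AuditExport {
    param([string]$CmsPath, [string]$HmacPath, [byte[]]$HmacKey)
    # Decrypt (requires the recipient's private key in the certificate store),
    # then verify the HMAC before trusting the contents.
    $text     = Unprotect-CmsMessage -Path $CmsPath
    $expected = (Get-Content -Path $HmacPath -Raw).Trim()
    if ((Get-HmacTag -Text $text -Key $HmacKey) -ne $expected) {
        throw "Integrity check failed for $CmsPath"
    }
    return $text
}

# Usage (placeholder values). The 32-byte HMAC key is generated here for the
# example; in practice it is issued and stored under your key-management procedures.
$hmacKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($hmacKey)

$export = Export-AuditEvents -EventId ([int[]]$AuditEvents.Values) `
                             -Since (Get-Date).AddDays(-7) `
                             -OutFile 'C:\AuditExports\security-events.csv'
$sealed = Protect-AuditExport -Path $export -RecipientCert 'CN=Audit Log Recipient' -HmacKey $hmacKey
# Later, on the auditor's workstation:
# $csv = Test-AuditExport -CmsPath $sealed -HmacPath "$export.hmac" -HmacKey $hmacKey
```

Two design points are worth noting. The export is encrypted with the `-Content` string rather than with `-Path`, so the bytes the HMAC covers are exactly the bytes that are sealed and later returned by Unprotect-CmsMessage; that avoids encoding round-trip surprises. And the HMAC key is a second secret with its own lifecycle: whoever verifies the export needs it, so it has to be distributed, stored and retired under the same key-management procedures that govern the recipient's certificate.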
Key for Windows is key management
After you have made the decision to use encryption, you need to address key management. When auditors and regulators learn that you are using encryption, they will look for how you've addressed the following issues with documented procedures and supporting technologies in place:
- User registration processes
- System and user initialization
- Keying material installation
- Tests prior to operational use for keying material
- Key establishment
- Key registration
- Operational use
- Storing and archiving keying material
- Key update
- Key recovery
- Key de-registration and destruction
- Key revocation
Here's something else for Windows administrators to keep in mind: As long as you use only one method or vendor product to encrypt data, the keys for decryption will be relatively easy to manage. However, as more encryption methods and products are used -- each with their own key management system -- key management will become much more complex and difficult.
The U.S. National Institute of Standards and Technology, or NIST, has a great resource, called Recommendation for Key Management (Special Publication 800-57). It gives sound advice, describes the critical issues and provides details to incorporate into your organization's documentation and procedures.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in April 2008