Five encryption tips from NIST
A variety of storage formats and devices, in addition to a variety of threats, makes selection of the proper encryption technique and technology necessary when locking down sensitive information.
There are a wide variety of encryption algorithms, techniques and products — and an equally wide variety of user devices and threats against them. So the National Institute of Standards and Technology has provided help in matching the proper cryptography to different devices and the threats they face. Special Publication 800-111, titled “Guide to Storage Encryption Technologies for End User Devices,” offers the following recommendations when selecting an encryption solution.
1. Consider solutions that use existing features and infrastructure of your information technology systems.
Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices. Some operating systems include encryption features approved under the Federal Information Processing Standard (FIPS). Generally, the more extensive the changes required to the infrastructure and devices, the more likely it is that the solution will interfere with functionality or create other problems with the devices. Compare loss of functionality with gains in security and decide if the trade-off is acceptable.
2. Use centralized management for all deployments of storage encryption except for stand-alone and very small-scale deployments.
Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It also can automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures.
3. Ensure that cryptographic keys are secured and managed properly.
Encryption technologies use one or more cryptographic keys to encrypt and decrypt data. If a key is lost or damaged, data stored on the computer could be lost, so you need to thoroughly plan key processes, procedures and technologies. This should include all aspects of key management, including key generation, use, storage, recovery and destruction. Consider how to support the recovery of encrypted data if a key is destroyed or becomes unavailable. Also consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed.
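The key-change problem described above, as an added example that is not from NIST SP 800-111 or this article: a small key ring that retains previous keys under a key ID stored with the data, so files written under an older key stay readable after rotation, while destroying a key makes its data unrecoverable. It assumes Ruby's bundled OpenSSL and a blob format (key ID, nonce, AES-256-GCM ciphertext and tag) constructed for this illustration.

```ruby
require 'openssl'
require 'securerandom'

# Key ring for storage encryption: the current key plus every retained previous key, indexed by a key ID that travels with the data.
class KeyRing
  attr_reader :current

  def initialize
    @keys = {}
    @current = 0
  end

  # Make a fresh random 256-bit key current; older keys stay retained.
  def rotate
    @current += 1
    @keys[@current] = SecureRandom.random_bytes(32)
    @current
  end

  # Drop a key for good; anything still encrypted under it becomes unrecoverable.
  def destroy(id)
    @keys.delete(id)
  end

  # Blob layout (constructed for this example): [key ID, 4-byte big-endian][nonce, 12][ciphertext][GCM tag, 16].
  # The key ID is bound as associated data, so a rewritten header fails authentication.
  def encrypt(plaintext)
    header = [@current].pack('N')
    nonce = SecureRandom.random_bytes(12)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @keys.fetch(@current)
    c.iv = nonce
    c.auth_data = header
    header + nonce + c.update(plaintext) + c.final + c.auth_tag
  end

  # Returns the plaintext, or nil when the key named in the header is no longer in
  # the ring; raises OpenSSL::Cipher::CipherError if the blob has been tampered with.
  def decrypt(blob)
    return nil if blob.bytesize < 32
    key = @keys[blob.byteslice(0, 4).unpack1('N')]
    return nil unless key
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = blob.byteslice(4, 12)
    c.auth_tag = blob.byteslice(-16, 16)
    c.auth_data = blob.byteslice(0, 4)
    c.update(blob.byteslice(16, blob.bytesize - 32)) + c.final
  end
end
```

In a real deployment the ring itself would live in the centrally managed key store from tip 2, and the retained keys would be wrapped and backed up there rather than held in memory.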
4. Select appropriate user authenticators.
Common authentication mechanisms include passwords or personal identification numbers, cryptographic tokens, biometrics and smart cards. Consider using existing enterprise authentication tools such as Active Directory or a public-key infrastructure instead of adding another authenticator for users. This is usually acceptable if two-factor authentication is already being used. Organizations should not use any passwords that are transmitted in plain text as single-factor authenticators for encryption.
5. Take steps that support and complement encryption implementations.
Storage encryption by itself cannot provide adequate security. Select additional controls based on the potential-impact categories that FIPS 199 assigns to a particular system in the event of a security breach, and on the minimum security controls recommended in NIST SP 800-53. Supporting controls include:
- Revising organizational policies to incorporate use of the storage encryption.
- Properly securing and maintaining user devices to reduce the risk of compromise, including securing operating systems, applications and communications, as well as physically securing devices.
- Making users aware of responsibilities for encrypting sensitive files, physically protecting devices and removable media, and promptly reporting loss or theft.