Eight Layers of Security Every Computer Should Have
From using the latest version of your favorite browser to ensuring that your network has monitoring tools in place that send up red flags when they see unusual behaviors, be protected.
Encryption continues to be touted as a key technology for securing sensitive data, not only over encrypted connections such as VPNs but also in storage solutions, removable media and even email clients. With the addition of BitLocker in the Windows OS, encryption is available to most computer users, at least locally.
However, if your organization handles large volumes of sensitive data, you can't rely on local applications to safeguard your info. You need to implement an overall program of encryption for data, both when it is at rest and in transit.
The National Institute of Standards and Technology prepared the article "Encryption Basics" to address the concerns of health care organizations that have to cope with government regulations, such as HIPAA. But the six-page PDF, which is available free to IT Business Edge members here in the IT Downloads library, is an excellent resource for any IT department that wants to educate the rest of the business about the virtues, and complexities, of an overall encryption strategy.
The article then lists the common applications of encryption, including two-end systems like IPsec and end-to-end solutions like SSL and TLS, as well as email encryption protocols such as S/MIME.
The heart of the article spells out key issues when implementing any encryption system, regardless of specific protocols. The advice includes:
Use long cryptographic keys: The paper suggests a minimum of the 128-bit Advanced Encryption Standard, but you may well want to consider AES-192 for more complexity in generating your keys. The more bits, the harder the keys are to break.
Back up your keys in a really remote location: If a key gets corrupted during transmission, you need to have a backup so that you can decipher the information. But you must keep those backups as far out of harm's way as possible. Storing them on an entirely different network is not a bad idea, if you have the resources to do so.
Encrypt every copy of sensitive data: Most businesses understand the need to encrypt data while it is in transit (VPNs, etc.) and while it is at rest in a production environment. However, once data moves onto tape or other long-term archiving, encryption tends to be viewed as less of a priority. If the information was sensitive enough to encrypt while it was live, the archived copy should be encrypted too, or destroyed if it is no longer needed.
The article also has a tip on transporting keys to separate decoding entities and the best methods for randomly generating keys using a Deterministic Random Bit Generator (DRBG). It's a high-level look at the issues, but it also provides numerous citations to full NIST papers for technical folks who want to dig deeper.
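To make the key-length, key-backup and random-generation advice above concrete, here is an added example (not code from the NIST paper or the article) that draws AES keys from the operating system's CSPRNG with the 128-bit floor enforced, writes a backup record carrying a fingerprint, and falls back to the backup when the working copy of a key has been corrupted; the record format and function names are assumptions of this example.

```python
# Added example: AES key generation from the OS CSPRNG (Python's secrets module
# wraps the platform DRBG), the 128-bit minimum from the NIST paper, and a
# backup record with a SHA-256 fingerprint so a corrupted key is noticed before
# it is ever used to decrypt anything. Record format is this example's own.
import hashlib
import secrets
from typing import Dict

MIN_KEY_BITS = 128                  # the paper's floor: AES-128
AES_KEY_BITS = (128, 192, 256)      # the three AES key sizes; all meet the floor


def generate_aes_key(bits: int) -> bytes:
    """Return a fresh AES key of the requested size from the OS CSPRNG."""
    if bits not in AES_KEY_BITS:
        raise ValueError(f"AES keys are 128, 192 or 256 bits, not {bits}")
    return secrets.token_bytes(bits // 8)


def make_backup_record(key_id: str, key: bytes) -> Dict[str, str]:
    """Build the record to store off-site: key material plus its fingerprint.

    In a real deployment key_hex would be wrapped under a key-encryption key
    before leaving the system; that wrapping is omitted here for brevity.
    """
    return {
        "key_id": key_id,
        "key_hex": key.hex(),
        "sha256": hashlib.sha256(key).hexdigest(),
    }


def restore_key(record: Dict[str, str]) -> bytes:
    """Recover a key from a backup record, refusing one that fails its checksum."""
    key = bytes.fromhex(record["key_hex"])
    if hashlib.sha256(key).hexdigest() != record["sha256"]:
        raise ValueError(f"backup for {record['key_id']} is corrupted")
    if len(key) * 8 < MIN_KEY_BITS:     # e.g. a stale record holding an old short key
        raise ValueError(f"key {record['key_id']} is below the 128-bit minimum")
    return key


def pick_good_copy(working_key: bytes, backup: Dict[str, str]) -> bytes:
    """Use the working copy if it matches the backup fingerprint, else the backup."""
    if hashlib.sha256(working_key).hexdigest() == backup["sha256"]:
        return working_key
    return restore_key(backup)      # the working copy was corrupted in transit
```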