Discussion of encryption use in the near future
Areas Considered
Storage Security
Trusted
Storage systems we generally consider trusted enough that users do not have to worry about encrypting confidential data stored on them. The managers of these systems may well be using encryption themselves (e.g. encrypted backups), but that is not a concern of the users. Some particularly sensitive data (e.g. master password files) may still need to be encrypted by the user.
- NAS
- Departmental file servers
- Departmental backup systems.
Undetermined
Untrusted
Things a user may carry around and on which confidential data should not be stored without encryption.
- Laptops
- USB Keys
- Other removable media a person carries around.
Mail
Files
- Sent as attachments
- Until a formal PKI solution is in place (S/MIME or OpenPGP), OpenPGP symmetric encryption could be used by departments and individuals to encrypt email attachments. An example process:
- A department encrypts a sensitive document.
- The encrypted doc is attached to an email message and sent to the recipients.
- The department then phones the recipients with the pass phrase.
This solution requires OpenPGP-compliant software on both ends of the transmission. GnuPG is just that: GPL'ed software available for nearly all platforms at no cost. It is not considered 'user friendly' software, as it can be used in drastically different cryptographic environments and is mostly used for PKI (public key / private key) encryption. However, front ends are available, and a well-documented API makes writing purpose-built front ends rather easy. This example was written in about thirty minutes. Symmetric encryption would be an easy solution to begin with, and GnuPG can grow with the users as they come to better understand PKI. It is also much less hierarchical than S/MIME (OpenPGP is very decentralized in comparison: no CAs).
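The department-side encrypt and recipient-side decrypt steps of the process above, scripted with GnuPG as an added example (not part of the original document). It assumes gpg 2.1 or later is on PATH; the file names, contents and pass phrases are constructed.

```shell
# Added example: OpenPGP symmetric encryption of an attachment with GnuPG.
# Assumes gpg 2.1+ (for --pinentry-mode loopback). All values are constructed.

# Encrypt FILE to FILE.gpg. The pass phrase is read from stdin (fd 0) so it
# never appears on the command line, in `ps` output, or in shell history.
encrypt_attachment() {
    file="$1"
    printf '%s' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --cipher-algo AES256 \
        --output "$file.gpg" "$file"
}

# Decrypt ENCRYPTED ($1) to OUT ($2) with the pass phrase ($3) read from stdin.
decrypt_attachment() {
    printf '%s' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --output "$2" --decrypt "$1"
}

# Returns 0 when a constructed document survives the round trip unchanged
# and a wrong pass phrase is rejected; returns 1 otherwise.
roundtrip_check() {
    dir=$(mktemp -d)
    # Isolated keyring so the check never touches the user's ~/.gnupg.
    GNUPGHOME="$dir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    printf 'Constructed sample: quarterly salary review\n' > "$dir/report.txt"
    pass='correct horse battery staple'   # constructed; phoned to the recipient

    encrypt_attachment "$dir/report.txt" "$pass" || return 1
    decrypt_attachment "$dir/report.txt.gpg" "$dir/received.txt" "$pass" || return 1
    cmp -s "$dir/report.txt" "$dir/received.txt" || return 1

    # The wrong pass phrase must fail outright, not yield a garbage file.
    if decrypt_attachment "$dir/report.txt.gpg" "$dir/bad.txt" 'wrong' 2>/dev/null; then
        return 1
    fi

    rm -rf "$dir"
    return 0
}
```

The `.gpg` file is what gets attached to the mail; the pass phrase travels out of band, by phone, exactly as the process above describes.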
Tools
S/MIME
Encryption Later
Large-scale projects in progress.
- More complete deployment of security devices to all employees.
- Security Task Force: Data At Rest