Week 10, November 6, 2015
NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”
Threats are unavoidable, but they can be minimized. There are many threats to the confidentiality of information stored on end user devices; some are unintentional and some are intentional. Unintentional threats are caused by human error, whereas intentional threats are more serious and are driven by different motives. Intentional threats can cause mischief and disruption and can lead to identity theft and other fraud. Threats take many forms, such as internal, when an employee misuses his or her position to access critical information, and external, when someone remotely accesses a system or device and attempts to reach the critical information stored on it, which could jeopardize the confidentiality of the organization. (NIST, 2011)
Securing critical information and the components of end user devices is therefore essential, and it requires additional measures to protect against threats from unauthorized users or parties. This publication provides recommendations for storage encryption; the security controls that allow only authorized users or parties to access sensitive information stored on end user devices are encryption and authentication.
1. When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.
Some encryption solutions require you to deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices or built into them, such as Federal Information Processing Standard (FIPS) functionality (Jackson, 2009). The more extensive the changes a storage encryption solution requires to the infrastructure and devices, the more likely it is to cause a loss of functionality or other problems with the devices. Therefore, organizations should weigh the loss of functionality against the gains in security and decide whether the trade-off is acceptable; such a solution should be used only when other solutions cannot meet the organization’s needs. (NIST, 2011)
2. Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.
Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It can also automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. (NIST, 2011)
3. Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.
Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data that they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer, so key management must cover the whole key lifecycle: generation, use, storage, recovery, and destruction. Organizations therefore need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). They should also consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed. (Jackson, 2009)
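The key lifecycle concern in this recommendation, as an added example that is not from the NIST publication or the GCN article: a Go model of a key-encryption key (KEK) ring that wraps each volume's data-encryption key (DEK) with AES-256-GCM, so that rotating the KEK retains earlier versions, removable media wrapped under an old version stays readable, and destroying a version makes its data unrecoverable. KeyRing, WrappedDEK and their methods are this example's own names, not a real product's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// WrappedDEK is the volume-header record: KEK version used plus AES-256-GCM output.
type WrappedDEK struct {
	Version     int
	Nonce, Blob []byte
}
// KeyRing is the central key store (this example's own design): keks[i] is
// key-encryption key (KEK) version i, the last is current, nil means destroyed.
type KeyRing struct{ keks [][]byte }
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid for AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Rotate adds a fresh KEK but keeps the old ones: NIST's "retain previous keys".
func (r *KeyRing) Rotate() error {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	r.keks = append(r.keks, kek)
	return err
}
// Wrap protects a data-encryption key (DEK) under the current KEK. Volume data is
// never touched, so rotating the KEK never means re-encrypting a disk or USB drive.
func (r *KeyRing) Wrap(dek []byte) (WrappedDEK, error) {
	v := len(r.keks) - 1
	if v < 0 || r.keks[v] == nil {
		return WrappedDEK{}, errors.New("no usable current KEK: call Rotate first")
	}
	gcm := gcmFor(r.keks[v])
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	return WrappedDEK{v, nonce, gcm.Seal(nil, nonce, dek, nil)}, err
}
// Unwrap needs the exact KEK version in the header; a destroyed version means
// the DEK, and every byte it ever encrypted, is unrecoverable.
func (r *KeyRing) Unwrap(w WrappedDEK) ([]byte, error) {
	if w.Version < 0 || w.Version >= len(r.keks) || r.keks[w.Version] == nil {
		return nil, errors.New("KEK version destroyed: data unrecoverable")
	}
	return gcmFor(r.keks[w.Version]).Open(nil, w.Nonce, w.Blob, nil)
}
// Destroy retires a KEK version; rewrap anything that still depends on it first.
func (r *KeyRing) Destroy(version int) { r.keks[version] = nil }
```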
4. Organizations should select appropriate user authenticators for storage encryption solutions.
Storage encryption solutions require users to authenticate successfully, using authenticators such as passwords, personal identification numbers, cryptographic tokens, biometrics, and smart cards, before they can access the encrypted information (NIST, 2011). Organizations should consider using existing enterprise authentication tools, such as Active Directory or a public-key infrastructure, instead of adding another authenticator for users. This is usually acceptable if two-factor authentication is already in use. Organizations should not use passwords that are transmitted in plain text as single-factor authenticators for encryption. (Jackson, 2009)
5. Organizations should implement measures that support and complement storage encryption implementations for end user devices.
Storage encryption alone will sometimes not provide adequate security for stored information, so organizations should select additional security controls based on the categories for the potential impact of a security breach on a particular system outlined in FIPS 199, with NIST SP 800-53 recommending the minimum security controls. (NIST, 2011)
Supporting controls include:
· Revising organizational policies as needed to incorporate appropriate usage of the storage encryption solution.
· Securing and maintaining end user devices properly, which should reduce the risk of compromise or misuse. This includes securing device operating systems, applications, and communications, and physically securing devices.
· Making users aware of their responsibilities for storage encryption, such as encrypting sensitive files, physically protecting mobile devices and removable media, and promptly reporting loss or theft of devices and media. (NIST, 2011)
References:
· NIST. 2011. “Guide to Storage Encryption Technologies for End User Devices”, NIST SP 800-111, November 2007. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
· Jackson, William. 2009. “Five Encryption Tips from NIST”, GCN.com, April 15, 2009. Retrieved from: https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx