IT Security Topic — Encryption Scenarios

Last Updated: 10/19/2012

Notebook user

  • Risk: Private or restricted information is stored on a notebook computer which is lost or stolen.
  • Options:
    • Whole disk encryption provides protection from information disclosure on lost or stolen computers.
    • File and folder level encryption could also be used, but there remains some risk of sensitive information not being encrypted (for example temporary files, caches, swap space, or a copy saved outside the encrypted folder).  Proper protection requires good user education and a strong understanding of how the encryption software functions.

Removable media (e.g. USB thumbdrive)

  • Risk: Sensitive information is stored on a thumb drive, CD, backup tape, external hard drive, etc., which is lost or stolen.
  • Options: As with notebooks, whole disk encryption provides the broadest protection from information disclosure, but it is not applicable to all forms of removable media.  For items like tapes or CDs, it is more appropriate to encrypt information at the file or folder level before copying it to the tape or CD.  Choices will be heavily influenced by how the information will be read (e.g. is the data being sent to another person, and does that person have the same encryption software and a secure way to receive the key).

Email attachments

  • Risk: Sensitive information is sent as an email attachment that may be intercepted in transit or accidentally sent to unintended recipients.
  • Options:
    • Use an individual file encryption tool, either from an encryption program or an encryption feature integrated into the program that created the file, and give the recipient the password or key by a separate channel (never in the same email).
    • Use an email encryption program (e.g. S/MIME or PGP) that encrypts both the message and attachment.
      • Caveat: The subject line and message headers are not encrypted by these programs; keep sensitive details out of them.

File server

  • Risk: Sensitive information is stored on a server in a file that is shared amongst several colleagues.  Information may be disclosed at rest if the file server is accessed by an unauthorized user or in transit when opening the file on the client machine.
  • Options:
    • Use an individual file encryption tool, either from an encryption program or an encryption feature integrated into the program that created the file, and share the password or key with the other users.  With this approach, each file must be encrypted individually and may have different passwords/keys, and anyone who knows a password can pass it on.
      • Caveat: Be aware that sharing the password or key should be done over secure means as well (phone call or face-to-face communication, not over email).
    • Use a multi-user encryption program that uses asymmetric (public-key) encryption to encrypt the files.  Each user’s public key must be provided to the creator of the encrypted file to allow access to the other users; a user whose public key was not included cannot open the file even with full read access to the server.
      • Caveat:  Public keys must be securely and reliably distributed.  Verify a key's fingerprint out of band before using it: a substituted public key gives whoever holds the matching private key access to every file encrypted to it.
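
The multi-user option above, and the encrypted-attachment option under Email attachments, are normally built the same way: the file is encrypted once under a random content key, and that content key is wrapped under each recipient's public key.  The Go program below is an added example, not code from this page or from any particular encryption product.  The user names, the sample document and the SealedFile layout are constructed for the demonstration; the primitives (AES-256-GCM for the content, RSA-OAEP for key wrapping) are from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedFile is what is placed on the file server (assumed layout, not from the page):
// one AES-256-GCM ciphertext plus one copy of the content key per colleague.
type SealedFile struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(contentKey)
}

// Encrypt encrypts plaintext once under a fresh content key and wraps that key for every
// recipient. Only public keys are needed here; no private key leaves its owner.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*SealedFile, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sf := &SealedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		sf.WrappedKeys[name] = wrapped
	}
	return sf, nil
}

// Decrypt unwraps the content key with the caller's private key and opens the file. A caller
// with no wrapped key, or with the wrong private key for a name, fails at the unwrap step.
func Decrypt(sf *SealedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := sf.WrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("no content key wrapped for %s", name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %s: %w", name, err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
}

// Demo runs the scenario with constructed users: alice and bob are recipients, mallory is not.
// It returns what bob recovers, the error mallory gets, and any unexpected error.
func Demo() (recovered string, outsiderErr error, err error) {
	keys := map[string]*rsa.PrivateKey{}
	pubs := map[string]*rsa.PublicKey{}
	for _, name := range []string{"alice", "bob", "mallory"} {
		k, e := rsa.GenerateKey(rand.Reader, 2048)
		if e != nil {
			return "", nil, e
		}
		keys[name] = k
		if name != "mallory" { // mallory's public key is deliberately not supplied
			pubs[name] = &k.PublicKey
		}
	}
	sf, err := Encrypt([]byte("Q3 salary review - restricted"), pubs) // constructed sample document
	if err != nil {
		return "", nil, err
	}
	pt, err := Decrypt(sf, "bob", keys["bob"])
	if err != nil {
		return "", nil, err
	}
	// mallory can copy the sealed file off the server, but her key does not fit alice's slot.
	_, outsiderErr = Decrypt(sf, "alice", keys["mallory"])
	return string(pt), outsiderErr, nil
}

func main() { fmt.Println(Demo()) }
```

Adding a colleague later means wrapping the same content key under one more public key; removing one means re-encrypting under a new content key, since the old key may already have been unwrapped.  The caveat on key distribution applies to the pubs map: whoever fills it decides who can read the file.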

Database

  • Risk: Sensitive information stored in a database may be compromised by unauthorized access or the database file may be stolen.
  • Options:
    • Application level encryption operates on the information before putting it into the database, so the database and anyone who can query it only ever hold ciphertext; the key stays with the application.
      • Caveat: Requires more intelligence at the application level, but no additional database features.
      • Caveat: The database cannot index, sort or search an encrypted column, so choose which fields to encrypt carefully.
    • Database level encryption (e.g. transparent data encryption) operates on the entire contents written by the database to disk.  This protects a stolen database file, but not against anyone who can log in to the database, because the database decrypts transparently for every authorized session.
      • Caveat: Limited access control and auditing capabilities.
      • Caveat: Key management: the database key must be stored and backed up separately from the encrypted files it protects.
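
What application level encryption looks like in practice, as an added example that is not code from this page: the application encrypts a column value before the insert and decrypts it after the read, so the stored table holds only ciphertext.  The customers table, the ssn column, the sample rows and the in-memory Table standing in for the database are all constructed for the demonstration.  The example also goes one step beyond the text: it binds each ciphertext to its table, column and row with GCM associated data, so someone with direct access to the stored data cannot move an encrypted value from one row to another without the application noticing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Row is one record of a hypothetical customers table; the database only ever sees
// ciphertext in the ssn column, while name stays in clear so rows can be looked up.
type Row struct {
	ID   int
	Name string
	SSN  []byte // nonce || AES-256-GCM ciphertext, produced by the application
}

// Table stands in for the database so the example runs offline (constructed, not a real DB).
type Table map[int]*Row

// aad names the table, column and row a ciphertext belongs to; passed as GCM associated
// data it makes a ciphertext copied onto another row fail authentication.
func aad(id int) []byte { return []byte(fmt.Sprintf("customers.ssn:%d", id)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one value before it is handed to the database.
func EncryptField(key []byte, id int, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), aad(id)), nil // nonce is prepended
}

// DecryptField reverses EncryptField and rejects ciphertext not produced for this row.
func DecryptField(key []byte, id int, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("row %d: ciphertext too short", id)
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(id))
	if err != nil {
		return "", fmt.Errorf("row %d: %w", id, err)
	}
	return string(pt), nil
}

// Insert and ReadSSN are the only places the key is used; the database never sees it.
func Insert(t Table, key []byte, id int, name, ssn string) error {
	blob, err := EncryptField(key, id, ssn)
	if err != nil {
		return err
	}
	t[id] = &Row{ID: id, Name: name, SSN: blob}
	return nil
}

func ReadSSN(t Table, key []byte, id int) (string, error) {
	row, ok := t[id]
	if !ok {
		return "", fmt.Errorf("no row %d", id)
	}
	return DecryptField(key, id, row.SSN)
}

// Demo inserts two constructed rows, reads one back, then plays an attacker with direct access
// to the stored data who copies row 2's encrypted ssn onto row 1; the next read of row 1 must fail.
func Demo() (ssn string, swapErr error, err error) {
	key := make([]byte, 32) // held by the application (in practice a KMS/HSM), never stored in the database
	if _, err = rand.Read(key); err != nil {
		return "", nil, err
	}
	db := Table{}
	if err = Insert(db, key, 1, "Ann Example", "123-45-6789"); err != nil {
		return "", nil, err
	}
	if err = Insert(db, key, 2, "Bo Example", "987-65-4321"); err != nil {
		return "", nil, err
	}
	if ssn, err = ReadSSN(db, key, 1); err != nil {
		return "", nil, err
	}
	db[1].SSN = db[2].SSN // the attacker edits stored rows without ever holding the key
	_, swapErr = ReadSSN(db, key, 1)
	return ssn, swapErr, nil
}

func main() { fmt.Println(Demo()) }
```

Because every encryption uses a fresh random nonce, two rows holding the same number produce different ciphertexts, which is exactly why the database cannot index or search the column; an equality lookup needs a separate keyed hash (blind index) alongside the encrypted value.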

Instant messaging

  • Risk: Sensitive information may be transmitted in clear text across the network in an IM session.
  • Options:
    • Use an encryption program that encrypts your instant messaging session.  Some IM clients have this function built in, or there are third party applications that provide this functionality in a process called tunneling.
      • Caveat: Encryption that covers only the path between your client and a server (as a tunnel typically does) still lets the server operator read the messages; only end-to-end encryption between the two clients prevents that.

Online Transactions

  • Risk: Sensitive information may be transmitted in clear text when someone is making an online purchase or participating in a similar activity.
  • Options:
    • Be sure that the traffic is secured by https and that the certificate is valid: issued by a trusted certificate authority, for the site actually being visited, and not expired.  A browser certificate warning means one of these checks failed and should not be clicked through.
      • Caveat: Requires user education.
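
The "certificate is valid" check, as an added example that is not taken from this page: a private CA and a certificate for the constructed host name shop.example are created in-process, and the same verification routine is run with a trusted chain, an unknown issuer, a host name mismatch, and an expired certificate.  Go's crypto/x509 verifier does the work, as a browser would; the host names, CA name and validity periods are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with parentKey; with parent == nil it self-signs (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyShopCert is the browser-side check: the chain must end at a trusted root, the name
// must match the site being visited, and the time must fall inside the validity period.
func VerifyShopCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Outcome holds the result of the same check under four conditions (nil means accepted).
type Outcome struct {
	Trusted   error // right CA, right name, in date
	UnknownCA error // chain does not reach a trusted root (self-signed or attacker-issued)
	WrongName error // valid certificate, but issued for a different host
	Expired   error // checked after NotAfter
}

// Demo builds a constructed private CA and a certificate for shop.example, then runs the check.
func Demo() (Outcome, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Shop Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return Outcome{
		Trusted:   VerifyShopCert(leaf, trusted, "shop.example", now),
		UnknownCA: VerifyShopCert(leaf, x509.NewCertPool(), "shop.example", now), // CA not trusted
		WrongName: VerifyShopCert(leaf, trusted, "shop.example.evil", now),
		Expired:   VerifyShopCert(leaf, trusted, "shop.example", now.Add(91*24*time.Hour)),
	}, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("trusted: %v\nunknown CA: %v\nwrong name: %v\nexpired: %v\nerror: %v\n",
		o.Trusted, o.UnknownCA, o.WrongName, o.Expired, err)
}
```

Each of the three failing cases is what sits behind a browser certificate warning; only the first outcome should ever be accepted.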
