ENCRYPTION IMPLEMENTATION GUIDE


You’ve gone back and forth on encryption, its benefits and challenges, and you’ve made the decision: to keep your data truly safe, your organization needs encryption. So what now? You’ve got options available, but what is the best, safest way to implement encryption without disrupting your users’ workflow and effectiveness?

Step One:

Time to Start Thinking …

 

Let’s face it, every company is different, so it stands to reason that a data protection policy will vary from company to company. The data protection requirements of a small delivery company will be significantly different from those of a large multinational organization. But everyone is at risk of a data breach.

 

Data has value. Credit card details, medical histories, financial reports … It all can (and will) be stolen and sold. Data thieves have multiple options available to them: for example hacking, targeted attacks, and malware. At the same time, human error continues to be a major risk factor for causing data breaches, and can be just as hard to prevent as a malicious attack.

 

We are all human, and we all make mistakes. Who hasn’t accidentally emailed a file attachment to the wrong person, or left a phone or device behind at airport security? Phishing scams are successful at stealing someone’s credentials because we’re not totally vigilant all the time. Unfortunately, the tiniest slip-up can easily lead to a data breach. Most people know that it’s time to start looking into a solution to mitigate these risks and to solve these challenges. But, where do you begin?

Step Two:

Audit

 

Do you know where your data lives? In most companies, big or small, the answer is: everywhere, really. On your employees’ laptops and desktops, and increasingly on their smartphones and tablets as well. Employees are collaborating, both internally and externally, using cloud-based solutions like Dropbox and Box. Your employees like the ability to access data from everywhere, so that means your data flows everywhere—to every device that they use. And this is before we even consider the data that resides on your in-house company servers or in your cloud data centers.

 

When you’re planning your encryption strategy, look everywhere and consider how encryption will impact how your data is stored, accessed, and shared across all of these formats, devices, and platforms. This is a good time to look at internal or regulatory concerns. Does your industry have any specific data protection laws? What about state laws, or country laws? There are also laws such as the European General Data Protection Regulation (GDPR), which spans all member states of the European Union and applies to any company that holds information about European citizens. The better you understand the regulations and laws you must comply with, the better prepared you’ll be to devise your data protection plan.

What about when the unthinkable happens? What do you do if you discover a data breach, or unencrypted data leaves your organization at risk? You’ll need a solution that not only finds the culprit quickly, but also determines what data has escaped.

Key Questions

 

Overwhelmed? It’s understandable. Some consultants recommend workflow reorganization and multifaceted implementation plans before adopting encryption, but there are ways to implement it without forcing additional or unnecessary changes to your users’ workflow. Start by asking these five key questions about how your organization handles sensitive data:

  • How does data flow into an organization? (Is it created internally?)
  • How does data move out of an organization?
  • Where is the data stored?
  • Who has access to the data?
  • How do employees use data in their day-to-day jobs?
      a) What applications do they use to create or change content?
      b) But just as important, on what devices do they create or change content?

A couple of thoughts to help you along the way:

  • Many companies acknowledge that they don’t always secure proprietary and often unstructured data like purchase orders, invoices, or in the case of healthcare organizations, lab test results.
  • Organizations also have a responsibility to understand who has access to what data and why, and whether or not they can and should limit access to sensitive information. Let’s take an example: IT will need access to the HR network share in order to make sure it remains operational, backed up, and secure. Should IT staff be able to access the actual contents of HR’s documents, for example salaries and job performance documentation? Probably not. Multiple levels of access need to be considered.
  • Did you know that more than 72% of IT administrators don’t know the number of shadow IT applications their employees run (Cloud Security Alliance, 2015)? It’s an alarming statistic, but employees don’t have to give up their preferred cloud-based solutions if the appropriate encryption is in place.

The audit doesn’t need to be complicated. The table below provides a good jumping-off point for auditing the flow of data in your organization. Also think about other types of sensitive data that are specific to your organization and add them to the list.

Encryption Implementation Audit Table

Step Three:

Full Disk Encryption

 

Start with the basics: what happens if your device is lost or stolen? Full disk encryption, sometimes called device encryption, is particularly relevant with the increasing use of mobile devices for business. Most devices come with some sort of built-in protection in the operating system (Microsoft BitLocker in Windows and Apple FileVault in macOS).

 

But most businesses have some mixture of the two operating systems, four if you include iOS and Android for mobile and tablet devices. You’ll want a cross-platform solution that lets you centrally manage keys and recovery functions across platforms, while at the same time offering strong protection and access control for your encryption keys.


Full disk encryption is important, but it’s also limited in scope – it only protects the device in the case of loss or theft. More important is what it doesn’t do: full disk encryption does nothing in terms of data security for a running device, and does not protect against targeted attacks, hacking, data-stealing malware, other human error scenarios or other threats.

 

Why is this important? Data loss is a different problem than it was in the past. Research shows the most common cause of data breaches is hacking or malware. This is why we urge companies to simultaneously implement file encryption to run alongside full disk encryption.


Step Four:

File Encryption

 

There’s a temptation when setting up your file encryption process to overcomplicate things, picking and choosing what data is encrypted and how, and who can access what information. Some will argue that you should only protect what is important. But that is a part of the problem: if you only protect what is important, you have to identify what qualifies as important. And what happens when your rules for making that determination fail and leave you exposed to a data breach? We recommend beginning the process by encrypting by default. Assume all data created by your employees has value: it’s safest—and easiest—to protect everything. The trick here is to choose an encryption option that is transparent to the employee’s daily workflow.

 

Transparent means that in the majority of cases it doesn’t require a change in your users’ processes. It also means that they can access encrypted content on all the devices they use to perform their job. Encryption, after all, works best when users don’t realize it’s there. HTTPS is a great example of encryption providing protection with very little to no end user knowledge. Millions of users don’t realize that their browser has swapped from HTTP to HTTPS to protect their order or transaction – it simply works.

When looking to use file encryption, there are a few important choices to make at the beginning:

  • Location-based encryption vs. application-aware encryption
  • Key management: multiple-key vs. one organization key
  • What to encrypt initially

Location-based vs. application-aware

Location-based encryption, often called file and folder encryption, is based on which folders your end users are likely to store important documents in. The challenge with location-based encryption is that it requires your users:

  1. to strictly adhere to structured corporate procedures,
  2. to know and be able to identify what is important, and
  3. to know where they should store these files in order for them to be encrypted.

This opens you up significantly to human error. It requires a lot of employee education and compliance. Inevitably, users will fail to follow proper guidelines or procedures, and sensitive documents will end up unprotected.

 

In contrast, application-aware encryption—also known as “always-on encryption”—lets administrators define a list of trusted applications employees use to create materials. Only these applications have access to the key(s) needed to create encrypted files and access encrypted content. Wherever the trusted applications save a file, it will be encrypted. Location becomes irrelevant at that point, solving the problem of location-based encryption. Ideally the user never notices this process—the files are encrypted, but because they’re using the trusted application, files open and close without an issue. Application-aware encryption provides less chance of a user making an innocent mistake and accidentally leaving data exposed.

 

Multiple-key vs. one organization key

Key management can be one of the most complex parts of managing any encryption solution. Fortunately the level of complexity is fully in your control. Again, we recommend beginning simply and adding complexity as needed. By starting with one shared organization key, you begin your encryption process transparently. Internal collaboration is simple, and external collaboration can be easily controlled.

 

From there, though, there are definitely reasons you might want to assign special keys (or group keys) to select groups. Industry regulations mandate access control based on users’ roles and responsibilities, such as finance or HR departments, which have access to confidential organizational and personal information. A good analogy is ensuring everyone has access to your house, but limiting access to the family safe.

 

IT administrators can quickly get bogged down with too many group keys, so use them sparingly. Remember, if you start with “always-on encryption” and one organization key, you can revisit the model and add layers later.

 

What to encrypt initially?

The simplest approach is, as noted earlier, a “day forward” approach; that is, each time an employee creates or modifies an existing document it will be automatically encrypted. For many organizations, there’s no real need to go back and encrypt older documents. If a user updates an older document, the new version will be automatically encrypted. The right encryption solution will, however, give you the tools you need to encrypt older files and documents if you choose, such as encrypting all existing files by extension (.doc, .xls, etc.).
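
The location-based weakness described above (documents saved outside the designated folders stay unprotected) and the option of encrypting existing files by extension can both be measured before rollout. The following is an added example, not part of the original guide or of any vendor's product: a small audit that walks a directory tree, separates documents inside the encrypted folders from those outside, and counts the unprotected backlog per extension. The folder names, the extension list, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for illustration (not from the guide): the extension list and
# the folder names that the location-based policy encrypts.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}
PROTECTED_DIRS = ["HR", "Finance"]

def audit_tree(root, protected_dirs=PROTECTED_DIRS, extensions=DOC_EXTENSIONS):
    """Return (covered, exposed): documents inside / outside encrypted folders."""
    root = Path(root).resolve()
    protected = {root / d for d in protected_dirs}
    covered, exposed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() not in extensions:
                continue
            # Compare whole path components, so "Finance-drafts" is not
            # mistaken for a subfolder of "Finance".
            in_scope = any(p in path.parents for p in protected)
            rel = path.relative_to(root).as_posix()
            (covered if in_scope else exposed).append(rel)
    return sorted(covered), sorted(exposed)

def backlog_by_extension(paths):
    """Count exposed files per extension to size a retroactive encryption job."""
    return dict(Counter(Path(p).suffix.lower() for p in paths))

def build_sample_tree(base):
    """Create a small constructed directory tree (empty files) for the demo."""
    for rel in ["HR/salaries.xls", "Finance/q3/report.XLSX",
                "Finance-drafts/budget.xls", "Desktop/offer-letter.doc",
                "Desktop/notes.txt"]:
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        covered, exposed = audit_tree(tmp)
        print("covered:", covered)
        print("exposed:", exposed)
        print("backlog:", backlog_by_extension(exposed))
```

Documents listed as exposed are the ones a location-based policy would miss; the per-extension count shows how large a retroactive encryption pass would be.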

Step Five:

Employee Education

 

Using an “always-on” approach to encryption will simplify encryption on the end user’s behalf, but employees will still need to be educated on your encryption process, the importance of data security, and their role in protecting your sensitive information. In some cases, this is demanded by regulation or law. In particular, you’ll want to make sure they understand their obligations and what is expected of them when handling personal and company data. They should also understand exceptions to your encryption policies—specifically, when dealing with external contacts.

 

Encrypting by default means external contacts won’t be able to view documents created by your users without decrypting them first. The right solution, however, will make decryption easy. If a document—be it a marketing brochure, a whitepaper, or a press release—is determined to be public information, the user should be able to decrypt it with a one-click process. This is a conscious action on the user’s part, and it is a logged event that leaves an audit trail for the IT administrator.

 

There’s another layer of protection you’ll want to consider: sharing confidential data with an external party in a secure manner that is still accessible to them. This generally means a password-protected file. You’ll want to have the option to create password-protected files to share with external contacts. Not only does it protect your data, it also tells those external parties that you take security seriously.


Step Six:

Choosing the Right Solution

 

There are several encryption programs on the market, but you’ll want to consider closely what you need from the solution you choose before signing on—not just your needs today, but for the future as well.

 

Things to consider:

  • Does the solution work cross-platform and on multiple devices such as Windows, macOS, iOS, and Android?
  • Does the software have centralized management and control?
  • Does it allow for “application-aware” and “always-on” encryption?
  • Where does the solution protect data—in the cloud, on-premise, and on all devices?
  • How complicated is it to share encrypted content with external users?
  • What impact will it have on users’ behavior and workflow?
  • Does it provide you with strong key management?
  • What is its backup and recovery mechanism for encryption keys to prevent you from losing access to encrypted information?

Based on a Sophos Whitepaper