The importance of encryption in your environment

Encryption of information at rest and in transit is a control not only in ISO27001 but also in PCI-DSS. It is vital to ensuring that, if there is a compromise, the attacker cannot easily decipher your confidential information, be it credit card information, staff salaries or similar.

A policy that guides your teams on when and how to set up encryption reduces your risk, as does effective key management that prevents unauthorized persons from decrypting the data.

Security category – 10.1. Cryptographic controls

10.1.1. Policy on the use of cryptographic controls.

Cryptography is a great way to ensure confidentiality, and every company can make use of it. The industry-standard symmetric cipher, AES, is free to use and lets any organization encrypt all of its data, effectively locking it so that unauthorized people cannot read its contents. Because a single key both locks and unlocks that data, it can play an essential role for any organization that handles PII or other sensitive data. Asymmetric encryption, such as RSA, is more complex: it uses one key to encrypt and another to decrypt, and it provides the additional functionality of non-repudiation and integrity checks.

As you can see, encryption should play a major role in your security posture, and your documentation should require its use if you handle data you need to keep private. Any security policy you write that deals with the storage or transmission of data should have the use of encryption worked into it and described in procedural documents.

A good summary of encryption can be found in the Security+ training videos by Professor Messer, found here:

10.1.2. Key management.

Whether you use symmetric or asymmetric encryption, key management plays a large part in how secure you are. With symmetric encryption, you have a single key that must be distributed to everybody who has a legitimate need to decrypt and view the data. With asymmetric encryption, only one of the two keys, the private key, needs protecting; the other, the public key, should be managed so that anybody can access it. In all cases you need policies outlining the entire lifecycle of the keys: creation, distribution, use, storage and disposal.

Also important to note when writing your policies is whether you will use some form of key escrow, where the keys you must keep safe are also stored with a third party as a safeguard. This allows your keys to be accessed in certain circumstances, such as when a court order is issued.
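The two sections above describe symmetric encryption (one key locks and unlocks the data) and the key lifecycle a policy has to cover (creation, distribution, use, storage, disposal). The following Python is an added example written for this page, not code from the post or from any standard; it shows a small key store that enforces that lifecycle around a single-key authenticated cipher. The cipher uses an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag only because the Python standard library ships no AES; in a real deployment you would use AES-GCM from a vetted library. The key identifier, the principal names and the payroll string are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class KeyState(Enum):
    ACTIVE = "active"            # may encrypt and decrypt
    DEACTIVATED = "deactivated"  # decrypt only, so older data stays readable
    DESTROYED = "destroyed"      # material wiped; nothing is possible


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]
    state: KeyState = KeyState.ACTIVE
    holders: Set[str] = field(default_factory=set)  # who the key was issued to


class KeyStore:
    """Tracks each key through creation, distribution, use, storage and disposal."""

    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}

    def create(self, key_id: str) -> ManagedKey:
        key = ManagedKey(key_id, secrets.token_bytes(32))  # creation (256-bit key)
        self._keys[key_id] = key                            # storage
        return key

    def distribute(self, key_id: str, principal: str) -> None:
        self._keys[key_id].holders.add(principal)          # distribution record

    def deactivate(self, key_id: str) -> None:
        self._keys[key_id].state = KeyState.DEACTIVATED

    def destroy(self, key_id: str) -> None:                 # disposal
        key = self._keys[key_id]
        key.material = None
        key.state = KeyState.DESTROYED

    def material_for(self, key_id: str, principal: str, *, encrypting: bool) -> bytes:
        """Release key material only to a holder, and only for a permitted use."""
        key = self._keys[key_id]
        if principal not in key.holders:
            raise PermissionError(f"{principal} was never issued {key_id}")
        if key.state is KeyState.DESTROYED:
            raise KeyError(f"{key_id} has been destroyed")
        if encrypting and key.state is not KeyState.ACTIVE:
            raise KeyError(f"{key_id} is {key.state.value}; new data needs an active key")
        return key.material


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the one managed key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF: HMAC(enc_key, nonce || counter) blocks, stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the same key is needed to decrypt."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def lifecycle_demo() -> dict:
    """Walk one constructed key through the lifecycle the policy must describe."""
    store = KeyStore()
    store.create("payroll-2024")                     # constructed key id
    store.distribute("payroll-2024", "hr-app")       # hr-app has a legitimate need
    blob = encrypt(store.material_for("payroll-2024", "hr-app", encrypting=True),
                   b"salary: 42000")                 # constructed sample record
    try:                                             # finance-app was never issued the key
        store.material_for("payroll-2024", "finance-app", encrypting=False)
        denied = False
    except PermissionError:
        denied = True
    store.deactivate("payroll-2024")                 # rotated out: old data still readable
    still_readable = decrypt(store.material_for("payroll-2024", "hr-app", encrypting=False), blob)
    store.destroy("payroll-2024")                    # disposal: nothing can be recovered
    try:
        store.material_for("payroll-2024", "hr-app", encrypting=False)
        gone = False
    except KeyError:
        gone = True
    return {"plaintext": still_readable, "denied": denied, "gone": gone}


if __name__ == "__main__":
    print(lifecycle_demo())
```

The point of the store is that key material never leaves it except through `material_for`, which is where the distribution list and the lifecycle state are checked; that is the control a written key-management policy should mandate, and the place an auditor will look for it.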
