Every business must have a data security policy, not only for the IT team but their employees as well. An encrypted application like Cylix or your webmail encryption software will do its bit of putting up a wall against a breach. But to prevent a violation in the first place, your employees need to know how to interact with data and technology securely.
An Encrypted Application and Data Security Guidelines Template
Data security guidelines should cover both end-to-end and endpoint encryption. End-to-end encryption protects data in transit between the sender and the recipient; endpoint encryption covers data at rest on all your devices.
In general, the document should address the following points of focus:
Requirements: The security guidelines for data should plainly state that anyone who moves data through a network, or anyone who is a custodian of data, must use authenticated, secure and industry-accepted encryption mechanisms. Many security policies include a detailed appendix listing the types of data that are covered by the policy.
If there are any exceptions – such as when data is moving between two servers in your data center – the document should mention these. In general, if anyone accesses data from a desktop anywhere in the office premises, you should recommend encryption.
Description of Risk: State the risks to protect against, such as eavesdropping by unauthorized users with malicious intent.
Recommendations: This section will define the scope of encryption. For instance, it should mention that even when the source and target devices for endpoint encryption come within the same subnet, encryption is necessary. Also, indicate the types of data transmissions that should be encrypted. These may include data transfers between third-party and core systems, communication between client and server, or server and server.
Points to Include in Recommendations
• Email is not secure by itself; sensitive data should only be sent using email encryption standards such as S/MIME or PGP. Another alternative is to encrypt the data with a file encryption tool before attaching it to the email.
• Data transmissions on the web must be protected by SSL/TLS, using a current, industry-standard protocol version (TLS) rather than legacy SSL.
• Encrypted application solutions should be used for all other data transmissions. If the database lies outside the application server, FIPS-compliant algorithms should secure the connection between the application and the database.
• If encrypted application solutions aren’t available for data that doesn’t pass through the web, then technologies like SSH tunneling and IPSec can be used to secure networks.
• Let users know about safe alternatives to insecure network protocols, such as HTTPS instead of HTTP, RDP and Radmin for remote desktops instead of VNC, and so on.
Also, include recommendations on secure connections to wireless networks. Users should only connect their devices to wireless networks that use high encryption standards such as WPA2.
A Note for your Security Team
You should make it very clear to your security people that they should not create their own cryptographic schemes; they should only choose from accepted standard algorithms. Cylix, for example, is an encrypted application that uses the audited AES and RSA algorithms to secure your notes locally on your system.
Your security people will usually choose the best available tools and protocols for the hardening task at hand. For instance, a task to boost the privacy between client and server (for extra protection over HTTPS) can benefit from the AES and RSA algorithms. WebSocket is a suitable messaging protocol between backend and frontend.
After choosing tools, your team will also have to choose encryption libraries for the client and server sides. They contain existing algorithms that can be used to secure systems, without having to invest time in developing algorithms from scratch. Your policy can include a note about ensuring that the team uses the same set of encryption modes, algorithms, and key lengths for the server and client libraries.
There can never be enough layers of encryption. If you are using HTTPS, for instance, encrypting the connection between server and client is still a good idea. An encrypted application like Cylix can protect your data locally, but you will still need to make sure that when you share these files or take a backup on the cloud, every possible point of attack is secured.
Are you taking steps to enforce data security compliance in your business?