Analecta Cyber Company Blog: Data Encryption Compliance with the NIST Cybersecurity Framework

2018-04-01

Data Encryption Compliance with the NIST Cybersecurity Framework

Many businesses today have a compliance obligation to a regulatory agency to ensure customer data stored by the business is protected against confidentiality, integrity or availability breaches. Implementing a data encryption program on all in-house devices helps meet this requirement and can be quick and painless with most modern operating systems. In this article, we discuss the benefits and easy application of encrypting data that resides on your systems, and specifically, how to keep data confidentiality intact.

Understanding the benefits of encryption on data at rest 


If a hacker has gained access to your networks or devices, they can potentially gain full access to all of your company data if no other security measures are in place. This “data at rest,” which is stored on your company’s systems, is vulnerable even if it is not being exchanged with external parties.

The National Institute of Standards and Technology (NIST) states that data should be managed consistent with your organization’s risk strategies to protect the confidentiality of information. Using strong full disk encryption ensures the confidentiality of a multitude of data types:
  • Important business records or internal information that may be embargoed, restricted or classified.
  • Customer account information such as credit card, banking and other personally identifiable information (PII).
  • Employee information such as Social Security, benefit, health or beneficiary information.
Even if encrypted data is compromised and falls into the hands of malicious actors, its confidentiality remains intact.

What is Full Disk Encryption (FDE)?


Full disk encryption, also known as whole disk encryption (WDE), is a common way to apply security to data at rest. FDE converts data into an unintelligible form that cannot be read without the proper key to unlock the information. This encryption is applied to everything on the hard drive, including user data, the operating system, temporary files, and even deleted files that still exist on the hard drive. Remember that when a file is deleted, the delete action only removes the file system's pointer to where the item is located. The data itself stays on the drive, open to discovery by malicious actors with the proper tools and motivation.

Full disk encryption is available for desktops, laptops, iPhones, Androids, and even removable media like thumb drives. It’s never been easier to use FDE to protect your business information on all of your devices. Consider systems and drives that are decommissioned, recycled or go into e-waste. Poorly handled decommissioning means you could be leaking data. Some external agencies will even charge extraordinary additional expense to sanitize or destroy your drives. Start encrypting all data at rest when it is in house and you will never have to worry about unprotected data falling into unintended hands.

Encryption implementation for data at rest


Most modern operating systems (Windows, macOS, Chrome OS, iOS and Android) offer integrated encryption tools for one or more versions of the OS. Windows 10, for example, includes BitLocker with the Windows 10 Professional edition. For Apple OS X Lion and later, FileVault 2 is available. Both of these options employ full disk encryption. Although the encryption mechanism itself is highly complex, the set-up procedures are easy to follow, and your device can be protected in no time.

The underlying mechanism of encryption/decryption is transparent to most users, who will not notice anything different during system authentication. For more information on full disk encryption or other cybersecurity measures, visit www.analecta-llc.com.

Most encryption software can be pushed to the end-user’s system via a managed software delivery system. This approach works best when all of the organization’s systems are at a centralized location and working on the same network. If your organization is geographically spread out to multiple locations, the best approach is to work in phases, accomplishing the encryption deployment fully at one location before beginning another.

For Windows machines, BitLocker Drive Encryption is managed by group policy settings, although it can also be deployed and configured via a script. Administrators with devices running macOS can deploy and configure FileVault using Jamf Pro (formerly Casper Suite). Both have very detailed administrator guides to help IT support set up protections that minimize the risk of confidential information falling into the wrong hands.
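As an added illustration of the scripted route (not code from this article or from Microsoft's guides), the following PowerShell sketch enables BitLocker on the operating system volume and reports its state. It assumes a domain-joined Windows 10 Professional client with a TPM, a group policy that permits recovery key backup to Active Directory, and XTS-AES 256 as the chosen method; all three are assumptions, not requirements stated above.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the OS volume, then report its state.
# Assumptions: TPM-equipped, domain-joined client; XtsAes256 is an assumed
# policy choice; recovery keys are escrowed to Active Directory (AD DS).

$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Stop early if there is no usable TPM to bind the volume key to.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME"
    }

    # Reuse an existing recovery password if an earlier run created one.
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -First 1
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object -First 1
    }

    # Escrow the recovery password before any data is encrypted, so the
    # drive is never protected by a key that support staff cannot recover.
    Backup-BitLockerKeyProtector -MountPoint $mount `
        -KeyProtectorId $recovery.KeyProtectorId | Out-Null

    # The default hardware test runs at the next restart; encryption then
    # proceeds in the background while the user keeps working.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
        -TpmProtector | Out-Null
}

# Emit one record per machine for a central compliance report.
$vol = Get-BitLockerVolume -MountPoint $mount
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Volume           = $mount
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Method           = $vol.EncryptionMethod
    PercentEncrypted = $vol.EncryptionPercentage
    Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                        $vol.ProtectionStatus -eq 'On')
}
```

A machine that is still converting reports `EncryptionInProgress` and `Compliant = False`, which makes it easy to confirm one location is fully encrypted before starting the next.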

Encryption software will take some time to deploy, especially when it is enabled on large-volume drives. A good rule of thumb is to allow about 3 hours for a 100 GB office drive, although performance drives will usually run faster. If scheduling downtime for an encryption installation will impact company business, consider FDE software systems that allow for a background deployment.

Beyond the system disk


Full disk encryption also provides the ability to encrypt removable storage devices such as USB drives or external hard drives. When connecting the removable storage device to the computer, the user will be prompted to input a passphrase. Once authenticated, access to the drive is granted.

FDE is best employed as one part of an organization's security posture, but definitely not as the only part. Data is still at risk when in transit or in use. FDE only protects your files when the encrypted device is turned off or locked. If an authorized user accesses the device but then leaves it unattended, anyone with physical access to the machine will also have access to the files. For this reason, company-driven security policies should require that users secure their devices when left unattended.

How Analecta is sharing the message of cyber responsibility


As we’ve shown here, data encryption is a great start to protecting your data. If you are looking for expert advice on implementing encryption on your company’s system or wish to consider a more complete cybersecurity program for your company, contact us.

Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Using a holistic approach and industry standards, the Analecta Cyber Risk Assessment enables you to see how to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. A 96-point assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com. We are here to help!
