

IEncrypt team brainstorming results, July 9th, 2008

 


Technique: brainstorming issues, followed by clustering.
Clusters and issues are in alphabetical order.

 

The question considered was: What are the desired outcome and implementation considerations?

Availability, lifecycle recovery?

  • Access to info encrypted long ago?
  • Data lifecycle
  • Data recovery
  • Encrypted backups
  • Escrow - can we require it & audit for compliance?
  • Key escrow
  • Legally required records - can we store them encrypted?
  • Who owns the key? Individual? Unit? UW-System?

Buy-in

  • Actual stakeholders (individuals)
  • Can we get provost sponsorship?
  • Faculty buy-in?
  • Faculty involvement?
  • How to engage faculty?
  • System buy-in

Changing regulatory env.

  • Evolving product portfolio
  • mutating environment - policy - technology
  • new threats
  • What is the best mix of policies, procedures, guidelines and standards?

Communications

  • Communications to all needed
  • Communications, who to involve and when?
  • Promulgation of policy

Compliance

  • Audit
  • Compliance, what's the carrot?
  • Consequences of non-compliance
  • Gap in federal timeframe - waiting for fed. regs.
  • How do we know there is compliance?
  • Legal compliance
  • Public records requirements

Exceptions

  • Are there exceptions?
  • Compensating controls (if can't encrypt)
  • Exception procedure? Need one?
  • Exception procedure? Who grants?

Fit into larger data policy

  • What other protective measures need to accompany encryption
  • How can we ensure the policy fits within a larger data policy?

Implementation

  • Addressing concerns about cost
  • Crypto hardware: - Smart cards - eTokens
  • DNS sec
  • Ease of implementation
  • Encrypted hard drives
  • Escrow technology
  • Facilitation by campus: - site licenses - documentation
  • Full disk vs. file by file encryption
  • How to handle technical issues such as encryption keys?
  • Managed and unmanaged machines
  • Need encryption software site license
  • Sharing of encryption keys - can collide with policies banning the sharing of passwords
  • Standalone software
  • TPM (Trusted Processing Module)
  • Wireless security (Lopa2

Monitoring

  • Data in transit - do we scan for unencrypted data and block transmission (Vonter (sp?) and similar products "DLP")
  • DLP (Data Loss Prevention) tech interacting with encryption
  • Gap in federal timeframe - waiting for federal regs
  • How to monitor compliance?
  • Hunting for leaked data (compliance)
  • Shared workstations (i.e. student workers) - required encryption (disk and file) to enforce separation of access rights by different users

Other

  • Digital Signatures

Portable

  • How to encourage folks to not have sensitive info on vulnerable devices?
  • Lost laptop Reporting reqs.
  • Portable devices
  • USB sticks, iPlug, etc. Does policy cover these "non-computers"?

Training

  • 8K new students per year to train
  • Curriculum tie-ins
  • Training issues

What and when to encrypt

  • Calendar entries (type of data)
  • Can we / should we identify where sensitive data is?
  • Data at rest
  • Data classification
  • Data in motion
  • Database columns
  • Definition of Data to be encrypted
  • Do we need to ID all laws?
  • E-mail (type of data)
  • E-mail subjects (type of data)
  • How to define what data is covered?
  • Paper - policy should not unintentionally require encrypted paper copies.
  • Risks during processing
  • Sanitizing data to avoid encryption
  • Under what circumstances is encryption required?
  • What is sensitive information?
  • What is the value to the institution of the data?
  • Why include workstations? (or not?)
  • Wiki (type of data)

Why need policy?

  • Avoiding headlines
  • Confidentiality
  • Data integrity
  • Peer-to-peer leaks
  • Physical risks, equipment/media theft
  • UW reputation
  • Why is this issue (encryption) important?

4 Comments

  1. Hello All,

    This is a long list of ideas, many of which we talked about at the first meeting of the group. I don't have any additional suggestions at the moment except to suggest reducing the number of groups. I would suggest that compliance, what and when to encrypt, regulatory environment, parts of access really relate to larger issue of risk assessment. I would add item (and I think this belongs in risk assessment as well)-what is the value to the institution of the data. Pulling those pieces together I think may help to craft a guideline/policy.

    Hope the above is helpful. Thank you.
    Nancy Kunde

  2. Hi,

    This is starting to sound more like policy making. Encryption is just a technology. Protecting data across its lifecycle is a policy. Encryption is likely to play a role. Data security is one of the reasons we have moved to web-based collaboration environments (not a whole series of disconnected tools). We chose a set of tools that deliver data protection as a part of their design. From start to finish, data stays in the secure environment. Approaching data security as a series of piecemeal technology fixes pretty much guarantees complexity, gaps, and non-compliance.

    Chris

  3. Anonymous

    Hi,
    Just a quick note to mention that I agree with Chris Thorn's comments. I believe that we need to look at data as an asset which needs to be managed over its entire lifetime. Specifically, I am referring to the following:
    1. Determining when and how data will be generated
    2. Deciding who will be authorized to create the data
    3. Determining how you will classify the data using universal campus standards
    4. Deciding how you will credential and authorize individuals who handle data
    5. Deciding the method to audit how this information is transferred and stored
    6. Determining what the useful life of the sensitive data is, based on its classification, usefulness and government regulations related to its retention

    The issue of data encryption is complex and will require some sort of electronic policy enforcement (in my opinion) if we want to have true assurance that policies regarding the handling of sensitive data are being followed. What good is it to have an administrative policy if you can't audit it to ensure that it is being followed? I think it is important to follow the spirit of the idea, as well as the actual letter of the idea.

    In following the spirit of the idea, I think that we should have a comprehensive solution that protects data at rest on end user storage devices, such as desktop computers, CDs, USB drives, laptops, etc, and ALSO data in transit and data stored on servers. Think of all the sensitive data that is transmitted in the body of email, or as attachments and how it is exposed as it travels across a public network, such as the campus network. Additionally, that data in transit, is often stored for long periods on email servers or other servers, prior to making its way to the end user's computer. I believe that we need to protect the data from the moment it is sent, and continue to protect it while it is in storage on servers as well as on the end user's ultimate storage device.

    A lot of the questions that are being asked about who owns the encryption keys, what about escrow, etc, are identical to the challenges we faced with PKI. Ideally, I think it would be nice if we could leverage the existing PKI system to provide the digital certificates which would serve as the basis for encrypting data in all its forms. It does not seem fiscally or operationally prudent to me to rebuild what is essentially an identical system for generation, management and escrow of digital certificates to be used with end media storage encryption, when we already have that infrastructure with PKI.

    If the Iencrypt team would like my input in the future, please let me know. If not, that is fine too, but I would be remiss if I didn't at least state my opinion.

    Regards,

    Nick Davis

  4. Hi,

    I agree with many of the preceding comments. The evaluating of data, classification, authority to create data, etc. are not strictly IT issues nor do they necessarily relate just to encryption. They represent good information management practices. Certainly, Nick's comments about the variety of devices currently used to transport and store data impact records management as well. I think Chris makes the critical distinction--we need to consider the data apart from the tools. It is the security and protection of data/records that is important to the institution.

    Regards,
    Nancy Kunde