Week 10

NIST SP 800-111 “Guide to Storage Encryption Technologies for End User Devices”

Threats are unavoidable but can be minimized. There are many threats to the confidentiality of information stored on end user devices, some are unintentional, and some are intentional.  Unintentional threats caused by human errors whereas the intentional threats are more serious and derived by different motives. These intentional threats could cause mischief and disruption and commit identity theft and other possible fraud. Threats could be in many forms such as: internal when employee involve in misusing his/her position to access critical information; and external, when someone remotely accesses to system or device and attempt to access critical information stored on the system or device which could jeopardize the confidentiality of the organization.  (NIST, 2011)

So, securing critical information and components of end user devices is very critical and requires additional measures to protect from threats from unauthorized users or parties. This publication provides a recommendation for encryption on the basis of storage security, security controls, which allows authorized user or parties to access sensitive information stored on end user devices are encryption and authentication.  

1.  When selecting a storage encryption technology, organizations should consider solutions that use existing system features (such as operating system features) and infrastructure.

Some encryption solutions require that you deploy servers and install client software on the devices to be protected, while others can use existing servers and software already present on the devices or built into the devices, such as Federal Information Processing Standard (FIPS)  (Jackson, 2009). So, the more extensive the changes are to the infrastructure and devices, the storage encryption solution will cause a loss of functionality or other problems with the devices. Therefore, comparing the loss of functionality with gains in security and decide if the trade-off is acceptable and should be used when other solution cannot meet the organization’s needs. (NIST, 2011)

2.  Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.

Centralized management is recommended for storage encryption because it enables efficient policy verification and enforcement, key management, authenticator management, data recovery, and other management tasks. It also can automate deployment and configuration of encryption software, distribution and installation of updates, collection and review of logs, and recovery of information from local failures. ( NIST, 2011)

3.  Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

Storage encryption technologies use one or more cryptographic keys to encrypt and decrypt the data that they protect. If a key is lost or damaged, it may not be possible to recover the encrypted data from the computer, which includes all aspects of key management, key generation, use, storage, recovery, and destruction. So, organizations need to consider how key management practices can support the recovery of encrypted data when a key is inadvertently destroyed or becomes unavailable (NIST, 2011). Also, consider how changing keys will affect access to encrypted data on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed. (Jackson, 2009)

References:

·     NIST 2011, “Guide to Storage Encryption Technologies for End User Devices”, published on NIST SP 800-111, on November 2007. Retrieved From: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

·     Jackson, William. 2009. “Five Encryption tips from NIST”, Published on GCN.com, on April 15, 2009. Retrieved From: https://gcn.com/Articles/2009/04/20/Crypto-best-practices-sidebar.aspx