Cryptographic Controls
At CWCS we take security extremely seriously. We have recently passed our ongoing audits to retain our ISO 27001 accreditation. There are lots of elements to ISO 27001 that need to be adhered to, and our policies and procedures are always being updated to ensure we are meeting the requirements. One of the sections covered in ISO 27001 is Cryptographic Controls.
Cryptographic Controls
Cryptographic controls are security measures that use cryptographic techniques to protect data confidentiality, integrity, and authenticity. Cryptography involves the use of mathematical algorithms to convert plaintext data into an unreadable format, called ciphertext, which can only be decrypted with a key or password.
Most businesses will hold some, if not all, data in digital form, and often this is sensitive or personally identifiable information. If this information is accessed by anyone unauthorised, particularly those with malicious intent, the loss of business and reputation is potentially huge. So you can see the importance of doing everything possible to prevent access by unauthorised people. The main way to do this is to encrypt the information. Cryptographic controls should be used in any situation where it is necessary to prevent information being accessed by an unauthorised party. The list of situations where this is necessary will depend on your organisational structure and the type of data you hold. There are many types of control measures, so we thought we’d talk about the main ones that we have implemented here at CWCS.
Data at rest
Data at rest is information that is not “moving”: any data saved in digital form, such as documents, spreadsheets, databases and backups, to name a few. Encryption at rest is simply the protection of this inactive data. At CWCS, all of our internal servers, desktop computers and mobile devices have encryption at rest enabled. This protects against the physical removal of the medium used to store the data: for example, where a hard drive is removed from an office desktop computer, the data on it will not be recoverable.
Data in transit
This is where data is moved between devices, whether over a USB cable, Wi-Fi, Bluetooth, ethernet, etc. Where it is necessary to transmit sensitive data we use encryption such as SSL/TLS to provide in-transit encryption. Anyone working remotely connects over a VPN to the internal network. CWCS also uses SSL certificates on internal systems, to prevent data being exposed in transit.
Our Microsoft Exchange server is configured to use Transport Layer Security (TLS) to encrypt communication sent within our network. Further to this, when sending external email all staff are required to follow a clearly defined information handling policy to prevent any accidental leakage of sensitive data.
Key management
Cryptographic keys and credentials used to protect data at rest and data in transit, such as SSH keys, login details, SSL certificates and passcodes, are stored in a secure location accessible only to those with authorisation and responsibility for their management.
Regulation of Cryptographic Controls
The regulation of cryptographic controls varies from country to country. In the UK, encryption is a widely available measure, and the only way that encrypted information can be accessed legitimately by anyone outside of an organisation is under the Regulation of Investigatory Powers Act 2000. Using this, police or security services can apply for a court order to obtain access to encrypted information, either by the organisation or individual having to provide the decrypted information or by providing the key. There have even been discussions in the past over whether encryption should be banned, or at least heavily restricted. The opinion of some is that its use hinders law enforcement and counter-terrorism agencies in intercepting data pertinent to an investigation, and therefore that in some cases the use of encryption could facilitate a national security risk.
However, simply banning or restricting encryption in the UK would never work. The array of legitimate business and personal uses and their benefits are impossible to ignore, to the point where you could argue they outweigh the risks. Many, if not most, businesses, such as CWCS, rely on encryption to keep their own data, and their customers’ data, safe from unauthorised individuals. You might say that restrictions would also contradict the GDPR requirement that organisations “implement appropriate technical and organisational measures to ensure [they] process personal data securely.”
To summarise…
Hopefully, by shedding some light on the definitions of cryptographic controls and sharing a few of our own business practices, we have helped you to further consider the encryption requirements of your own business and the steps that you might take to fulfil them. Remember that by choosing a high-security hosting company such as CWCS you can trust that any data you store is protected by the strictest security measures within an organisation formally certified to the internationally accepted Information Security Management System standard ISO 27001.