Endpoint Encryption: The Why and How
Defense-in-depth security architecture dictates that we secure an organization starting from its most important asset, data, and then work outward along the path that data takes through the organization's IT infrastructure to reach internal or external parties. Defense-in-depth takes into account people, processes and technology.
Data can be at rest or in transit. While this article focuses on data stored on or traversing IT infrastructure, there were traditional means of encrypting data on paper long before computers; accounts of World War I and II give a good picture of how Germany, Japan and the US used encrypted communications.
When talking of encryption, two factors matter: the algorithm (a complex mathematical function) in use and the secret key fed into that algorithm. The strength of the encryption depends directly on the strength of the key and the complexity of the algorithm. Applied to a chunk of data, it converts the data into unreadable ciphertext that only the sender and the intended recipient can make sense of.
Encryption can be applied to data at rest (stored on a disk) and data in transit (while sending and receiving data). Encrypting data in transit involves securing the communication session before the data is transmitted. Usually the sender initiates the session with the receiving party, and the communicating nodes establish a secure session using protocols such as SSL, TLS or IPsec. Once the session has been established, data transmission begins.
Data at rest, mostly on storage systems, hard disks and flash drives, can likewise be encrypted to prevent unauthorized access. Take the example of data stored on a Windows PC. Whether the PC is on or off, the data can still be accessed by anyone who gets hold of the hard disk, without needing the PC user's account details. This is dangerous for organizations whose users lose mobile devices that contain sensitive data. The same applies to organizations with poor disposal processes for IT assets, whose data can easily be recovered (even after deletion) using readily available forensic tools.
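To make the "algorithm plus secret key" point concrete, the following is an added example (not code from the original article) that applies AES-256 to a chunk of data with a key derived from a passphrase, and shows that decryption with the wrong passphrase yields nothing rather than readable text. It assumes PowerShell 7 (.NET Core/5+) because it uses the .NET `AesGcm` class; the function names, the passphrase and the sample text are constructed for the example.

```powershell
# Added example (not from the original article). Requires PowerShell 7 for [AesGcm].
using namespace System.Security.Cryptography
using namespace System.Text

function New-RandomBytes {
    param([int]$Length)
    $buf = [byte[]]::new($Length)
    $rng = [RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)   # cryptographically random salt / nonce material
    $rng.Dispose()
    return $buf
}

function Protect-Chunk {
    param([string]$Passphrase, [string]$Plaintext)
    $salt  = New-RandomBytes 16
    $nonce = New-RandomBytes 12          # AES-GCM standard 96-bit nonce, never reused per key
    # PBKDF2-SHA256 turns the human passphrase into the 256-bit key the algorithm needs
    $kdf = [Rfc2898DeriveBytes]::new($Passphrase, $salt, 600000, [HashAlgorithmName]::SHA256)
    $key = $kdf.GetBytes(32)
    $pt  = [Encoding]::UTF8.GetBytes($Plaintext)
    $ct  = [byte[]]::new($pt.Length)
    $tag = [byte[]]::new(16)             # authentication tag: detects wrong key or tampering
    $aes = [AesGcm]::new($key)
    $aes.Encrypt($nonce, $pt, $ct, $tag, $null)
    $aes.Dispose()
    [pscustomobject]@{ Salt = $salt; Nonce = $nonce; Ciphertext = $ct; Tag = $tag }
}

function Unprotect-Chunk {
    param([string]$Passphrase, $Blob)
    $kdf = [Rfc2898DeriveBytes]::new($Passphrase, $Blob.Salt, 600000, [HashAlgorithmName]::SHA256)
    $key = $kdf.GetBytes(32)
    $pt  = [byte[]]::new($Blob.Ciphertext.Length)
    $aes = [AesGcm]::new($key)
    try {
        $aes.Decrypt($Blob.Nonce, $Blob.Ciphertext, $Blob.Tag, $pt, $null)
        return [Encoding]::UTF8.GetString($pt)
    } catch {
        # Tag mismatch: wrong passphrase (or altered ciphertext). No partial plaintext leaks.
        return $null
    } finally {
        $aes.Dispose()
    }
}

# Constructed sample input
$blob = Protect-Chunk -Passphrase 'correct horse battery staple' -Plaintext 'Q3 payroll export'
'Ciphertext (hex): ' + (($blob.Ciphertext | ForEach-Object { $_.ToString('x2') }) -join '')
'Right key  : ' + (Unprotect-Chunk -Passphrase 'correct horse battery staple' -Blob $blob)
'Wrong key  : ' + (Unprotect-Chunk -Passphrase 'Password1' -Blob $blob)
```

The ciphertext is the same length as the input but carries no recognisable structure, and the wrong passphrase produces `$null` rather than garbage, because AES-GCM authenticates the data under the key before releasing any plaintext. The 600,000 PBKDF2 iterations are there to make passphrase guessing expensive, which is the same reason the disk-encryption checklist later in the article insists on sound password creation practices for the PIN.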
When considering encryption for endpoints and mobile devices, the parameters below are key to achieving success:
- Selection of a strong encryption algorithm. AES-256 is currently one of the recommended choices, as it has proven very hard to break within a reasonable time frame.
- Enforcing the use of a decryption key. To the user this appears as a password or PIN that is required to access the drive, so password creation practices apply here.
- Enforcing either full disk encryption or used-disk-space-only encryption. The former encrypts the whole disk; the latter encrypts only the space currently in use, with any data written afterwards encrypted as well.
- Denying read-write operations on disks that have not been encrypted. This enforces the requirement that all disks be encrypted.
- If encrypting the disk that holds the mobile device's operating system, enable pre-boot authentication so the disk must be unlocked before the device can boot. Be careful, however, not to encrypt the section of the drive that stores the master boot record.
- Setting a means of recovery in case the user forgets the password or PIN. This is mostly done via recovery keys, which are stored in a central secure location accessible only to system administrators or the device owner.
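The checklist above maps onto concrete BitLocker settings on a Windows endpoint. The script below is an added example, not the article's own procedure or Microsoft's guide: it enforces XTS-AES-256, TPM+PIN pre-boot authentication, used-space-only encryption, a centrally escrowed recovery password, and a deny-write rule for unencrypted removable drives, then prints the state an auditor would check. Assumptions: the machine has a ready TPM, is domain-joined so `Backup-BitLockerKeyProtector` can escrow to AD DS, and the deny-write policy is written to the local policy registry path (`HKLM:\SOFTWARE\Policies\Microsoft\FVE`, value `RDVDenyWriteAccess`) only because Group Policy deployment is outside this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): applying the endpoint-encryption
# checklist with the BitLocker PowerShell module. Drive letter is constructed.
$MountPoint = 'C:'

# Pre-boot authentication needs a TPM for the TPM+PIN protector
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; TPM+PIN pre-boot authentication is unavailable'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # The decryption key is presented to the user as a PIN entered before Windows boots
    $pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN (apply your password policy)'

    # Strong algorithm + used-space-only (fast first pass on a fresh device).
    # Drop -UsedSpaceOnly to encrypt the whole disk on reused hardware.
    # BitLocker itself keeps the small unencrypted system/boot partition the
    # firmware needs, so the boot records are never encrypted.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
}

# Recovery path: a recovery password protector, escrowed to a central store (AD DS here)
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($rp in $recovery) {
    # Escrow so admins (not the user's notes) hold the recovery key
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# Deny write access to removable drives that are not BitLocker-protected
# (local-policy registry equivalent of the GPO setting; assumed path and value name)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# What a compliance check should see: encrypted, XtsAes256, protection on, TpmPin + RecoveryPassword
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage,
        ProtectionStatus, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

`ProtectionStatus` is the value to alert on in fleet reporting: a volume that is encrypted but shows protection `Off` (for example after a suspended BitLocker) offers none of the at-rest protection the article describes, even though `VolumeStatus` looks healthy.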
Other parameters and controls specific to the mobile device's platform can be set to make the solution more robust. I am currently conducting data-at-rest encryption for Windows endpoints in my organization using BitLocker, and so far it satisfies the confidentiality factor in the CIA triad.
TechNet (Microsoft's repository for tools and resources) has a detailed guide on implementing Windows BitLocker. I will follow up this article with one on the weaknesses and attack surfaces of encrypted devices, for a complete view of the risks around them.