By Howard Draper, Information Security Analyst
Introduction to UNT Data Encryption Recommendations
News reports of identity theft and sensitive data loss are becoming all too common. As recently as June, a Kent State University employee's laptop with over one thousand faculty Social Security Numbers was stolen from a car in a department store parking lot. Also in June, the University of Connecticut discovered that a server containing 72,000 student, faculty, and staff records had been hacked since 2003. On July 7th, the University of Southern California announced that a programming error in their online application system allowed potential disclosure of 320,000 users' personal information.
Strong password requirements go a long way to thwart hacking attempts, but all passwords can be cracked over enough time. Encryption of sensitive data provides an extremely helpful layer of security.
According to UNT Information Security Policy 3.6, “Encryption techniques for storage and transmission of information shall be used based on documented agency security risk management decisions.” Justification for encryption should always be preceded by another question: “Is it absolutely necessary for this sensitive data to be stored here?” The most effective theft deterrent in any situation is to remove the items of enticement; “what doesn't exist can't be stolen.” In the case of UNT laptop computers, this topic is of utmost importance. If a UNT laptop computer is lost or stolen, given a low chance of recovery, UNT would have to assume responsibility for the compromise of all information stored on the stolen laptop.
UNT has a significant number of computer users who access data remotely, carry laptops, and deal with sensitive data. When using unfamiliar non-UNT networks, accessing data remotely, and using wireless internet access, the risk of a security incident is much higher than on an on-campus, UNT-managed computer. In short, data encryption is highly recommended and perhaps should be required in many cases. An ounce of prevention is worth a pound of cure.
Scope of Coverage
Encryption can be used on every popular operating system, but in the case of UNT, Microsoft Windows and Macintosh OS X are most common, and therefore these operating systems are the context for these encryption recommendations.
Entire hard disks need not be encrypted; the System Administrators can specify how much or how little data they wish to encrypt. Typically, the home directory is a likely target for encryption, as are any folders which contain sensitive data. Integration of native Windows and Macintosh encryption is transparent, and there is no perceivable increase in lag when encryption is used. The encryption/decryption key is associated with specific user accounts, which means that the initial login authentication is all that's necessary for users to access their encrypted documents.
All UNT laptops should use encryption to protect sensitive data. Because encryption implementation is simple, encryption of data on desktop computers is also highly recommended, particularly those computers used in any capacity to manage sensitive data.
Remote communications and remote data access should also use encryption protocols. Users should never access campus computing resources via unencrypted connections. Unencrypted transmission of data over any network connection (including wireless) can be intercepted and examined quite easily.
Specific Implementation Areas
A high percentage of UNT computers use Microsoft Windows 2000 and 2000 Server, which, having reached their End-of-Life cycles, are not ideal for continued use with encryption implementation. UNT Information Security recommends upgrading all Windows computers to Windows XP or Windows 2003 Server (depending on the need), both of which feature significant security improvements over Windows 2000 and 2000 Server.
Windows XP and 2003 Server both provide native 128-bit encryption, which can be applied to folders manually. When used in conjunction with Active Directory, System Administrators can serve as recovery agents in case users lose the ability to view encrypted documents. The NTFS hard drive filesystem is required, since FAT32 does not support the native Windows encryption.
Manually encrypting a folder in Windows XP/Server 2003 is quite simple. Per the Microsoft Instructions (http://support.microsoft.com/default.aspx?scid=kb;en-us;308989&sd=tech), the user can simply right-click on a folder or file, click the "advanced" tab in the "general tab", and select the "Encrypt contents to secure data" check box.
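The NTFS requirement and the per-folder encryption flag described above can be checked from a script. The following PowerShell is an added example, not part of the original article or of Microsoft's instructions; the function name Get-EfsStatus and the folder paths are hypothetical and should be replaced with the folders that actually hold sensitive data.

```powershell
# Added example: read-only audit of native Windows (EFS) encryption status.
function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    $encFlag = [int][System.IO.FileAttributes]::Encrypted
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Skipping '$p': not an existing folder"
            continue
        }
        $dir  = Get-Item -LiteralPath $p -Force
        $root = [System.IO.Path]::GetPathRoot($dir.FullName)

        # Native encryption needs NTFS; a FAT32 volume cannot hold encrypted files.
        # UNC roots are reported as Unknown because DriveInfo only accepts drive letters.
        $fs = 'Unknown'
        if ($root -notlike '\\*') {
            $fs = (New-Object System.IO.DriveInfo -ArgumentList $root).DriveFormat
        }

        # Files beneath the folder that do not carry the Encrypted attribute.
        $plain = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           (([int]$_.Attributes -band $encFlag) -eq 0) })

        New-Object PSObject -Property @{
            Path            = $dir.FullName
            FileSystem      = $fs
            EfsCapable      = ($fs -eq 'NTFS')
            FolderEncrypted = (([int]$dir.Attributes -band $encFlag) -ne 0)
            PlaintextFiles  = $plain.Count
        }
    }
}

# Hypothetical folder list for illustration only.
$targets = @("$env:USERPROFILE\Documents", 'D:\Payroll')
Get-EfsStatus -Path $targets |
    Select-Object Path, FileSystem, EfsCapable, FolderEncrypted, PlaintextFiles |
    Format-Table -AutoSize
```

A folder reported with FolderEncrypted set but a non-zero PlaintextFiles count still contains files that were never encrypted and should be reviewed.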
Macintosh OS X
Macintosh OS X provides native encryption called "File Vault," which uses 128-bit encryption. File Vault encrypts the contents of a user's home directory, in which sensitive data should be stored. File Vault is extremely simple and very easy to use: The Apple official instructions (found at http://www.apple.com/macosx/features/filevault/) show that the user need only open System Preferences, click on Security, and click on "Turn On File Vault."
Third Party Encryption Software
There are many alternatives to native Operating System encryption, two popular options being PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard). PGP-style encryption is used to both authenticate communication and protect stored data. It is commonly used to encrypt email, most of which has no inherent security during transmission. The GNU PGP version is an open source version of the commercial PGP offerings. Both versions are supported for most common Operating System platforms.
Removable Data Storage Devices
As the popularity of USB flash drives for data storage increases, potential buyers should be aware that secure flash drives are available which use 256-bit encryption to protect the contents. Users can also use free software like TrueCrypt to encrypt the contents of USB flash drives.
Macintosh OS X users can also create encrypted disk images to store encrypted data on USB flash drives.
Remote Access Encryption
We strongly recommend that users needing remote access to campus computers use a secure remote access method. We recommend the (free and secure) Microsoft Remote Desktop client for remotely accessing Windows computers. Apple offers a similar remote access program which can be purchased.
The Microsoft Remote Desktop client utilizes secure technology licensed from Citrix. It is the strongest and most effective remote access method which we recommend for use with Microsoft Windows.
Wireless Network Encryption
All employees who use wireless network connections should be wary of sending any sensitive data (including passwords) over unencrypted wireless networks. Microsoft Windows XP and Mac OS X both provide simple indicators of whether or not a wireless network is secure. System Administrators can very quickly show a user how to determine if a wireless network is encrypted.
Unencrypted wireless networks offer no protection for any data sent through them. Most communications can be easily intercepted and read. It is worth noting that WEP encryption is outdated and easily defeated, making it a weak encryption protocol to rely on. WPA is a recommended alternative, given its stronger resistance to compromise.
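The distinction drawn above (unencrypted, WEP, WPA) can be applied automatically to a list of visible networks. This PowerShell is an added example, not part of the original article; it assumes a Windows version that includes the `netsh wlan show networks` command and parses text in that command's layout. The sample text, the SSIDs, and the function name Get-WirelessRisk are constructed for illustration.

```powershell
# Added example: rate visible wireless networks by the article's guidance.
# $sample is CONSTRUCTED text, trimmed to the fields this script reads.
$sample = @'
SSID 1 : CampusGuest
    Authentication          : Open
    Encryption              : None

SSID 2 : OldLabAP
    Authentication          : Open
    Encryption              : WEP

SSID 3 : DeptSecure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
'@

function Get-WirelessRisk {
    param([Parameter(Mandatory = $true)][string]$NetshOutput)

    $networks = @()
    $current  = $null
    foreach ($line in ($NetshOutput -split "`r?`n")) {
        if ($line -match '^SSID\s+\d+\s*:\s*(.*)$') {
            # A new network block starts; fields stay empty until they are seen.
            $current = New-Object PSObject -Property @{
                SSID = $Matches[1].Trim(); Authentication = ''; Encryption = ''; Rating = ''
            }
            $networks += $current
        }
        elseif ($current -and $line -match '^\s+(Authentication|Encryption)\s*:\s*(.+)$') {
            $field = $Matches[1]
            $current.$field = $Matches[2].Trim()
        }
    }

    foreach ($n in $networks) {
        if     ($n.Encryption -eq 'None')       { $n.Rating = 'Unencrypted: no protection' }
        elseif ($n.Encryption -eq 'WEP')        { $n.Rating = 'WEP: outdated, easily defeated' }
        elseif ($n.Authentication -like 'WPA*') { $n.Rating = 'WPA: recommended' }
        else                                    { $n.Rating = 'Unknown: check manually' }
        $n
    }
}

Get-WirelessRisk -NetshOutput $sample |
    Select-Object SSID, Authentication, Encryption, Rating |
    Format-Table -AutoSize
```

To rate the networks actually in range, pass `(netsh wlan show networks | Out-String)` as the argument instead of the constructed sample.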
When a secure remote access protocol is used (like the Microsoft Remote Access client), the communication is encrypted from end-to-end, meaning all data passed between the two computers, even when over an unencrypted network, is still protected by use of the secure remote access protocol.