Protecting University data wherever it is located
As people who are exposed to information either created by or entrusted to the University, we are obliged to protect sensitive information wherever it resides. Information can be found in numerous places:
- On physical media, such as paper, and even older technologies such as microfilm
- On removable media, such as DVDs and USB drives
- On computer hard drives
- On mobile devices, such as tablets and smartphones
- On shared network drives
- In the “cloud”
- In transit between one location and another
- Even in someone’s head or the air that the sound of information passes through
The security industry refers to information sitting on a storage medium as “data-at-rest” and to information passing from one location to another as “data-in-transit”.
While we cannot do much about the information inside one’s head besides enforcing policies, there are technologies that we can employ to prevent individuals who have access to the specific storage or transmission media from viewing or tampering with the information that we need to protect. Many of these technologies have cryptography or encryption/decryption at their core.
What is encryption/decryption?
Encryption is the act of passing readable data, referred to as “clear text”, and an encryption key through a formula that changes the clear text into a form that is unreadable to anyone who does not have the associated decryption key. The unreadable text is called “cipher text”. Decryption is the reverse of encryption, converting cipher text to its corresponding clear text.
Some cryptographic systems use the same key to encrypt messages as they do to decrypt them. These "shared key" systems can be effective in scenarios involving a small number of organizations, but the secure management of encryption keys can become a challenge as the number of participants increases.
Other systems are built upon a technology that is capable of generating two distinct keys (a "key pair") for each participant where any data that is encrypted by one of the keys can only be decrypted by the other key. These "public key" systems can be complex to initially set up, but they are very effective in deployments that can potentially involve large numbers of participants, e.g., encrypted e-mail, digital signature verification.
For more in-depth information about the different encryption technologies, please see the Encryption and Digital Signatures page.
There are many methods of transmitting information between two computers or mobile devices. For end users of information, the most common forms of data-in-transit are web form data, application-based transactions and e-mail. Please see the following Information Security Basics topics for a discussion about e-mail and web security:
A very important consideration when securing sensitive information in e-mail, web and other application transactions is to ensure that any sensitive message transmitted between your system and another is encrypted with an approved encryption solution. Please contact the OIT Support Center at extension 2828 or firstname.lastname@example.org for product guidance.
Keep in mind that, in most cases, data-in-transit encryption methods only protect data from the time it leaves the sending computer to the time it arrives at the receiving computer. Once it arrives and is stored on the receiving computer’s hard drive, it is usually stored in a readable, clear text form.
If a computer storing sensitive data is in a physically protected space, such as a data center or a secured computer room, then having the data stored in clear text may not be an issue. But in cases where a computer is located in a less protected office area or a space that is accessible to the public, we should be concerned about what could occur if an unauthorized individual were able to physically access the computer or steal the device’s hard drive.
There are many products on the market that can keep data on a hard drive or other storage device secure by automatically encrypting data before writing it to the storage medium and by automatically decrypting it when it is retrieved by an authorized user. Once the product is installed, the encryption and decryption functions are performed in the background by the software without any user involvement, so the user experience is exactly the same with a lot more protection. Modern data-at-rest encryption systems are so tightly integrated with the operating system that the extra work that the computer must do to encrypt and decrypt data usually does not cause any noticeable degradation in performance.
- Currently supported Windows operating systems include a product called BitLocker to encrypt and decrypt the computer’s drives
- Supported Mac OS X operating systems include a product called FileVault to perform the same function
There are other commercial products available besides the ones provided by the operating system manufacturers. With any of the above products installed, we can feel confident that even if an intruder walks off with an encrypted hard drive or an entire computer that stores sensitive data, his or her ability to expose the clear text is severely diminished.
Setting file privileges
Each file and folder on a system can be set up to restrict access to a limited number of authorized individuals or groups. These restrictions can also be configured to limit what each authorized user or group is permitted to do with each file or folder, e.g., read the file/folder, create a file/folder, update the file, delete the file, administer the file/folder.
If you store any sensitive data on your system, it is important that you configure the access privileges appropriately so that individuals who can log into your system cannot access restricted data.
It is important to note that the setting of file privileges works hand-in-hand with data-at-rest encryption. Data-at-rest encryption solutions will automatically decrypt any file on any of the protected computer hard drive(s) if:
- The person knows a valid user ID and password that can be used to log into the computer
- The permissions on the file allow the logged-in account holder to read the file.
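Because drive encryption decrypts files for any logged-in account that the permissions allow, it helps to check which files are readable by accounts other than the owner. The following is an added example, not part of the original page: it audits a folder for group/other access and then restricts it to the owner. It assumes POSIX permission bits (Mac OS X, Linux); Windows uses access control lists instead, and the file names and contents are constructed sample data.

```python
import os
import stat
import tempfile

# Permission bits that grant access to anyone other than the file's owner.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO
LABELS = [(stat.S_IRGRP, "group:r"), (stat.S_IWGRP, "group:w"), (stat.S_IXGRP, "group:x"),
          (stat.S_IROTH, "other:r"), (stat.S_IWOTH, "other:w"), (stat.S_IXOTH, "other:x")]


def audit(root):
    """Map each path under root to the access it grants to non-owners."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = {}
    for path in paths:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode says nothing about its target
        granted = [label for bit, label in LABELS if mode & bit]
        if granted:
            findings[path] = granted
    return findings


def restrict_to_owner(root):
    """Strip every group/other bit under root; return the paths changed."""
    changed = list(audit(root))
    for path in changed:
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~NON_OWNER_BITS)
    return changed


def demo():
    """Build a constructed sample folder, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o700)
        for name, mode in (("grades.csv", 0o600), ("payroll.csv", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write("constructed sample record\n")
            os.chmod(path, mode)
        before = {os.path.basename(p): g for p, g in audit(root).items()}
        fixed = [os.path.basename(p) for p in restrict_to_owner(root)]
        return before, fixed, audit(root)


if __name__ == "__main__":
    print(demo())
```

Run audit() on its own first to review the findings; restrict_to_owner() removes shared access that a group may legitimately need.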
Please contact the Information Security Office through the UHCL Support Center at extension 2828 or email@example.com for additional guidance.