data encryption on circuits and on a file server

I have 2 domain controllers\ file servers  installed at 2 different buildings. The domain controller's replicate data  through a circuit so that the changes on one server is replicated to the other server

This allows both to be identical for DR purposes etc

Users have shared areas on these servers and home directories
We use Comcast metro Ethernet between the 2 buildings

I had an auditor question me  about data encryption and I need someone to help me understand

The servers are Windows 2012r2

I was  told that the data on the servers needed  to be encrypted and the data also needs  to be encrypted when it replicates over the circuit to the other server
they explained it to me this way----- data that is moving or standing still must be encrypted

The data is inside my network secured by a firewall

The circuits are private- I was told by the auditors that the service provider could get access to the data as it moves through the circuit

Is the auditor right?

What could be done to fix this problem,?
Who is Participating?
btanConnect With a Mentor Exec ConsultantCommented:
Indeed as expert mentioned, auditor is looking at data at rest and in transit (over wire) to be encrypted. In fact, for over the wire, some may say end to end encryption - data is encrypted before it get onto wire and wire is further secured so even if the wire does get intercepted, the data leaked remains encrypted.

Smb3 is good. But note to make sure Amb v1 is disabled so that it cannot be downgraded - see "5. Encryption Details".
The Secure Negotiate capability described in section 3 does prevent a “man in the middle” from downgrading a connection from SMB 3 to SMB 2 (which would use unencrypted access); however it does not prevent downgrades to SMB 1 which would also result in unencrypted access.

For this reason, in order to guarantee that SMB 3 capable clients will always use encryption to access encrypted shares, the SMB 1 server must be disabled.

If the –RejectUnencryptedAccess setting is left at its default setting of $true then there is no concern, because only encryption capable SMB 3 clients will be allowed to access the shares (SMB1 clients will also be rejected).

With SMB Encryption, the encryption key is derived from the existing session key, so you don’t need PKI or certificates. These keys are not shared on the wire. Clients don’t need to do anything, other than support SMB 3.0. The default configuration is to configure encryption per share, but there is an option to enable encryption for the entire server, configured via PowerShell. You simply need to use Set-SmbServerConfiguration –EncryptData $true.

See section 7 in
Dr. KlahnPrincipal Software EngineerCommented:
I would say half right.  Data moving over media that you don't control can be intercepted by the media provider.

Now, all this goes out the window if your auditors are from outside the organization and you must comply in order to get that contract or meet government specs.  But if the auditors are hired guns looking over your operation ...

I don't think your auditors understand how much of a drag on operations it is to maintain encryption on server data.  The intent is good, but they don't have to maintain the systems.

Every time anyone who has access to the servers leaves the organization, all the encryption must be undone, then redone with new keys.  In addition to that, the encryption must be undone, then redone periodically (at least every six months) just on general principles.  This will require cloning each server at least once so that you don't have company-wide Encryption Downtime Days.

But you'll have to buy more servers anyway, because instead of serving data the servers will instead be spending most of their time encrypting and decrypting data as it goes to and from disk.

As Admiral Grace Hopper said, data has a value.  Some data is valuable, some is not, some is valuable forever, some only for three minutes.  You should have your management put a value on the data on those servers, decide how long it is valuable, and then have them decide what is an acceptable risk level.  Then you can act accordingly to their decision, tell them how much it will cost to implement security at that level, and no matter whether they go ahead with it or not the consequences are on their heads, not yours.
McKnifeConnect With a Mentor Commented:

Data at rest can be encrypted with bitlocker.
Replication data between domain controllers will use the SMB protocol and we can enforce encryption on that protocol as well.

Please google bitlocker and smb 3.0 encryption.
the auditors are technically correct for the data transit but are stating an extreme situation. If the private circuit is point to point then its quite challenging to sniff the data on there i.e. dig up the cables, break into the exchanges that route these.
If you have firewalls or routers that you control on each end then the easiest thing to do is do VPN connection between them. that way the traffic is encrypted in transit

With regard to data encrypted at rest i would push them for actual requirements, i would only expect to do this with client data in transit as it moved between network segments. If they are physical servers then making sure they have TPM chips you could encrypt them, if they are SAN attached then encrypted disks at the array level would protect from physical removal/theft
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.