al4629740

asked on

Implementing Encryption on a network

So here is a broad topic, which is encryption.  When looking at the security controls of a network, it seems that encryption is a must.  My question is what things should be encrypted on a network?  Are we talking encryption on an intranet?  Email? File sharing?  What are some of the suggested practices in terms of what items need to be encrypted and HOW can that be implemented?  Does it happen at the firewall level?  Is it configured on the switch?  This is a broad question, but it will give me some direction when seeing the replies.


Thanks
ASKER CERTIFIED SOLUTION
Dr. Klahn

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You asked, "My question is what things should be encrypted on a network?"

My rule is... encrypt everything... meaning, no plain text protocols running at all.

For me, any protocol connecting any local machine to any other machine (Internet or Intranet), I encrypt using an SSL/TLS cert or SSH/SFTP.
al4629740 (ASKER)

David, in practical terms how do you accomplish that?  What are you using to accomplish that?
Ultimately, it comes back to asking what your security action plan and principles are, as encryption on the network is just one of the many puzzle pieces of the organisation's cyber defence plan.

The Security Action Plan covers Governance, Policy & Standards, Stakeholder and Operational management aspects. The encryption mandate will come closely with the data classification and sensitivity. These will be mandated by the organisation's security policy (under guidance on the principles). The Security Principle covers Security By Design (Risk measured approach), Secure By default (Configuration) and Secure Deployment. With the two clear in mind, you can better chart your strategy to focus on specific areas from application to system to network to devices handling the organisation data that need to be secured.

https://www.experts-exchange.com/articles/17367/What-is-a-good-Security-Action-Plan.html
https://www.experts-exchange.com/articles/31709/Making-The-RIGHT-Security.html
Good point. I need to sit down and come up with what really needs encryption if anything.
To protect network communication:
• Ensure that local and network firewall rules are in place. If possible, check for this within the application before any sensitive data is communicated.
• Do not transmit sensitive data, files, passwords, or settings on the network without strong encryption. Sensitive information sent via the network without any form of data encryption is vulnerable to being read by an attacker monitoring network communications.
• A major consideration is choosing the right encryption protocol for a given task.
• Understand methods of encryption, such as IPsec, SSL/TLS, SFTP, and SSH, that can secure data in storage and in transit.
Example: You can get more details at:
http://www.howtogeek.com/194740/what-is-the-difference-between-ftps-and-sftp/
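
The "no plain text protocols" rule from the thread can be checked on a host by listing its listening sockets. The following is an added example, not part of any poster's reply: it parses constructed output in the format of `ss -tlnH` and flags network-reachable listeners on well-known plaintext ports. The port table and sample lines are assumptions, and a port number is only a heuristic for the protocol actually spoken.

```python
# Added example: audit listening TCP sockets for plaintext protocols.
# SAMPLE_SS is constructed output in the format of `ss -tlnH` (Linux iproute2).
import ipaddress

# Well-known plaintext service ports and an encrypted replacement (assumed table).
PLAINTEXT = {
    21: ("FTP", "SFTP (over SSH) or FTPS"),
    23: ("Telnet", "SSH"),
    25: ("SMTP", "SMTP with STARTTLS"),
    80: ("HTTP", "HTTPS (TLS)"),
    110: ("POP3", "POP3 over TLS"),
    143: ("IMAP", "IMAP over TLS"),
    389: ("LDAP", "LDAP over TLS"),
}

SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 5 *:23 *:*
"""

def split_local(addr):
    """Split the Local Address:Port column into (host, port)."""
    host, _, port = addr.rpartition(":")
    # Drop a %interface scope first, then IPv6 brackets.
    return host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    """True when the listener is bound only to a loopback address."""
    if host == "*":          # wildcard bind: reachable from the network
        return False
    return ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    """Return (host, port, protocol, replacement) for exposed plaintext listeners."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port in PLAINTEXT and not is_loopback(host):
            findings.append((host, port) + PLAINTEXT[port])
    return findings

if __name__ == "__main__":
    for host, port, name, fix in audit(SAMPLE_SS):
        print(f"{host}:{port} {name} is plaintext; replace with {fix}")
```

The loopback-only HTTP listener is skipped because it is not reachable from the network; whether that exception is acceptable depends on the organisation's policy.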