Protecting Data in Transit

Data in transit is best protected with standards-based encryption, such as an IPsec VPN. This applies to data sent over untrusted networks such as the Internet, but VPNs may also be used as an additional defense-in-depth measure on internal networks such as a private corporate WAN, or on private circuits such as T1s leased from a service provider. Note that a site-to-site VPN encrypts traffic only between the two gateways; traffic on the LAN segments at either end travels in the clear unless it is protected separately. We will discuss VPNs and various types of circuits in more detail in Chapter 5, Domain 4: Communication and Network Security.

Drive and Tape Encryption

Drive and tape encryption protect data at rest and are one of the few controls that will protect data after physical security has been breached. These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone. Encryption may also be used for static systems that are not typically moved (such as file servers).

Whole-disk encryption of mobile device hard drives is recommended. Partially encrypted solutions, such as encrypted file folders or partitions, often risk exposing sensitive data that the operating system copies elsewhere: temporary files, swap space or the pagefile, hibernation files, unallocated space, and so on. Whole-disk encryption protects data only while the device is powered off or locked before boot; once a user has unlocked the disk, the operating system serves decrypted data to any process or session that passes its access controls, so disk encryption complements rather than replaces screen locks and operating system authentication.
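The partial-encryption risk above is easy to audit on a Linux host: every mount point that routinely holds copies of sensitive data, including swap, should sit on top of a dm-crypt layer. The following script is an added example written for this page, not code from the book; it parses the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports any sensitive mount or swap device with no `crypt` node beneath it. The embedded device tree is constructed for the example (an encrypted root beside an unencrypted swap partition and an unencrypted `/tmp`), and the set of mount points treated as sensitive is an assumption you should adapt to your build.

```python
"""Flag sensitive Linux mount points that are not backed by an encrypted block device.

Added example (not from the original page). Parses the JSON emitted by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` and walks every mounted filesystem and swap
device down through its parents, checking for a dm-crypt ("crypt") layer.
"""
import json
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the shape of lsblk -J output: encrypted root on nvme0n1p2,
# but swap on nvme0n1p3 and /tmp on sda1 are plain partitions.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": "[SWAP]"}
    ]},
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/tmp"}
    ]}
  ]
}
"""

# Assumption for this example: paths whose contents routinely hold copies of
# sensitive data (temp files, swap, home directories). lsblk reports swap as "[SWAP]".
SENSITIVE_MOUNTS = {"/", "/home", "/tmp", "/var", "/var/tmp", "[SWAP]"}


def _mountpoint(dev: Dict) -> Optional[str]:
    """Return the device's mount point, tolerating both the singular 'mountpoint'
    key (older util-linux) and the plural 'mountpoints' list (util-linux >= 2.37)."""
    if dev.get("mountpoint"):
        return dev["mountpoint"]
    for mp in dev.get("mountpoints", []) or []:
        if mp:
            return mp
    return None


def _walk(devices: List[Dict], ancestors: Tuple[Dict, ...] = ()) -> Iterator[Tuple[Dict, Tuple[Dict, ...]]]:
    """Yield (device, chain) for every node, where chain is all ancestors plus the node itself."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield dev, chain
        yield from _walk(dev.get("children", []), chain)


def unencrypted_mounts(lsblk_json: str, sensitive=frozenset(SENSITIVE_MOUNTS)) -> List[Tuple[str, str]]:
    """Return sorted (mountpoint, device name) pairs for sensitive mounts whose
    block-device stack contains no dm-crypt layer."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []
    for dev, chain in _walk(tree):
        mp = _mountpoint(dev)
        if mp not in sensitive:
            continue
        # The mount is encrypted if the mounted node or any device beneath it is type "crypt".
        if not any(node.get("type") == "crypt" for node in chain):
            findings.append((mp, dev["name"]))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe real output in with: lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK_JSON
    for mountpoint, device in unencrypted_mounts(data):
        print(f"UNENCRYPTED: {mountpoint} on {device}")
```

On the sample tree the script reports `/tmp` on `sda1` and `[SWAP]` on `nvme0n1p3`; the root filesystem passes because `cryptroot` sits between it and the partition. Run against a real host, an empty report means every sensitive mount is stacked on dm-crypt, which is the property whole-disk encryption is meant to guarantee.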

Disk encryption/decryption may occur in software or hardware. Software-based solutions consume CPU cycles on the host, although processors with dedicated AES instructions make this overhead small on modern systems. Hardware-based solutions, such as self-encrypting drives, offload the cryptographic work onto another processor, typically the drive controller. Because the hardware implementation cannot be inspected the way software can, its quality should be established through independent evaluation or certification rather than assumed.

Many breach notification laws concerning Personally Identifiable Information (PII) contain exclusions for lost data that is encrypted. An example is the 2009 update to the US Health Insurance Portability and Accountability Act (HIPAA) concerning breaches of electronic Protected Health Information (ePHI).

Breach of unencrypted ePHI requires notification to the affected individuals; breaches of more than 500 individuals’ data require additional notification to the press and the US Department of Health and Human Services. Encrypted data is excluded from these rules: entities that “secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information” [5].

Exam Warning
Note that while HIPAA is in the Common Body of Knowledge (CBK), these specific details are not. This point is raised to highlight the criticality of encrypting PII on mobile devices, regardless of industry.

Media Storage and Transportation

All sensitive backup data should be stored offsite, whether transmitted offsite via networks, or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media offsite.

Always use a bonded and insured company for offsite media storage. The company should employ secure vehicles and store media at a secure site. Ensure that the storage site is unlikely to be impacted by the same disaster that may strike the primary site, such as a flood, earthquake, or fire. Never use informal practices, such as storing backup media at employees’ houses.