DSHS contracts which include the sharing of DSHS confidential data with the contractor, are required to have contract language sufficient to protect the data commensurate with the risk posed by the potential compromise of that data. To this end, the General Terms and Conditions of these contracts includes a requirement to encrypt such data when stored on portable devices, or when stored or transmitted outside the contractor's network. The Data Security Requirements Exhibit, an exhibit to the majority of data sharing contracts, has more robust security requirements, including regarding encryption.
Encryption, in a nutshell, takes data and encodes it in such a way that it can't be read by anyone without a key. Encryption keys are most often in the form of a password or digital certificate. The primary benefit of encryption is that, as long as strong encryption is used, and strong encryption is widely available on many computing platforms and many products, it can prevent unauthorized individuals from reading the encrypted material.
The difference between password protection and encryption
Many people confuse password protection with encryption. There are a lot of software products on the market and web sites that imply that data will be safe if a password is required for access. The problem is that passwords can only do so much. For instance, if you password protect a laptop, then you have to enter a Username or UserID and the password to access the data through the operating system interface. However, if someone were to steal that laptop and the data is not encrypted, then it is easy to bypass the operating system interface and access the data. There is no substitute for strong encryption when it comes to protecting data, even from someone who physically possesses the media on which the data is stored. This is why it is critically important to encrypt USB or other flash drives and laptops; because, those are the devices most likely to be lost or stolen. Likewise, while still a good idea, it is much less important to encrypt data stored in a secure data center.
Important Considerations
When deploying encryption to businesses devices, whether for one machine or 1000, you should take the time to plan that deployment. Specifically, consider:
- How the deployment will occur; will it be a manual deployment, can you use Active Directory Group Policy, or do you run tools which can be used to automate the process?
- Where will the encryption keys be stored? Be sure to have a process for retrieving keys when needed.
- Which devices will be encrypted? Just portable/removable media (USB flash drives, SD cards, etc.) and laptops? Will desktops be encrypted? Eventually, and probably sooner rather than later, encryption of workstations with DSHS confidential data on them will be required.
How will encryption, especially for portable/removable media, be enforced? A best practice is to configure the computer to automatically encrypt any removable media inserted into a workstation before any data can be written to the media.
How to encrypt computing devices of all types
Flash drives - Many brands of USB flash drives come with encryption utilities provided right on the drive when you buy it. These can be useful, but aren't necessarily the best choice for encryption. The best choice is probably to use the computer operating system itself to encrypt both external portable media, such as flash drives, as well as the hard drives on the computer.
Microsoft Windows (BitLocker) - Windows has had the ability to encrypt individual files and folders for a long time; however, the ability to apply "whole disk encryption" has been included since Windows Vista, originally released in January of 2007. If you're using Windows 7, Vista, or earlier version of Windows, there is already a problem. Those versions of Windows are no longer supported by Microsoft, which means they aren't getting the regular security updates that Microsoft provides to newer versions of its operating system. When using any version of Windows prior to Windows 8, your first step needs to be to upgrade your computer operating systems immediately.
In addition to the version of the operating system, you need to pay attention to the edition of the operating system that you are using. The native (included with the operating system) encryption tool for Windows is called BitLocker, and it is included with business-oriented editions of Windows, not the Home versions. Here are the versions of Windows that support BitLocker:
- Ultimate and Enterprise editions of Windows Vista and Windows 7
- Pro and Enterprise editions of Windows 8 and Windows 8.1
- Pro, Enterprise, and Education editions of Windows 10
- Windows Server 2008 and later
BitLocker isn't the only tool available for encrypting media on Windows based computers, but it is included with the operating system. Thus it is cheaper and well-integrated into the operating system.
For more information on BitLocker and how to implement and use it, see:
- BitLocker Overview (specific to Windows 10) Microsoft Corporation
- A beginner's guide to BitLocker, Windows built-in encryption tool (PCWorld Magazine, Aug 2016)
Apple MacOS (FileVault 2) - If you're using an Apple computer, the native encryption software is called FileVault 2 and has been included with all versions of MacOS since 10.7 Lion, which was released in 2011. The original version of FileVault was released in 2003, in MacOS version 10.3 Panther. While this earlier version will work to protect files, FileVault 2 has many advantages and since less than .02% of computers are running versions of MacOS prior to 10.7, it is highly unlikely that contractors running Apple computers won’t have FileVault 2 available to them.
Like Microsoft's BitLocker, FileVault 2 can be used to encrypt removable media as well as workstation hard disks. It is recommended that whatever product is being used for local disk encryption be used for removable media as well.
One word of caution: don’t choose the option to back up the encryption key to iCloud, as this is not sufficiently secure. Rather, make a note of your encryption key and store it in a safe and secure location. Do NOT store the key on the encrypted drive!
For more information on FileVault 2 and how to implement and use it, see:
- Use FileVault to encrypt the startup disk on your Mac Apple Corporation
- Best Practices for Deploying FileVault 2 Apple Corporation
File encryption - In addition to the disk encryption products native to the various operating systems, there are other, third-party "whole disk" encryption tools available. For more information, GFI Software has some information about tools that can be used for encryption of files and groups of files. https://techtalk.gfi.com/the-top-24-free-tools-for-data-encryption/