November 2017

Related Policies, Procedures, and Resources

UAB Data Protection and Security Policy; Data Classification Rule; Data Protection Rule; UAB Computing Device Rule; Portable Computing Device Security – Laptop Standard

1.0 Overview

The confidentiality and integrity of Sensitive and PHI/Restricted data and resources owned by the University of Alabama at Birmingham (UAB) are of paramount importance. Encryption provides the ability to protect those data and resources and is required by the UAB Data Protection Rules when Sensitive and PHI/Restricted data are involved.

2.0 Objective / Purpose

This document provides guidance for leveraging encryption with a variety of technologies and use cases to ensure that the confidentiality and integrity of UAB data and resources are protected, in accordance with the UAB Data Protection Rule and other policies, standards, rules, and security frameworks. As technology and standards evolve, this list of encryption guidelines will be updated to reflect such changes. Questions regarding these guidelines can be directed to AskIT via email at askit@uab.edu, or by phone at (205) 996-5555.

3.0 Recommendations

The following guidance should be used when leveraging encryption to secure UAB data and workflows in which the associated levels of confidentiality and integrity must be protected.

3.1 Web communications



| Requirement | Solution | Comment |
| --- | --- | --- |
| Secure HTTPS web communication | TLS 1.2 | Use TLS 1.2 to secure web-based HTTPS communications. SSL and older versions of TLS have been deemed obsolete and/or vulnerable to attacks, and many vendors are moving away from these older versions. |

3.2 Secure network transmission protocols (non-web-based)

| Requirement | Solution | Comment |
| --- | --- | --- |
| Authentication and remote management | SSH v.2 or OpenSSH | Use the most recent versions and confirm any reported vulnerabilities have been remediated |
| Transferring files securely | SFTP, WinSCP or SCP | Files containing Sensitive or Restricted data can be transferred over the network via these protocols |
| Network management | SNMP v.3 | Unlike previous versions of this protocol, encryption can be enabled with ver. 3 |
| Secure tunneling | IPSec | Encapsulating Security Payload (ESP) must be enabled to provide encryption |

3.3 Whole disk encryption

| Requirement | Solution | Comment |
| --- | --- | --- |
| Encrypting Windows desktops/laptops | BitLocker | Be sure to save and secure your recovery key |
| Encrypting Mac desktops/laptops | FileVault | Be sure to save and secure your recovery key |

3.4 Sensitive or Restricted files

| Requirement | Solution | Comment |
| --- | --- | --- |
| Microsoft Office files (Word, Excel, PowerPoint, etc.) | Use the Protect Document – Encrypt with Password functionality | Follow UAB’s Password/Passphrase policy to create a passphrase and escrow it with Keeper |
| Non-Microsoft Office files/folders on Windows machines | Encrypting File System (EFS is built into Windows), 7Zip | If possible, use a minimum of AES-256 encryption |
| Non-Microsoft Office files/folders on Apple laptops/desktops | Disk Utility (native to Mac OS X) | Follow UAB’s Password/Passphrase policy to create a passphrase and escrow it with Keeper |

3.4 Guidelines for symmetric encryption algorithms

| Requirement | Solution | Comment |
| --- | --- | --- |
| Evaluating the algorithm used in a symmetric encryption-related process | Use a public, well-validated, strong algorithm such as AES, Twofish, or Serpent. Avoid the use of products that rely on weak or proprietary encryption algorithms. | Public algorithms have been thoroughly vetted. Proprietary algorithms have not been open to public review, and are not as well tested or vetted as a result. |

3.5 Guidelines for asymmetric key exchange/encryption algorithms

| Requirement | Solution | Comment |
| --- | --- | --- |
| Evaluating the algorithm used in an asymmetric key exchange- or encryption-related process | Use a public and well-validated, strong algorithm such as Diffie-Hellman, RSA, ECC, or El Gamal. Avoid the use of products that rely on weak or proprietary encryption algorithms. | Public algorithms have been thoroughly vetted. Proprietary algorithms have not been open to public review, and are not as well tested or vetted as a result. |

3.6 Guidelines for using hashes

| Requirement | Solution | Comment |
| --- | --- | --- |
| Digitally signing or validating files | Use SHA-2 or higher hashing algorithms | MD-5/SHA-1 are considered weak and should be avoided |
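
The following is an added example, not part of the UAB guideline: one way to apply the 3.6 hash guidance when validating a file against a published digest. It assumes a hypothetical `algorithm:hexdigest` manifest entry format; all function and class names are illustrative.

```python
import hashlib
import hmac
import io

# Digest families accepted under the guideline (SHA-2 or higher) and those it names as weak.
ALLOWED = {"sha224", "sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512"}
CANON = {name.replace("_", ""): name for name in ALLOWED}  # "sha3256" -> "sha3_256"
WEAK = {"md5", "sha1"}


class WeakAlgorithmError(ValueError):
    """The entry names MD5/SHA-1 or an algorithm outside the allowlist."""


def parse_entry(entry):
    """Split an assumed 'algorithm:hexdigest' entry and vet the algorithm before hashing."""
    algo, sep, digest = entry.strip().partition(":")
    key = algo.lower().replace("-", "").replace("_", "")  # accept SHA-256, sha_256, sha256
    digest = digest.lower()
    if not sep or not digest:
        raise ValueError(f"malformed entry: {entry!r}")
    if key in WEAK:
        raise WeakAlgorithmError(f"{algo} is considered weak; request a SHA-2 digest")
    if key not in CANON:
        raise WeakAlgorithmError(f"{algo} is not an approved hash algorithm")
    name = CANON[key]
    # A truncated or padded digest must fail here, not compare equal by accident later.
    if len(digest) != hashlib.new(name).digest_size * 2:
        raise ValueError(f"digest length does not match {name}")
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not hexadecimal")
    return name, digest


def verify_stream(stream, entry):
    """Hash a binary stream in chunks and compare in constant time with the entry."""
    name, expected = parse_entry(entry)
    h = hashlib.new(name)
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    data = b"constructed sample payload\n"  # constructed input, not real data
    entry = "SHA-256:" + hashlib.sha256(data).hexdigest()
    print("intact file:  ", verify_stream(io.BytesIO(data), entry))
    print("modified file:", verify_stream(io.BytesIO(data + b"x"), entry))
```
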