An important issue facing infosec professionals is the implementation of secure data transmission methods when sending … and receiving confidential, sensitive and proprietary information.
Some industries face regulations requiring secure transmission of data, such as HIPAA security rule for healthcare, but all businesses should consider secure transmission methods to protect against theft of intellectual property or other sensitive data.
When many organizations think about methods of transmitting secure data, the conversation inevitably turns to encryption and the various ways of transmitting encrypted data securely, including email, dedicated software or services, VPNs, or physical media.
However, no matter what method of data transmission an organization prefers, IT staff should always be aware of the type of encryption being used.
Not all encryption is created equal
The most basic form of encryption for data in transit is TLS. TLS is used by many webmail services and other websites. However, TLS only protects the data if both the sending and receiving servers are configured correctly. TLS also encrypts only the connection, not the message itself, so once the data is stored on either end it is no longer protected and would be exposed if stolen.
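A configuration check is the practical counterpart of "only if the servers are configured correctly". The Go function below is an added example, not code from the article: it audits a Go `crypto/tls` configuration for the three settings that most often silently weaken TLS (certificate verification switched off, no minimum version pinned, cipher suites the Go team lists as insecure), and shows the strict client shape to use instead.

```go
package main

import (
	"crypto/tls"
)

// AuditTLSConfig returns the settings in cfg that undermine the protection
// TLS is supposed to give; an empty result means nothing was flagged.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string

	// Skipping verification means any server can impersonate the recipient.
	if cfg.InsecureSkipVerify {
		findings = append(findings,
			"InsecureSkipVerify is set: the peer certificate is not verified")
	}

	// MinVersion of 0 leaves the floor to the library default; pin it.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings,
			"MinVersion is not pinned to TLS 1.2 or higher")
	}

	// Compare any explicitly configured suites against Go's insecure list.
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "weak cipher suite configured: "+name)
		}
	}
	return findings
}

// StrictClientConfig is the shape a sending or receiving side should use:
// TLS 1.2 minimum, certificate chain verified and hostname checked (both
// are Go's defaults once InsecureSkipVerify is left false).
func StrictClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}
```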
Advanced Encryption Standard (AES) 256 is accepted as the strongest encryption algorithm available today. AES is the accepted standard based on NIST guidelines and can be used in 128-, 192- and 256-bit variants. For organizations more concerned with encryption speed and resource usage, AES-128 or AES-192 can be used. Organizations with the most sensitive data to protect should choose AES-256. AES-256 is considered powerful enough that the only reliable way to successfully complete a brute force attack is to use quantum computers.
When considering encrypted email, options include Public Key Infrastructure (PKI) and Secure/Multipurpose Internet Mail Extensions (S/MIME). PKI requires an exchange of the keys used to unlock encrypted messages, and this process has been simplified with Outlook/Active Directory and G Suite Enterprise, which will automatically store and exchange digital IDs or certificates purchased from a certificate authority to enable encryption.
Even so, the process of sending encrypted emails can be tricky. If G Suite rules are not set correctly, messages may not be encrypted. Likewise, Outlook users can manually activate S/MIME encryption certificates and digital ID certificates, but a more automated approach would require a Microsoft 365 subscription and the use of Microsoft 365 Message Encryption to send encrypted emails to Outlook and non-Outlook addresses.
Encryption of applications
Since email encryption can be difficult to implement and can easily fail if the sender and recipient are not configured correctly, software and services are available to help with the secure transmission of data. Again, organizations should be careful to note how and when files are encrypted. Cloud storage services like Box, OneDrive, and G Suite will encrypt data at rest and data in transit, but the service provider still holds the encryption keys. This exposes the data to insider threats in those companies.
The most secure option is end-to-end encryption (E2EE), where even the service provider cannot decrypt the data shared through it.
For small organizations, an E2EE messaging service, such as Signal or Wickr, may be sufficient. But, for large businesses and those that need to meet regulatory compliance obligations, a managed file transfer service may be the best option.
Remote user communication
Remote users present an additional security risk because they often communicate between their home and an organization. This means that they should not only be aware of the requirements for secure data transmission, but also of the other infosec risks associated with remote access to confidential information.
To secure communication with remote users, one option is to install a VPN on employee devices, which encrypts all data sent between its users. An emerging option for remote workers who need access to cloud services is Secure Access Service Edge, or SASE, which combines software-defined WAN, secure web gateways, cloud access security brokers and zero trust network access to ensure secure connections to cloud services.
In general, physical devices are not good options for transmitting data securely. Encryption can help protect data on a laptop or other portable device, but physical devices are easily lost or stolen. Additionally, it is not uncommon for organizations to ban the use of USB drives or other removable storage technologies due to the risk of malware infection.
As employees more often work remotely, another threat to the secure sending of data becomes the wireless networks to which they connect. Unsecured wireless networks are important points of vulnerability and open organizations up to threats. Employees should only connect to known and trusted networks and those secured with passwords – otherwise, data sent from devices could be easily intercepted.