
Stages of Data, Risks and Protection

by Joe Lee


Introduction

The Committee on Information Services and Technology approved the Electronic University Data Regulations [1] on 19 August 2010. Faculties and staff are obliged to protect “all data collected, maintained and used in the University's information systems.” In addition to observing related policies (for example, Policy on Use of IT Services and Facilities Organizations), departments must establish procedures to grant access privileges to different users, review the privileges periodically, restrict data transfer and duplication, and take measures to prevent data leakage as far as possible. This article reviews the three stages of data (data at rest, data in use and data in motion) and examines how encryption technologies can be used to improve information security.

 

Stages of Data and Risks of Information Leakage

Data at rest includes the data residing on a wide variety of computer storage and electronic devices, such as network shares, backup storage, hard disk drives, CDs/DVDs, floppy disks, thumb drives, PDAs, smartphones and others. The risk of information leakage is obviously high, owing to loss of devices, inability to remove data before disposal of equipment, ignorance of the existence of temporary files and of unwanted files left in the Recycle Bin, and so on.

Data in motion refers mainly to the data moving through the network. Data in motion occurs in e-mail, instant messaging, FTP download, web browsing, data transfer to known and unknown points and others. Surely, data in motion requires protection as malicious people may install a sniffer or similar equipment on the networks to capture and analyze information transmitted over internal and public networks. In addition, removable storage devices can be relocated from one place to another easily.

Data in use means that the data on a computer is being analyzed or worked on, including creation, retrieval, modification, deletion, saving and printing. Data in use is the most difficult to protect as data can be manipulated, copied and pasted into another document, saved to removable devices, burned onto a CD/DVD, screen-captured, printed and so on. Furthermore, human errors, virus infection, email phishing, malware attack and natural accidents are inevitable, making data vulnerable to attack.

 

Encryption for Data Protection

Encryption has a long history, from specialized use in military affairs in the past to common use in commercial applications today. Encryption is the process of concealing data by using a code (the key). In order to read the concealed data, the code deployed in the encryption process must be used to decrypt the data. As such, encryption can be used to restrict access to data to those who have the code. Of the stages of data described above, encryption is best suited to protecting data at rest and data in motion.

 

Protecting Data at Rest

It is the users’ responsibility to protect data at rest in order to avoid information leakage. This is simple, and many free and commercial products are available for the purpose. As encryption works with mathematical algorithms, users should always select more robust algorithms (for example, AES with a 256-bit key) as well as secure passwords to encrypt files.

  • Individual files and folders
    Specific files and folders containing sensitive data should always be encrypted wherever they reside. As encrypted files remain encrypted when they are copied to different media, encryption is an effective way to protect data at rest.
     
  • Partitions or Volumes
    When a partition or volume is encrypted, files stored inside the partition or volume will be encrypted automatically. This saves effort as it is unnecessary to encrypt individual files. However, this arrangement is not without risk: when a file is moved out of the partition to another unencrypted location (for example, an unencrypted thumb drive or CD/DVD), it is decrypted automatically. Careless operations will leave the files unprotected.
     
  • Entire Physical Disks
    Hard disk encryption works similarly to partition encryption, and some manufacturers produce hard drives with built-in encryption capability. As disk encryption encrypts the whole disk, anything saved to an encrypted disk is encrypted automatically, while anything copied out of it is decrypted automatically. For example, a file stored on an encrypted drive will be sent in decrypted form when it is attached to an e-mail. Therefore, disk encryption cannot protect data in motion, although it is a good solution for securing sensitive data on a notebook computer or on disks.

Protecting Data in Motion

No network in the world is absolutely safe, so protecting data in motion is necessary. Again, encryption can be used for the purpose. Encryption can be applied to many things, including sending email, backing up laptop data to a central server, uploading files to or downloading files from websites, doing online banking, etc. There are basically two ways to use encryption to protect data in motion: (1) using an encrypted connection and (2) using file encryption.

(1) Using an Encrypted Connection

An encrypted connection simply encrypts everything that is sent over the network, regardless of whether the information to be sent is already encrypted. Upon arriving at its destination, the information is decrypted. In flight, the data is reasonably safe since it is encrypted and makes no sense to anyone who reads it. Hence, users basically need not do anything to the information to be sent. If an encrypted file is sent, it will be encrypted again in flight.

(2) Using File Encryption

Another method to protect data in motion is to encrypt the data to be sent beforehand, using the encryption method for data at rest. As the file is in encrypted form, it is protected whether it is stored at rest or sent in motion as an attachment. If an encrypted connection is not available for data transmission, sending an encrypted file is the only solution. Indeed, it is good practice to send an encrypted attachment while leaving the email content in plaintext format.
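The file-encryption approach described above (a robust algorithm such as AES-256 plus a secure password, applied before the file is stored or attached) can be carried out with the OpenSSL command-line tool. This is an added example, not part of the original article; it assumes OpenSSL 1.1.1 or later, and the function names and iteration count are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): password-based AES-256
# file encryption with the OpenSSL command-line tool.
# Assumption: OpenSSL 1.1.1 or later, which provides -pbkdf2 and -iter.
# Caveat: "openssl enc" gives confidentiality only; it does not detect
# tampering with the ciphertext.

ITER=600000   # PBKDF2 iteration count (illustrative value; tune to hardware)

# encrypt_file <plaintext> <ciphertext> <passphrase-file>
# The passphrase is read from the first line of a file, so it never appears
# in the process list or shell history. A random salt is stored in the output.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file <ciphertext> <plaintext> <passphrase-file>
# Runs in a subshell with umask 077 so the recovered plaintext is created
# readable by its owner only.
decrypt_file() (
    umask 077
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "file:$3"
)

# looks_encrypted <file>
# Pre-send check: salted "openssl enc" output starts with the 8-byte magic
# "Salted__". A file copied off an encrypted volume will fail this check,
# because the volume hands it out already decrypted.
looks_encrypted() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}
```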

Some Examples

Secure shell (SSH)

SSH encrypts all data between two SSH enabled computers. It is recommended for secure connection and file transfer.

Web traffic (https)

Most web browsers support https for communication. Users are recommended to use https for the exchange of sensitive data between the client and host.

Protecting Data in Use

Encryption is surely not a solution to protect data in use, as data must be available for processing. However, there are some good practices that facilitate protection of data in use. As transfer of data in use is almost untraceable, it is necessary to restrict users' access to certain kinds of data. Documenting the access privileges assigned to various users is deemed necessary, and periodic review is required. Downloading information onto removable media devices should be avoided.

Another way to protect data in use is to protect the working computing environment to the largest extent. Antivirus software should be installed and updated with the latest virus signature data, patches must be applied to the Windows environment and all applications, users should refrain from visiting unsecure websites and downloading files from them, and should beware of links and attachments in email sent from unfamiliar senders, and so on.

Don’t forget that the human factor is the weakest part of data protection. To reduce the risk of data leakage, the security awareness of the users who use the data is the most important part.

Summary

Data protection is not an option. Protection is a must wherever data resides. As such, reducing unnecessary copies can simplify the work. Contemporary encryption solutions are able to protect data at rest and data in motion to a certain extent. In summary, both the data providers and the end users must follow security guidelines, cultivate data protection habits, and be cautious to avoid errors in order to achieve the best results.

 

References:

  1. For Electronic University Data Regulations, please visit http://wikisites.cityu.edu.hk/sites/upolicies/itpolicy/Wiki%20Pages/(3)%20Electronic%20University%20Data%20Regulations.aspx
  2. For PC security, please visit http://www.jvrhmfr.xyz/csc/install-guide/PCSecurity.htm.
  3. For using encryption, please visit http://www.jvrhmfr.xyz/csc/deptweb/education/encryption_for_information_protection.htm.

 
