Transport Layer Security (TLS) encryption uses cryptographic techniques to ensure that communications between two points or two parties are authenticated and secure. Many organizations use TLS for secure communications, including Internet applications and virtual private networks (VPNs). When remote access employees need to access specific tools over the Internet, TLS may be used to secure the transmission of data both through Internet applications and VPNs.
Cryptography can be used for encrypting data at rest and data in motion for various business requirements. Examples of cryptography for business purposes are:
There are many different standards that businesses can follow. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires the protection of consumers’ credit card data. One of the PCI DSS requirements is to encrypt the data or file share on which the information resides.
Businesses use cryptography to secure email and within protocols such as TLS and Internet Protocol Security (IPSec). One example of securing email is Secure/Multipurpose Internet Mail Extensions (S/MIME), a standard for encrypting and digitally signing email. S/MIME also provides secure data transmissions by encrypting emails and their attachments. MIME is the official standard that defines how the body of an email is structured. The MIME format allows email to contain attachments via MIME-compliant mail systems. These attachments can be audio or video clips, enhanced text, graphics, and so on. MIME provides no security; therefore, S/MIME was proposed.
Encrypting an email protects data as they travel between the sender and the receiver.
The use of S/MIME is illustrated in the following example, in which Alice is preparing an email for Bob. Alice wants to encrypt and digitally sign the email, so she performs the following steps:
In order to send digitally signed and/or encrypted email, valid, appropriate certificates must be loaded into the email client.
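The Alice-to-Bob exchange described above, as an added example that is not the book's own code: OpenSSL's smime subcommand signs the message with Alice's key, encrypts it to Bob's certificate, and Bob reverses both steps. It assumes openssl is on PATH; the self-signed identities, temp directory and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original text): S/MIME sign-then-encrypt round trip
# using OpenSSL's "smime" subcommand. Assumes openssl is on PATH; the identities,
# temp directory and message body are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Create a self-signed certificate plus private key for one identity ($1).
# In production these would be issued by a CA the email clients trust.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.invalid" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Alice: sign with her private key, then encrypt the signed message to Bob's certificate.
alice_send() {
    printf 'Subject: demo\n\nhello bob\n' > "$WORK/plain.eml"
    openssl smime -sign -in "$WORK/plain.eml" -signer "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$WORK/enc.eml" "$WORK/bob.crt"
}

# Bob: decrypt with his private key, then verify the signature using Alice's cert as trust anchor.
bob_receive() {
    openssl smime -decrypt -in "$WORK/enc.eml" -inkey "$WORK/bob.key" \
        -recip "$WORK/bob.crt" -out "$WORK/dec.eml"
    openssl smime -verify -in "$WORK/dec.eml" -CAfile "$WORK/alice.crt" \
        -out "$WORK/verified.txt" 2>/dev/null
}

# Succeeds only if Bob recovers what Alice wrote after decrypting and verifying.
smime_roundtrip() {
    make_identity alice
    make_identity bob
    alice_send
    bob_receive
    grep -q 'hello bob' "$WORK/verified.txt"
}

# Integrity check: altering the signed body must make signature verification fail.
tamper_detected() {
    sed 's/hello bob/hello eve/' "$WORK/dec.eml" > "$WORK/tampered.eml"
    ! openssl smime -verify -in "$WORK/tampered.eml" -CAfile "$WORK/alice.crt" \
        -out /dev/null 2>/dev/null
}
```

Run `smime_roundtrip` and then `tamper_detected`; the second function shows why the signature, not just the encryption, matters to Bob.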
Distribution of keys within an organization is a vital part of key management. You need to ensure the keys are safe and distributed securely. Some organizations choose to outsource these services. The risk associated with not using the correct resources or not implementing the correct system controls is sometimes left to providers who specialize in the technology. However, outsourcing is not always a good option because of the expense involved, especially if there are many systems, communication paths, or files that need to be encrypted within an organization.
Determining whether key management should be done in-house or outsourced requires much consideration. There is a large amount of risk associated with key management in terms of security, quality, and availability of resources; cost; and other factors. Some considerations regarding in-house versus outsourced key management are:
Organizations may choose to outsource key management or manage keys internally. While internal key management provides a greater degree of control over key distribution, outsourcing may have significant financial benefits.
Choosing the appropriate resources from in-house or outsourced key management services is a risky process. Some organizations are uncomfortable with managing such a vital part of security in their own infrastructure. Some feel that leaving this responsibility to providers who know the technology and specialize in its capabilities is more beneficial to them no matter what the cost. Others may feel the opposite and decide that leaving such an important security measure in someone else’s hands is not worth the risk. Both options are correct for various types of businesses. The process should be carefully planned because changing direction after initial implementation can cause problems.