Encryption - Issues to Consider Before Implementing Encryption

This document outlines issues end users should consider as they contemplate using encryption.

What is encryption

Encryption renders data unintelligible to anyone who accesses it except those who have the decryption key.  Access to the decryption key is typically protected by a password i.e anyone that knows the password can decrypt or read the data.  Encryption has been used for many years to protect data during transmission, using techniques such as SSL (https:) and VPN connections.  Encryption technology is also used to protect stored data.  Data can be encrypted before storage and decrypted upon access. This article addresses encryption for data at rest (stored data).

Why use encryption

In 2009, the Policy on Storage and Encryption of Sensitive Information (.pdf) (iEncrypt) was approved.  This policy reduces the risk of unauthorized access to sensitive University data.   This is particularly important for protecting personally identifiable data (such as Social Security numbers, credit card numbers, financial account numbers) as well as student data and the intellectual property of research.  Should a laptop containing confidential information be lost or stolen, for example, encryption would protect the data from unauthorized access.

Under the new policy, UW faculty and staff must obtain permission from supervisors before storing restricted or sensitive information (.pdf) on desktops, laptops or other portable devices or media. In addition, faculty and staff can only store the minimal amount of sensitive information needed and must encrypt what data remains, and ensure that these University data records are available, if needed.

How to avoid needing to encrypt

One way to avoid needing to comply with the iEncrypt policy is to not store restricted or sensitive information on your desktop, laptop or other portable device or media.  Identity Finder is a data discovery tools that can help you find personal identifying information e.g SSNs, credit card numbers by scanning files on your computer for this type of data.  If restricted data is found and you don't need it, delete it or delete the restricted data elements from the file. Alternatively, you could move the file to a server managed and protected by IT staff rather than storing it on your computer or portable device.

If possible, avoid downloading copies of sensitive data like course rosters, grade books, employee lists etc. when accessing data from UW systems such as Learn@UW, ISIS, HRS, etc.. Instead leave the information on the source system rather than propagating the sensitive information to your computer of mobile device.

How to encrypt

If you determine that you have a business need for keeping restricted or sensitive information on your computer or other portable device or media, it is important to consider---

  1. the type of encryption you need (document, file/folder, usb drive, full disk), and
  2. the approach you will use for backup of encryption keys and associated passwords.

These considerations are discussed in detail at Encryption - Types of encryption and key concepts.