2010-02-25 03:12 PM
I think it would be great to hear from you about encryption implementation best practices -- are there any best known methods, tips, documentation....etc....?
Solved! SEE THE SOLUTION
2010-02-26 04:53 PM
This is quite a formidable topic, but I will take a first stab at it. Hopefully others will be able to chime in and offer some further advice.
Encryption Policy considerations:
2010-02-26 08:53 PM
Also, to add to Mike's points, best practice defines that you have policiesin place to take advantage of encryption.
1. Identify the data that must be encrypted prior to settling on a solution. Encrypting everything usually is not a suitable approach.
2. Set policies on who can access the data with what conditions and by which method. This may involve restricting access through specific servers with enhanced authentication and logging. Encryption is only as good as the policies, authentication and logging that is available.
3. Have logging servers that are secure ready to integrate your encryption solution as well as your authentication to ensure that tracking and control measures are effective.
4. Have a secured ethernet network for management of the infrastructure that is accessible only by those that need access to manage the encryption and assets.
5. Establish roles with separate passwords and two factor authentication for :
a. Security administration - This usually can be someone responsible for data security in the environment.
b. Physical administation - In a typical environment technical staff have the skills to implment the solution.
6. Never entrust all passwords to one person. This puts the whole security of the environment at risk if that person abruptly quits or is terminated. Share roles across two or three trusted employees.
There are still others but much of this should be decided upon prior to implementation.