Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970


25 WWW.ILTANET.ORG

To help mitigate these issues, ensure that proper key management is in place, which includes cycling keys and using a key management system (KMS). When developing systems that use hashing (such as for storing credentials), incorporate salting. Use supported, industry-standard algorithms and avoid proprietary algorithms; NIST provides excellent guidance on which algorithms to use. Finally, ensure that users create strong passwords to access encrypted data (for BitLocker To Go and/or mobile devices); a weak password makes encryption almost useless.

Inaccessible Data

One other big risk is the inability to access data. While making data inaccessible is the idea behind encryption, that is not meant to include authorized access. Remember that one pillar of the CIA triad is availability; if a password or keys are lost, there is a good chance that the encrypted data can no longer be accessed. Keys must be properly safeguarded and securely backed up to mitigate this risk. Technologies such as BitLocker allow for enterprise management of a computer fleet, which means that an administrator can unlock a drive using recovery keys if the keys are lost or a password is forgotten.

What's Next?

Many firms already have access to technologies such as BitLocker, and all modern smartphones have encryption capabilities (iPhones have been enforcing them for years now). It is important to first develop and then implement an encryption policy and standards. This should include mandating the use of encryption and then specifying which algorithms, key sizes, key management practices, and backup and recovery procedures must be used. Take a risk-based approach: identify what data your firm has and how it needs to be protected, including the length of time it needs to be protected. Remember that large keys require more processing and decrease performance, and that some data might not require protection for 20-plus years.

Having policies, procedures and standards in place, along with the complementing technical controls, can go a long way toward ensuring the security of sensitive and privileged data. Preventing the unauthorized access to or leakage of data, whether accidental or not, can help firms maintain their security posture and limit their exposure. P2P

Codes and Keys: What, How and Why To Encrypt | FEATURES

What's Salting?

Salting adds arbitrary data to a hash input to make it unique. This mitigates the ability to conduct "pass-the-hash attacks" commonly seen in Windows.
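The sidebar's point about salting, as an added example that is not from the article: per-user salted credential storage using PBKDF2-HMAC-SHA256 from Python's standard hashlib, with an unsalted SHA-256 hash beside it for contrast. The function names, record format and sample password are assumptions of this example.

```python
# Added example (not from the article): salted password hashing with a
# supported, standard primitive (PBKDF2-HMAC-SHA256 from hashlib), showing
# that a per-user random salt makes each stored hash unique.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise for production hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    A fresh random salt is drawn per call unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:  # malformed record
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What not to do: identical passwords collapse to one precomputable hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two users pick the same (constructed) password: unsalted hashes collide,
    salted records differ, and verification still works per record."""
    pw = "correct horse battery staple"  # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        "unsalted_collide": unsalted_sha256(pw) == unsalted_sha256(pw),
        "salted_differ": rec_a != rec_b,
        "both_verify": verify_password(pw, rec_a) and verify_password(pw, rec_b),
        "wrong_rejected": verify_password("wrong password", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```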
