Encryption has become the most essential part of securing data online. The biggest headache to the Cybersecurity industry is a data breach. The last few years have seen an increase in hacking and exposure of confidential data to individuals or cyber criminals. Lack of data protection or data encryption has been one of the major reasons behind such security breaches.
Recently, a healthcare industry data breach occurred because the company stored Social Security Numbers of 80 million customers without encrypting them. The subsequent paragraphs suggest a set of best practices that can help to improve the level of cyber security in eGovernment transactions.
1. Encrypting data at rest and data in transit
Data stored in any digital form such as database, archives, tapes, mobile devices, laptops can be classified as data at rest. The encryption of data at rest should include strong encryption methods such as AES or triple-DES, and RSA or Diffie-Hellman for key-exchange
Any data flowing through HTTP channels will be in plaintext. To prevent sniffing of plaintext traffic, HTTPS or HTTP over TLS must be used. With the increase in SSL security vulnerabilities such as POODLE or Heartbleed, it is highly recommended to use TLS 1.2 or above with strong cipher suites.
Encryption adds an extra layer of security, even if your laptop or smartphone is stolen; the data is still well protected if full disk encryption (data-at-rest encryption) is enabled. Many systems still rely on static passwords for granting access, which poses a significant vulnerabilty, regardless of how strong the encryption technology is. Organizations should encourage its customers and staff to use strong passwords and password managers or strong authentication. Recent security breaches have shown that even IT educated employees sometimes tend to store passwords in a simple text file.
3. Protection from unauthorized access
Targeted data theft is one thing, but another way to misuse data is through manipulation. Insider threats are also a matter of concern when it comes to information leakage. Implementing separation of duties and least privilege policy can help in preventing unauthorized access within the organization or Intranet.
4. Digital signatures to ensure data integrity
A digital signature not only ensures that the alleged sender actually sent the message, but also that the message has not been altered since it was signed. It uses asymmetric cryptography like RSA based signature schemes, ElGamal, etc. When signing, you use your private key to create the message's signature, and others use your public key to check if it's really yours.
Cryptomathic’s Signer offers secure signing for web services such as eBanking and eGovernment. It combines strong authentication with digital signatures to enable user mobility without trading off security. Signer is a central server, which stores the users’ private keys in a secure database and generates digital signatures on their request. As the private key is stored centrally, the physical security and responsibility of the key no longer lies with the individual user, as it is not stored on a PC or hardware token.
5. Signing and encrypting Email communications
Email is prone to disclosure of information. Email communications within an organization can be highly sensitive. Multiple data breaches occurred in the last few years, hackers released more than 100GB worth of data stolen including email communications, client lists and invoices.
Signing emails improve communication security since it helps to ensure non-repudiation. Cryptomathic’s Signer provides a convenient mechanism not only for signing but subsequent encryption as well, and signing and encrypting emails and can be easily integrated with applications, including Microsoft Outlook.
6. Encryption, regulations and control
Encryption is applicable to various data protection directives and standards, such as PCI DSS, HIPAA HITECH, Data Protection Act, etc. Encrypting data is the easy part, the biggest challenge is having the right procedures and controls (such as managing cryptographic keys) to avoid weaknesses in the security systems. The biggest threat to many organisations comes from poor cyber security practices, which makes the critical infrastructure vulnerable to sophisticated cyber-attacks (e.g. the 2015 US Office of Personnel Management incident).
7. Designing and implementing PKI
PKI (Public Key Infrastructure) has been recognized as a key element for supporting secure and reliable electronic communications in the framework of eGovernment. The purpose of a PKI is to facilitate the secure electronic transfer of information. It consists of a variety of components from a certification authority (CA) over policies to users credentials.
It is used for content protection such as DRM, EMV payment cards and trusted devices. Cryptomathic’s PKI product range includes all the applications needed to set up and maintain a 'trusted community' based on PKI.