Install and Use a File Encryption Program and Access Controls

Install and Use a File Encryption Program and Access Controls

Let’s return to your living space and our original analogy. Think about your checkbook, your insurance policies, perhaps your birth certificate or passport, and other important documents you have at home. Where are they? They’re probably stored in a filing cabinet or a safe, either of which that can be or is routinely locked. Why do you store these important items in a locked container?

Without realizing it, you are satisfying one of the three components of information security – confidentiality. Confidentiality means keeping secrets secret. Only those who are supposed to see that information should have access to it. You are keeping information sensitive to you and others away from those who should not be able to get to it, for example a family member or an intruder. By the way, the other two components of information security are integrity (Has my information changed?) and availability (Can I get to my information whenever I need it?).

You further protect information confidentiality when you enforce it by using an access control device, namely the lock on your filing cabinet or safe. This device stands between the information and those seeking access, and it grants access to all who have the combination, the key, or whatever tool unlocks the container. When several layers of access control devices are used (called “defense in depth”) – you might also find that these containers are themselves in locked rooms. Would-be intruders must pass through several levels of protection before finally gaining access to the information they seek.

Now, think back to your home computer. The problem is to control access to files and folders. The access control device here is the access control list or ACL. ACLs define who can perform actions on a file or folder: reading and writing, for example. ACLs are equivalent to a locked filing cabinet for paper documents.

Different computer systems provide different types of ACLs. Some have fine-grained controls while others have virtually none. The key is to use all the controls that are available on your computer.

Frequently, vendors define ACLs that are overly permissive. This satisfies their need to ensure that access limitations don’t get in the way of using their systems. Your challenge is to tighten those ACLs so that they properly restrict access to only those who need access. This means that you need to modify the ACLs from the settings set by the vendor. We’ll talk more about how to do this shortly.

Returning to the home environment, do you remember a time when adults in your house wanted to say something to one another in front of their children but in such a way that the children couldn’t understand what was being said? Perhaps they spelled their message or used Pig Latin (ig-pay Atin-lay) to conceal the meaning. This worked for a while, until the children learned to spell or could otherwise understand what was being said. What’s really happening here?

Very simply, the adults could not control who could hear their conversation. It was inconvenient or perhaps impossible for them to go to another room where they couldn’t be heard. They had to talk in a way that only those who knew the concealing scheme could understand what was being said.

On a computer, when access to information can’t be limited, such for an e-commerce transaction over the Internet, that information is concealed through a mathematical process called encryption. Encryption transforms information from one form (readable text) to another (encrypted text). Its intent is to hide information from those who have neither the transformation method nor the particulars (the decryption keys) to transform the encrypted text into readable text. The encrypted text appears to be gibberish and remains so for people who don’t have the scheme and the keys.

Back on the home front, the children eventually learned how to spell and perhaps also learned the trick to using Pig Latin. They can now understand the conversations the adults are having. While they could also understand the conversations held weeks, months, or even years before, the information in those conversations is no longer important. The encryption scheme – spelling or Pig Latin – is strong enough to guard the information during its useful lifetime.

Computer-based encryption schemes must also withstand the test of time. For example, if a credit card encryption scheme needs six months of computer time to break, the resulting clear text credit card number is probably still valid and, therefore, useful to an intruder. In this case, the encryption scheme isn’t strong enough to guard the information for its entire useful lifetime.

So, to guard paper or computer files, you need to limit who has access to them by using the access control devices, whether filing cabinets and safes for paper or access control lists for information on a computer system. For assets whose access cannot be sufficiently limited, you need to encrypt them strongly enough so that the time it takes to decrypt them is longer than their useful life.

Now, what can you do?

First, if more than one person uses your computer, you can adjust the ACLs that control access to sensitive files and folders. Your goal is to allow the correct type of access to the files and folders that each user needs, and nothing more. The steps below help you to decide how to adjust the ACLs for files and folders:

1.The Who test: Who – which users – need access to files besides you?

2.The Access test: What type of access do they need? Read? Write?

3.The Files/Folders test: Which files and folders need special access? Just like your firewall rules, your general policy should be to limit access to only you first, and then grant access beyond that where needed.

By applying the WAF tests, you can limit access to sensitive files on your computer to only those who need it.

Setting proper ACLs is not a trivial task. Be prepared to repeat it a few times until you get it right for the way your computer is used. It’s worth the time spent, but know that it may take longer than you expect.

For very sensitive files and for files that are on a laptop, don’t rely solely on file and folder ACLs. You need to go further and use encryption.

Some vendors provide encryption with their systems right from the start. This means that all you have to do is follow the vendor’s instructions on how to use those features, but be certain to use them.

On systems where encryption is not included, you need to install additional encryption programs. For encryption programs that you download from the Internet, be sure to follow the instructions in Task 7 - Use Care When Downloading and Installing Programs. Also follow the instructions in Task 6 - Use Strong Passwords for additional guidance on passwords required by encryption programs.

There are free and commercial encryption programs, and in most cases, the free versions suffice. However, commercial programs may provide more features and may keep up better with newer and, therefore, stronger encryption methods. If you rely on a laptop computer, you should consider purchasing a commercial file encryption programs.

Whether paper files around your living space or files and folders on your computer, limit access where you can. On your computer, use encryption programs either when you can’t restrict access to the extent that you’d like or when you want even more security protecting your computer files and folders.