A significant issue facing infosec professionals is implementing secure data transmission methods when sending and receiving confidential, sensitive and proprietary information.
Some industries face regulations requiring the secure transmission of data -- such as the HIPAA Security Rule for healthcare -- but all enterprises need to consider secure transmission methods to protect against theft of intellectual property or other sensitive data.
When many organizations think of secure data transmission methods, the conversation inevitably turns to encryption and various ways to transmit encrypted data securely, including email, dedicated software or services, VPNs or physical media.
However, regardless of the method of data transmission an organization prefers, IT staff must always be aware of the type of encryption being used.
Not all encryption is equal
The most basic form of encryption for data in transit is TLS, which is used by many web-based email services and other websites. However, TLS only works when both the sending and receiving servers are configured properly: an endpoint that does not offer TLS, or a client that does not verify the certificate it is shown, leaves the connection unencrypted or unauthenticated. TLS also encrypts only the connection, not the message itself, so a message stored on either end remains unprotected if it is stolen there.
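The two-sided requirement above can be checked concretely. The following Go program is an added example, not code from the original article: it issues a throwaway self-signed certificate for a hypothetical server `mail.example.test`, performs the verification a sending client must do (trust chain plus hostname), and audits a client `tls.Config` for the settings that silently weaken TLS. The hostname, the certificate and the audit rules are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is a hypothetical hostname for the receiving mail server.
const serverName = "mail.example.test"

// selfSignedCert issues a throwaway certificate for serverName so the checks
// below run offline; a production server would present a CA-issued certificate.
func selfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert is the receiving-side check a sending client performs:
// the presented certificate must chain to a trusted root and be valid for
// the hostname the client intended to reach.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// auditClientConfig flags the sending-side mistakes that turn TLS into
// unauthenticated or downgradable encryption without any visible failure.
func auditClientConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate and hostname checks")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion is not pinned to TLS 1.2 or higher")
	}
	if cfg.ServerName == "" {
		findings = append(findings, "ServerName is empty, so hostname verification has nothing to match")
	}
	return findings
}

// strictClientConfig is the configuration the audit accepts.
func strictClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	fmt.Println("right host:", verifyServerCert(cert, roots, serverName))
	fmt.Println("wrong host:", verifyServerCert(cert, roots, "other.example.test"))
	fmt.Println("untrusted :", verifyServerCert(cert, x509.NewCertPool(), serverName))
	fmt.Println("lax audit :", auditClientConfig(&tls.Config{InsecureSkipVerify: true}))
	fmt.Println("strict    :", auditClientConfig(strictClientConfig(roots)))
}
```

The first verification succeeds; the second fails on the hostname and the third on an unknown authority, which is exactly what a client with `InsecureSkipVerify` set would stop noticing. Running the audit over the configuration used by an internal mail relay or file-transfer client is a cheap way to confirm the "sending side" of the requirement.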
Advanced Encryption Standard (AES) with a 256-bit key, AES-256, is accepted as the strongest encryption algorithm currently available. AES is the accepted standard based on NIST guidelines and can be used with 128-, 192- and 256-bit keys. For organizations more concerned with encryption speed and resource use, AES-128 or AES-192 can be used. Organizations with the most sensitive data to protect should opt for AES-256. AES-256 is considered strong enough that the only reliable way to brute-force it would be by using quantum computers.
When considering encrypted email, options include public key infrastructure (PKI) and Secure/Multipurpose Internet Mail Extensions (S/MIME). PKI requires the parties to exchange the certificates, and with them the public keys, used to encrypt messages to each other; this process has been simplified with Outlook/Active Directory and G Suite Enterprise, both of which automatically store and exchange digital IDs or certificates purchased from a certificate authority to enable encryption.
Even so, the process of sending encrypted emails can be tricky. If G Suite rules are not set properly, messages may not be encrypted. Similarly, Outlook users can enable S/MIME encryption certificates and digital ID certificates manually, but a more automated approach would require a Microsoft 365 subscription and the use of Microsoft 365 Message Encryption to send encrypted emails to both Outlook and non-Outlook addresses.
Since email encryption can be tricky to implement and can easily fail if the sender and recipient aren't configured properly, software and services are available to help with secure data transmission. Again, though, organizations must be careful to note how and when files are encrypted. Cloud storage services, like Box, OneDrive and G Suite, will encrypt data at rest and data in transit, but the service provider still holds the encryption keys. This leaves the data at risk from insider threats at those providers.
The most secure option is end-to-end encryption (E2EE), where even the service provider cannot decrypt data shared through it.
For smaller organizations, an E2EE messaging service, like Signal or Wickr, may be sufficient. But, for larger organizations and those needing to meet regulatory compliance mandates, a managed file transfer service might be the better option.
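To make the difference between provider-held keys (the cloud storage case above) and E2EE concrete, and to show the AES key-size choice from earlier in the article in working code, here is an added Go example that is not part of the original article. A constructed `Provider` type stores ciphertext only; two users derive a shared AES-256-GCM key from each other's X25519 public keys, so the provider never holds anything that decrypts. Hashing the ECDH secret with SHA-256 stands in for a proper KDF, and the user and message names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD. The key length alone selects the variant:
// 16 bytes gives AES-128, 24 AES-192 and 32 AES-256; nothing else changes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext; the random nonce is prepended
// to the output and aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to nonce, ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Provider is a constructed stand-in for a cloud service: it stores and
// relays envelopes but is never given a key.
type Provider struct{ stored [][]byte }

// User holds an X25519 key pair; only the public half is ever shared.
type User struct{ priv *ecdh.PrivateKey }

func NewUser() (*User, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &User{priv: priv}, err
}

// sharedKey turns the X25519 shared secret into a 32-byte (AES-256) key.
// Hashing the raw secret is a simplification of a proper KDF such as HKDF.
func (u *User) sharedKey(peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := u.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// SendTo encrypts msg for peer and hands only the envelope to the provider.
// The recipient's public key is bound in as aad, so an envelope redirected
// to another mailbox fails to open.
func (u *User) SendTo(p *Provider, peer *ecdh.PublicKey, msg []byte) (int, error) {
	key, err := u.sharedKey(peer)
	if err != nil {
		return 0, err
	}
	env, err := seal(key, msg, peer.Bytes())
	if err != nil {
		return 0, err
	}
	p.stored = append(p.stored, env)
	return len(p.stored) - 1, nil
}

// Receive fetches envelope id from the provider and opens it with the key
// derived from the sender's public key.
func (u *User) Receive(p *Provider, sender *ecdh.PublicKey, id int) ([]byte, error) {
	key, err := u.sharedKey(sender)
	if err != nil {
		return nil, err
	}
	return open(key, p.stored[id], u.priv.PublicKey().Bytes())
}

// exchange sends msg between two constructed users through the provider and
// reports what the recipient recovered and whether the provider's stored
// copy contains the plaintext.
func exchange(msg string) (recovered string, providerSeesPlaintext bool, err error) {
	alice, err := NewUser()
	if err != nil {
		return "", false, err
	}
	bob, err := NewUser()
	if err != nil {
		return "", false, err
	}
	provider := &Provider{}
	id, err := alice.SendTo(provider, bob.priv.PublicKey(), []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := bob.Receive(provider, alice.priv.PublicKey(), id)
	if err != nil {
		return "", false, err
	}
	return string(pt), bytes.Contains(provider.stored[id], []byte(msg)), nil
}
```

Calling `exchange("quarterly results, internal only")` returns the same string from the recipient and `false` for the provider, which only ever held ciphertext. The same `seal`/`open` pair works unchanged with a 16- or 24-byte key, which is the whole of the AES-128/192/256 choice; what actually decides whether a provider can read the data is who holds the key, not the key length.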
Remote user communication
Remote users present an additional security risk because they are often communicating between their home network and the organization's network. This means they need to be aware not only of secure data transmission requirements, but also of the other infosec risks associated with remote access to confidential information.
To secure communication with remote users, one option is to install a VPN client on employee devices, which encrypts all traffic between the device and the organization's VPN endpoint. An emerging option for remote workers who need access to cloud services is Secure Access Service Edge, or SASE, which combines software-defined WAN, secure web gateways, cloud access security brokers and zero-trust network access to ensure secure connections to cloud services.
In general, physical devices are not good options for transmitting data securely. Encryption can help protect data on a laptop or other portable device, but physical devices are still easily lost or stolen. Additionally, it is not uncommon for organizations to ban the use of USB thumb drives or other removable storage technology because of malware infection risks.
As employees work remotely more often, the wireless networks they connect to become another threat to sending data securely. Unsecured wireless networks are significant points of vulnerability and open up organizations to threats. Employees should only connect to known, trusted networks and those secured with passwords -- otherwise, data sent from their devices could be easily intercepted.