Encryption Guidelines
1.0 Overview
The confidentiality and integrity of Sensitive and PHI/Restricted data and resources owned by the University of Alabama at Birmingham (UAB) are of paramount importance. Encryption provides the ability to protect those data and resources and is required by the UAB Data Protection Rule when Sensitive and PHI/Restricted data are involved.
2.0 Objective/Purpose
This document provides guidance for leveraging encryption with a variety of technologies and use cases to ensure that the confidentiality and integrity of UAB data and resources are protected, in accordance with the UAB Data Protection Rule and other policies, standards, rules, and security frameworks. As technology and standards evolve, this list of encryption guidelines will be updated to reflect such changes. Questions regarding these guidelines can be directed to AskIT by email or by phone at (205) 996-5555.
3.0 Recommendations
The following guidance should be used when leveraging encryption to secure UAB data and workflows in which the associated levels of confidentiality and integrity must be protected.
3.1 Web communications
Requirement | Solution | Comment
Secure HTTPS web communication | TLS 1.2 | Use TLS 1.2 to secure web-based HTTPS communications. SSL and older versions of TLS have been deemed obsolete and/or vulnerable to attacks, and many vendors are moving away from these older versions.
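The following Python example is added here to show what the TLS 1.2 floor looks like in practice; it is not part of the UAB guideline and uses only the standard library `ssl` module. It builds a client context and a server context that refuse SSL, TLS 1.0 and TLS 1.1, audits an existing context against the same policy, and re-checks the version a live connection actually negotiated. The certificate and key paths passed to `build_server_context` are whatever the caller supplies; no real UAB hosts or files are assumed.

```python
"""Build and audit TLS contexts that enforce the TLS 1.2 floor from section 3.1."""
import ssl

# Policy floor from the guidelines: nothing older than TLS 1.2 is acceptable.
MIN_TLS = ssl.TLSVersion.TLSv1_2

# Names as returned by SSLSocket.version(); SSLv3, TLSv1 and TLSv1.1 are the
# obsolete versions the guidelines say to avoid.
ALLOWED_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def build_client_context() -> ssl.SSLContext:
    """Client side: TLS 1.2+ only, with certificate and hostname verification on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side: TLS 1.2+ only; certfile/keyfile are paths the caller supplies."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = MIN_TLS
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_violations(ctx: ssl.SSLContext, client: bool = True) -> list:
    """Audit an existing context; returns a list of problems (empty means compliant)."""
    problems = []
    # TLSVersion is an IntEnum, so the floor can be compared directly.
    if ctx.minimum_version < MIN_TLS:
        problems.append(f"minimum_version is {ctx.minimum_version.name}; TLSv1_2 required")
    if client and ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client does not require a server certificate")
    if client and not ctx.check_hostname:
        problems.append("client does not check the server hostname")
    return problems


def version_allowed(negotiated: str) -> bool:
    """True if the protocol name a connection negotiated meets the floor."""
    return negotiated in ALLOWED_VERSIONS


def enforce_on_socket(sock: ssl.SSLSocket) -> str:
    """Post-handshake check: close anything that negotiated below TLS 1.2."""
    negotiated = sock.version()
    if negotiated is None or not version_allowed(negotiated):
        sock.close()
        raise ssl.SSLError(f"negotiated {negotiated!r}; TLS 1.2 or newer required")
    return negotiated
```

To use the client context, wrap a connected socket with `build_client_context().wrap_socket(sock, server_hostname=host)` and pass the result to `enforce_on_socket`; the context already refuses older versions during the handshake, so the second check is there to make the policy visible in logs and tests rather than to do the real work.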
3.2 Secure network transmission protocols (non-web-based)
Requirement | Solution | Comment
Authentication and remote management | SSH v.2 or OpenSSH | Use the most recent versions and confirm any reported vulnerabilities have been remediated.
Transferring files securely | SFTP, WinSCP or SCP | Files containing Sensitive or Restricted data can be transferred over the network via these protocols.
Network management | SNMP v.3 | Unlike previous versions of this protocol, encryption can be enabled with ver. 3.
Secure tunneling | IPSec | Encapsulating Security Payload (ESP) must be enabled to provide encryption.
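Because SNMP v.3 only encrypts when a privacy protocol is actually configured, a quick audit of the agent configuration is the practical check behind the table row above. The Python example below is added here and is not UAB's own tooling; it assumes the net-snmp `snmpd.conf` directive syntax (`rocommunity`/`rwcommunity`/`com2sec` for v1/v2c communities, `createUser NAME SHA "auth" AES "priv"` and `rouser NAME priv` for v3), and the sample configuration it audits is constructed for the example.

```python
"""Audit a net-snmp snmpd.conf for cleartext SNMPv1/v2c access and for SNMPv3
users that authenticate but do not encrypt (section 3.2: SNMP v.3)."""
from dataclasses import dataclass

# Constructed sample, not a real UAB configuration; syntax follows net-snmp.
SAMPLE_SNMPD_CONF = """\
# legacy community strings: SNMPv1/v2c, no encryption at all
rocommunity public
rwcommunity s3cret 10.0.0.0/8
com2sec readonly default public
# SNMPv3 users
createUser monitor SHA "auth-passphrase-here" AES "priv-passphrase-here"
rouser monitor priv
createUser legacyv3 SHA "auth-passphrase-here"
rouser legacyv3 auth
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
ACCESS_DIRECTIVES = {"rouser", "rwuser"}
PRIV_PROTOCOLS = {"DES", "AES", "AES128", "AES192", "AES256"}


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def _users_with_privacy(text: str) -> set:
    """Names from createUser lines that specify a privacy (encryption) protocol."""
    users = set()
    for raw in text.splitlines():
        parts = raw.split()
        # createUser NAME MD5|SHA "authpass" [DES|AES "privpass"]
        if len(parts) >= 2 and parts[0] == "createUser":
            if any(p.upper() in PRIV_PROTOCOLS for p in parts[2:]):
                users.add(parts[1])
    return users


def audit_snmpd_conf(text: str) -> list:
    """Return Findings, in file order, for every directive that leaves data unencrypted."""
    findings = []
    priv_users = _users_with_privacy(text)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive in COMMUNITY_DIRECTIVES:
            findings.append(Finding(line_no, "high",
                f"{directive}: SNMPv1/v2c community access is unencrypted; migrate to SNMPv3"))
        elif directive in ACCESS_DIRECTIVES and len(parts) >= 2:
            user = parts[1]
            # net-snmp's default security level for rouser/rwuser is 'auth' (no encryption)
            level = parts[2].lower() if len(parts) > 2 else "auth"
            if level != "priv":
                findings.append(Finding(line_no, "medium",
                    f"{directive} {user}: security level '{level}' does not encrypt; use 'priv'"))
            elif user not in priv_users:
                findings.append(Finding(line_no, "medium",
                    f"{directive} {user}: 'priv' requested but createUser defines no privacy protocol"))
        elif directive == "createUser" and len(parts) >= 2 and parts[1] not in priv_users:
            findings.append(Finding(line_no, "medium",
                f"createUser {parts[1]}: no privacy protocol; add AES and a privacy passphrase"))
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```

On the constructed sample the three community lines are reported as high, and the `legacyv3` user is reported twice: once because its `createUser` line has no privacy protocol and once because its `rouser` line asks only for `auth`. The `monitor` user, created with AES and granted access at `priv`, produces no finding.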
3.3 Whole disk encryption
Requirement | Solution | Comment
Encrypting Windows desktops/laptops | BitLocker | Be sure to save and secure your recovery key.
Encrypting Mac desktops/laptops | FileVault | Be sure to save and secure your recovery key.
3.4 Sensitive or Restricted files
Requirement | Solution | Comment
Microsoft Office files (Word, Excel, PowerPoint, etc.) | Use the Protect Document – Encrypt with Password functionality | Follow UAB’s Password/Passphrase policy to create a passphrase and escrow it with Keeper.
Non-Microsoft Office files/folders on Windows machines | Encrypting File System (EFS is built into Windows), 7Zip | If possible, use a minimum of AES-256 encryption.
Non-Microsoft Office files/folders on Apple laptops/desktops | Disk Utility (native to Mac OS X) | Follow UAB’s Password/Passphrase policy to create a passphrase and escrow it with Keeper.
3.5 Guidelines for symmetric encryption algorithms
Requirement | Solution | Comment
Evaluating the algorithm used in a symmetric encryption-related process | Use a public, well-validated, strong algorithm such as AES, Twofish, or Serpent. Avoid the use of products that rely on weak or proprietary encryption algorithms. | Public algorithms have been thoroughly vetted. Proprietary algorithms have not been open to public review, and are not as well tested or vetted as a result.
3.6 Guidelines for asymmetric key exchange/encryption algorithms
Requirement | Solution | Comment
Evaluating the algorithm used in an asymmetric key exchange- or encryption-related process | Use a public and well-validated, strong algorithm such as Diffie-Hellman, RSA, ECC, or ElGamal. Avoid the use of products that rely on weak or proprietary encryption algorithms. | Public algorithms have been thoroughly vetted. Proprietary algorithms have not been open to public review, and are not as well tested or vetted as a result.
3.7 Guidelines for using hashes
Requirement | Solution | Comment
Digitally signing or validating files | Use SHA-2 or higher hashing algorithms | MD5/SHA-1 are considered weak and should be avoided.
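As an added illustration of the hashing row above (not code from the UAB guideline), the Python example below validates files against a digest manifest using only the standard library. It accepts the SHA-2 and SHA-3 families, refuses to even compute MD5 or SHA-1 so a weak entry cannot pass by accident, and compares digests in constant time. The manifest format (`algorithm  hexdigest  filename`, one entry per line) and the sample files and digests are constructed for the example.

```python
"""Verify file digests from a manifest, accepting SHA-2 or stronger only (section 3.7)."""
import hashlib
import hmac

# Families the guideline treats as acceptable ("SHA-2 or higher") and as weak.
APPROVED = frozenset({"sha256", "sha384", "sha512",
                      "sha3_256", "sha3_384", "sha3_512"})
WEAK = frozenset({"md5", "sha1"})


def _normalize(algo: str) -> str:
    """Map spellings like 'SHA-256', 'sha3-256' or 'MD-5' to hashlib names, rejecting weak ones."""
    name = algo.lower().replace("sha3-", "sha3_").replace("-", "")
    if name in WEAK:
        raise ValueError(f"{algo} is considered weak by the guideline; use SHA-2 or stronger")
    if name not in APPROVED:
        raise ValueError(f"{algo} is not an approved hashing algorithm")
    return name


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of in-memory data with an approved algorithm."""
    return hashlib.new(_normalize(algo), data).hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so large files are not loaded into memory."""
    h = hashlib.new(_normalize(algo))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(data: bytes, algo: str, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest against the expected one."""
    return hmac.compare_digest(digest_bytes(data, algo), expected_hex.lower())


def verify_manifest(manifest: str, files: dict) -> dict:
    """Check every manifest entry ('algo  hexdigest  name') against files {name: bytes}.

    Result per name is 'ok', 'MISMATCH', 'missing', or 'rejected: weak or unknown algorithm'.
    """
    results = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        algo, expected, name = line.split(maxsplit=2)
        if name not in files:
            results[name] = "missing"
            continue
        try:
            ok = verify_digest(files[name], algo, expected)
        except ValueError:
            results[name] = "rejected: weak or unknown algorithm"
            continue
        results[name] = "ok" if ok else "MISMATCH"
    return results


# Constructed sample inputs: contents and manifest are made up for this example.
SAMPLE_FILES = {
    "notes.txt": b"hello",
    "empty.bin": b"",
    "report.pdf": b"draft",
    "legacy.zip": b"x",
}
SAMPLE_MANIFEST = """\
# algorithm  hexdigest  filename
sha256  2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  notes.txt
sha256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.bin
sha256  0000000000000000000000000000000000000000000000000000000000000000  report.pdf
md5     d41d8cd98f00b204e9800998ecf8427e  legacy.zip
sha256  1111111111111111111111111111111111111111111111111111111111111111  missing.txt
"""

if __name__ == "__main__":
    for name, status in verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES).items():
        print(f"{name}: {status}")
```

The `legacy.zip` entry is reported as rejected rather than compared: an attacker who can produce an MD5 or SHA-1 collision would otherwise be able to substitute a file that still "validates", which is the reason the guideline lists those algorithms as weak.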