Device & Data Encryption

Introduction

In the course of University business, Arizona State University personnel routinely handle sensitive information including Personally Identifiable Information (PII), student records, health records, financial records, and research data. Federal laws, state statutes, and industry standards apply civil penalties for failure to protect sensitive information adequately. Encryption plays a key role in keeping information safe: it does not prevent a device from being stolen or a network from being eavesdropped on, but it ensures that data obtained that way remains unreadable without the key.

As part of its overall program to ensure appropriate measures to protect PII and other sensitive data in a robust and least-intrusive manner, Arizona State University provides requirements for encrypting data in transit and storage.

Implementing encryption of data in storage is one of ASU's Top Five Critical Security Initiatives. Devices that store data include not only desktops, laptops, and mobile devices but also printers, HVAC controllers, RFID readers, cameras, display boards, etc. Encrypt everything!

Endpoint Encryption

Endpoint Encryption ensures that if your computer is stolen, any sensitive information on its disk will be unavailable to the thief. Encrypt your computer's hard disk using your operating system's built-in disk encryption software or other encryption software suggested by UTO. Note that full-disk encryption protects data only while the disk is locked (the machine is powered off or sitting at the pre-boot prompt); once you have signed in, the disk is unlocked, so lock the screen when you step away and power the device off rather than suspending it when transporting it.

Encryption at Rest (file encryption) protects individual files even when the computer is running and its disk is already unlocked, so it complements rather than replaces full-disk encryption. It can also provide a form of access control for files that contain sensitive information on your computer.

All ASU-maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. In addition to full-disk encryption, all ASU computers should encrypt individual files containing sensitive data. The minimum standard for encryption algorithms is 128-bit AES, or the highest level allowed by export controls in the case of international applications.

Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., minimum system requirements for compliant operating system, chipset including compliant TPM chip), the device should be upgraded or replaced with a compliant device.

Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
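The requirements above (FDE on, at least 128-bit AES, a compliant TPM, and a recovery key escrowed to Active Directory) can be checked and the escrow gap remediated on a Windows endpoint with BitLocker. The following script is an added example written for this page; it is not ASU's or UTO's own tooling. It assumes a domain-joined Windows device, an elevated session, the BitLocker and TrustedPlatformModule PowerShell modules, and a domain policy that permits backing up BitLocker recovery information to AD DS; the function names Test-EndpointEncryption and Invoke-RecoveryKeyEscrow are the example's own.

```powershell
# Added example (not from the original page): audit one volume against the
# FDE requirements (protection on, AES >= 128-bit, TPM ready, recovery key
# escrowable to AD) and push the recovery protector to Active Directory.
# Assumptions: domain-joined Windows, elevated session, BitLocker and
# TrustedPlatformModule modules available.
#Requires -RunAsAdministrator

Import-Module BitLocker
Import-Module TrustedPlatformModule

# Encryption methods that satisfy the 128-bit AES minimum in the policy.
$AcceptableMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')

function Test-EndpointEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $findings = @()

    # 1. TPM: sanctioned FDE solutions require a compliant, initialized TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM missing or not ready: device needs upgrade or replacement'
    }

    # 2. Volume state: protection must be On and the cipher at least AES-128.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($vol.ProtectionStatus) on $MountPoint"
    }
    if ($AcceptableMethods -notcontains [string]$vol.EncryptionMethod) {
        $findings += "Encryption method '$($vol.EncryptionMethod)' is below the AES-128 minimum"
    }

    # 3. Key escrow: a RecoveryPassword protector is what gets backed up to AD
    #    so an authorized third party can recover the disk later.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        $findings += 'No RecoveryPassword protector: nothing to escrow to AD'
    }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
        RecoveryProtector = $recovery
    }
}

# Remediate the escrow gap only: add a recovery password protector if absent
# and back up every recovery protector to AD DS. TPM and cipher findings need
# hardware changes or re-encryption and are deliberately not automated here.
function Invoke-RecoveryKeyEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($p in $protectors) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

$result = Test-EndpointEncryption
$result | Format-List
if (-not $result.Compliant -and ($result.Findings -match 'RecoveryPassword')) {
    Invoke-RecoveryKeyEscrow
}
```

Run it once per volume that holds data (system drive first, then any data drives) and feed the Findings list to your departmental ticketing; a device whose only finding is the missing escrow is fixed in place, while TPM or cipher findings map directly to the upgrade-or-replace requirement above. Units that cannot use AD for escrow should replace Backup-BitLockerKeyProtector with their documented escrow process, keeping the rest of the check unchanged.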

The following documents provide information on how to encrypt your computer and individual files. Consult your departmental technical support personnel for assistance.

Encryption in Transit

Encryption in transit reduces the chance that data you access and send will be available to someone who is eavesdropping on the network. Here are some general practices to follow. Consult your departmental technical support personnel for assistance.

  • Use ASU ENCRYPTED wireless. More information here
  • Use the SSLVPN when accessing ASU systems from any network off campus; download and installation instructions are available at https://sslvpn.asu.edu.
  • Use encrypted protocols (e.g., https, ssh) when accessing any networked system.
  • Note that electronic mail is not secure; even if you get and send your email using an encrypted connection, the person on the other side might not!

Please refer to the ASU Data Handling Standard for more information about use, transmission and storage of sensitive data.

Enterprise & Systems Encryption

ASU Cybersecurity can assist with implementation and review of Enterprise & Systems encryption technologies. For more information, please contact ASU Cybersecurity.