S 2.162 Determining the need to use cryptographic procedures and products

Initiation responsibility: IT Security Management

Implementation responsibility: Administrators; staff responsible for the individual IT applications

In order to arrive at realistic, reliable and appropriate indications of requirements and basic conditions for the use of cryptographic procedures and products in relation to the processing and transmission of sensitive information, it is first necessary to identify and assess the data that is worth protecting.

Identification of the data to be protected

First it is necessary to identify the tasks for which cryptographic procedures are to be used and the data which these procedures are intended to protect. The use of cryptographic procedures may be necessary for a variety of reasons (see also S 3.23 ):

• To protect the confidentiality and/or integrity of data

• For the purpose of authentication

• To provide proof of sending or receipt (non-repudiation)

It may make sense to use various different cryptographic methods, such as encryption or hash functions, depending on the intended purpose. The typical fields of use for cryptographic procedures are:

1. Local encryption

2. Communication security, at the application level and/or at the transmission level

3. Authentication

4. Non-repudiation

5. Integrity

A number of examples from the various typical fields of use for cryptographic procedures are described below:

• A PC hard disk contains data which is to be protected by encryption to prevent unauthorised access.

• Information is to be forwarded via telephone, fax or data networks, for example it is to be sent by email or transferred by the exchange of data media.

• The information that needs to be protected is not under the sole control of the responsible organisational unit (the LAN runs through parts of the building that are used by other companies; a server storing personnel data is managed by staff who do not belong to the personnel department).

• Remote access is to be secured by strong authentication.

• In the case of emails, it must be possible to determine without doubt who the sender was and whether the content has been delivered unchanged.

In order to establish which cryptographic procedures and products are required and which data needs to be protected by these means, the first step should be to determine the current IT structure (see also Chapter 2 on recording the details of IT systems and applications). The following facts should be established:

• What IT systems are there which are used for processing or storing data (PCs, laptops, servers, ...) or for transmitting data (bridges, routers, gateways, firewalls, ...)

• What transmission routes are used. The logical and physical networking structure should also be recorded in this connection (see also S 2.139 Survey of the existing network environment).

Degree of protection required for the data (confidentiality, integrity, authenticity, non-repudiation)

All applications and data for which there are particular requirements in terms of confidentiality, integrity, authenticity or non-repudiation should be identified (see Chapter 2). However, cryptographic products are not required solely for IT systems, applications or information with high-level protection requirements, they are also needed for those with medium-level protection requirements.

Examples of data with particular requirements regarding confidentiality include:

• Person related data

• Passwords and cryptographic keys

• Confidential information, the publication of which could result in recourse claims

• Data from which a competing company could derive financial gain

• Data which would jeopardise the fulfilment of a task if it did not remain confidential (e.g. results of an inquiry, register of sites or endangered plants)

• Data which could result in an injurious falsehood if published

Note: The accumulation of data increases the protection requirements of a data collection, such that encryption may become necessary even if the individual records in the collection are not particularly sensitive.

Examples of data with particular requirements regarding integrity include:

• Financial data, the manipulation of which could cause financial loss

• Information which, if published in a corrupted form, could result in recourse claims

• Data which, if corrupted, may lead to incorrect business decisions being taken

• Data which, if corrupted, may result in a deterioration of product quality

An example of applications with particular authenticity requirements is remote access. An example of data with particular requirements regarding non-repudiation would be orders or bookings where the person ordering or booking should be identifiable.

Once the protection requirements have been determined, the next step should be to establish which applications or data are to be protected by cryptographic means. This stipulation can be further refined later, and should be revised regularly.

The result obtained in this way is an overview of all storage locations and transmission links which have to be secured by cryptographic means. The outcome is therefore effectively an IT map with crypto areas marked on it.

Survey of needs and requirements

As an aid to investigating what is required, it makes sense to use a set of questions covering the subject areas in the breakdown shown in the table below. The technical, organisational and economic aspects can each be divided into 4 further subcategories.

Figure: Classification criteria for creating a questionnaire

Among the technical aspects it is important to find out under "User services and applications" for example whether the data concerned is mainly real-time or not. In the utilisation profile category it is necessary to identify the applications and data for which cryptographic procedures are to be used, for example for external communications or for the short-term or longer-term processing of confidential data. Furthermore, information about the network infrastructure and the terminal needs to be established, for example the connection configuration.

The organisational aspects to be considered are the field of use, i.e. user domain or network domain, the question of whether there is an existing migration concept, the envisaged timescale and the operational circumstances for the end user.

The key aspects from the economic standpoint are:

• Rationalisation aspects, for example using a product with transparent encryption instead of manual activation

• Estimates as to quantities required and procurement costs

• Anticipated administration and maintenance costs

Using this survey as a basis, an operations and requirements concept as close to practical reality as possible can be drawn up; this is then used as the starting point for actual implementation decisions and the selection of suitable crypto components and products (see S 2.165 Selection of a suitable cryptographic product).

The approach described above is intended to help staff responsible for security to determine, assess and coordinate the use of security technology in various system localities, network gateways and terminal equipment, as well as the extent to which the technology is to be used. In addition, the question of the appropriateness of IT security is to be answered in the course of the planning phase by determining the necessary degree of protection (protection requirements). The course of action outlined here is a pragmatic approach and takes account of security aspects in open, distributed IT infrastructures, as found in many instances.

The investment in security viewed in this way must be economically justifiable for the respective field of use. The mode of operation of security strategies that are put into practice must take account of the expectations of the end users with regard to flexibility, transparency and performance. The security services, whether planned or integrated, must not impose any restrictions on the end users over and above that which is necessary.