• Report an Incident
• Incident Information
• Self Service Security
• Services and Products
• Best Practices
  • Staff
  • Workstations
  • Personal Systems
  • Servers
  • Mobile Devices
  • Medical Devices
  • All Best Practices
    • Backups
    • Desktop locking
    • Encryption Solutions
    • Information Security Checklist
    • Keep your accounts secure
    • Physical security
    • Recommendations for Securing Mobile Devices
    • Turn off unnecessary services
    • Update the operating system
    • Updating non-operating system software
    • Using a firewall
    • Using anti-spyware
    • Using anti-virus
• Policies, Guidelines and Procedures
• Security Awareness, Training and Education (SATE)
• Vulnerability Information
• About EIS
• What's New

---

Encryption Solutions

New laws and policies intended to prevent unauthorized access to certain types of information are regularly being updated with stricter security requirements (UCSF 650-16, Information Security and Confidentiality). While campus units have been encouraged to eliminate unnecessary electronic storage of sensitive personal information, the need to protect sensitive data necessary to conduct university business remains.

To assist campus departments and community members who do not have the resources to deploy proper encryption with appropriate key management as defined in Encryption at the University of California: Overview and Recommendations, OAAIS offers these encryption services to the UCSF community. (These services are supported only where indicated.)

Other departments such as the UCSF Medical Center and School of Medicine may offer alternative encryption products or options for their clients. Work with your department Computer Support Coordinator (CSC) to find the best solution for your environment.  

Entrust (Standard or Advantage) Server Certificates (SSL) [Supported by EIS] - Provides website identification and enables 128 and 256 bit encryption between common Web browsers and Web servers. An Advantage Server Certificate provides the ability to secure two virtual web servers using the same SSL certificate via the Subject Alternative Name (SubjectAltName) extension.
Pointsec [Supported by EIS; recharge] - A symmetric encryption software that provides whole disk encryption.
PGP [Supported by EIS; recharge] - An asymmetric encryption software that provides volume, email, Instant Messaging, and NetShare encryption. (coming Fall 2008)
Secure Email (Tumbleweed) [Hosted by the UCSF Medical Center IT] - an email gateway that captures messages flagged for protection.
Secure Shell (SSH) and Secure FTP [OAAIS] – An encrypted shell command program used to securely access a remote computer.
Stunnel: Universal SSL Wrapper [OAAIS] - Stunnel is a "Secure Tunnel" that allows normal, unencrypted programs to have a secure link over the network using SSL (Netscape's Secure Sockets Layer, currently the most widely used method for performing secure transactions on the web).
UCSF Remote Access (VPN) [Supported by EIS] – A web interface to access restricted resources remotely. The UCSF Medical Center also provides VPN services for their users. Each system addresses different needs and offers different options.

What is encryption?

Encryption is the process of converting information into an encoded form making it readable only by someone with the knowledge of how it was encrypted.  Electronic information can be divided into two major categories: 1) information that is stored ("at rest") and 2) information moving along a network ("in flight").  Encryption may be required in both of these categories to help prevent unauthorized access to personal, confidential, and Protected Health Information.

A strong encryption program must provide a key length of 128 bits or larger for symmetric encryption and 1024 bits or larger for public-key encryption.

Why should I use encryption and when is it required?

Encryption can be applied to storage devices (data "at rest") and to network data (data "in flight").  What type of computing device, what network you are communicating from/to, and if you have confidential or Protected Health Information will dictate whether or not encryption is recommended or required.  The full encryption guidelines from UCOP can be found here.  Encryption is not needed if you do not store or work with personal, confidential, or Protected Health Information.  Therefore it's best not to have any of this information unless it's actually needed.

Scenarios in which storage encryption is REQUIRED:

• Possession of personal, confidential, or Protected Health Information AND
• Computing device is a mobile device OR
• Computing device is a personal system OR
• Storage device is removable (portable) OR
• Access to the storage device is not in a physically secure environment.

Scenarios in which network encryption is REQUIRED

• Use of personal, confidential, or Protected Health Information over a network
• The information is not already encrypted by means of storage encryption AND
• Any part of the data transmission is outside of the trusted network AND
• Access is part of an interactive session OR
• Access to this information is not entirely over a trusted network (Find out now)  OR
• Access to a system containing personal, confidential, or Protected Health Information is not entirely over a trusted network

Examples of common tasks where encryption is REQUIRED

• Use of electronic personal, confidential, or Protected Health Information AND
• The information is being sent by:
• Email OR
• Webmail OR
• Web browser OR
• Traditional mail (US Post Office) OR
• Courier OR
• Instant messenger (Yahoo, AOL, MSN, etc.) OR
• Peer-To-Peer network OR
• Wireless (WiFi, 802.11, Cell phone, EV-DO, GPRS, Blackberry, etc.) OR

• A backup of the information is created

Please tell us what you think of our new website