Encryption is the process of encoding information in order to protect it. Information can be encrypted at rest (when it is stored) and/or in transit (when it is transmitted over networks). Encryption:
- Reduces the risk of unauthorized access and disclosure.
- Mitigates financial, regulatory, reputational, and institutional risks to U-M and individuals in the event of loss or breach of data.
You are expected to use encryption to secure data at rest and in transit in accordance with Encryption (DS-15) and other applicable U-M policies and standards, as well as with regulatory and contractual obligations.
What Data Needs to Be Encrypted?
- Minimum Information Security Requirements entry for Encryption lists encryption requirements by data type.
- Where technically feasible, the university requires data classified as Restricted or High to be encrypted at rest and in transit. If data cannot be encrypted for technical reasons, an appropriate set of compensating controls must be implemented.
- Encryption requirements also depend on the data's storage location, the type of device it is stored on, and whether it is transmitted within or outside U-M networks.
- Encryption (DS-15) contains reference tables detailing encryption requirements for:
  - Data at rest, depending on location or device type
  - Data in transit, depending on the networks it is transmitted between
Common Encryption Methods
Encryption at rest is typically achieved by either file-level or full-disk encryption. It is important to ensure that unit laptops have full-disk encryption enabled. This is typically achieved with BitLocker on Windows and FileVault on Macs. Depending on who manages your workstations, this may already be done for you:
- MiWorkspace. MiWorkspace-managed laptops are encrypted. Neighborhood IT staff can assist with encrypting other devices as needed.
- Michigan Medicine. Health Information Technology & Services provides devices to Michigan Medicine faculty and staff and is primarily responsible for the maintenance and security standards of those devices, including encryption.
- Unit-Managed Devices. Please contact your unit's IT staff.
Encryption in transit can be accomplished in a number of ways, most commonly through a Virtual Private Network (VPN) (see Secure Your Internet Connection) or over HTTPS. If you manage a web server in your unit, consider configuring it to redirect all unencrypted requests (HTTP) to HTTPS, which provides encryption using TLS. For this, your web server will need an SSL/TLS certificate, which you can get at no charge through Wasup.
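The HTTP-to-HTTPS redirect described above, as an added example for an nginx web server (this configuration is not from the U-M page or a U-M-provided template); the hostname, certificate paths and document root are placeholders you replace with your own, and the certificate is the one you obtain through Wasup.

```nginx
# Added example, not from the original page. Placeholder values:
#   www.example.edu            -> your server's hostname
#   /etc/ssl/...               -> where you installed the certificate and private key
server {
    listen 80;
    listen [::]:80;
    server_name www.example.edu;

    # Every plain-HTTP request is answered with a permanent redirect to the
    # same host and path over HTTPS, so no content is ever served unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.edu;

    # Certificate chain and private key for this host (placeholder paths).
    # The key file should be readable only by root / the nginx user.
    ssl_certificate     /etc/ssl/certs/www.example.edu.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/www.example.edu.key;

    # Accept only current TLS versions; older versions have known weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Going beyond the page text: HSTS tells browsers that have visited once to
    # use HTTPS for this host for the next year, even if a user types http://.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/html;   # placeholder document root
}
```

After reloading nginx, confirm the behaviour by requesting the site over plain HTTP and checking that the response is a 301 whose Location header starts with https://.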
Email and Encryption
Email—a type of data that goes through in-transit and at-rest states—presents particular concerns and challenges. Email is generally sent and stored as clear text, meaning that anyone with access to the network it is sent through, or devices it is stored on, can potentially read it.
These characteristics make email an inherently insecure method of communication. Avoid using email to transmit sensitive data. If you must send sensitive information through email, use encrypted email attachments.
Cryptographic keys are a type of IT security information that is classified as High.
- Have a key management plan. If you manage encryption keys in your unit for full-disk encryption, database encryption, or unit-specific password management, it is important to have a key management plan in place. The plan can be technical and/or administrative, and it should account for the situations that apply to your unit. Examples of topics to include are staff turnover, cipher deprecation, and key recovery and expiration.
- Store keys securely. Encryption keys must be stored separately from the data they are used to unlock; the keys should be on a different machine from the data. If encrypted data and its associated encryption keys are on the same machine, for example, an attacker who compromises that machine will be able to decrypt the data.
You are responsible for complying with the policies and standards below. The requirements on this page help you meet that responsibility.