Cyber Security
Executive Summary
This report defines and explains the vital aspects required for the effective and efficient operation of cryptography in securing the network and data of the Health Insurance Company. Laws, standards, and regulations govern the operation and application of cryptography in protecting the organizational network and information; these rules define the dos and don'ts that support effective operations. Risks and threats present barriers to the application of cryptography, and the enforcement of policies ensures that cryptography meets its objectives of securing and protecting vital and confidential data. The successful operation of cryptography takes a series and combination of activities because of the challenges and barriers experienced in the course of implementation. The institution of laws, regulations, standards and policies ensures that the perceived challenges are eliminated for the effective and efficient protection of corporate data. Equally important, the set policies, laws, standards and regulations themselves face environmental threats and risks, thus calling for appropriate policy enforcement. Therefore, the effective operation of cryptography is characterized by checks and balances that eliminate the barriers and challenges of implementation.
Introduction
Cryptography is a vital aspect of cybersecurity in protecting data and information from landing in the wrong hands or with third parties. If organizational information and data land in the wrong hands, they can be used against the organization in financial and social terms. These facts have inclined organizations to adopt cryptography to improve the security of the company network and operations. Cryptography is the art of protecting data by transforming it into an unreadable format referred to as ciphertext, such that only parties holding the secret key can decipher the message back into plain and understandable text (Tripathi and Agrawal, 2014). In organizations such as the Health Insurance Company, cryptography is adopted to protect and secure the confidential information of patients, financial records, treatment records, corporate data and all forms of communication such as emails and SMSs. As the Chief Information Security Officer (CISO), one needs to understand the aspects and operations of cryptography in terms of the laws, standards, and regulations governing its operations, the policies within which it operates, threats to the environment and its operations in countering
Cryptography Laws, Regulations, And Standards
Cryptography standards, laws, and regulations govern the operations and activities involved in protecting and securing systems and data. Nations and states develop legislation to govern the operation of cryptography (Lee and Lee, 2008). The regulations and laws on cryptography are dynamic because of the commercial and international application of cryptographic techniques. First, the patent system is protected by law to enhance the protection of cryptographic innovations and technologies, using the doctrine of equivalents.
Trade secret law on cryptography ensures that innovators are in a position to use, publish and protect their cryptographic algorithms. Cryptography is regulated internationally through the use of the Escrowed Encryption Standard (EES), or Clipper chip. On regulation, various clauses and best practices are used to enhance the security of information and data (Lee and Lee, 2008). The protection of security technology demands that the technology be protected from tampering and that security documentation not be disclosed unnecessarily. More so, the cryptographic key management requirement dictates the procedures and policies to be employed in organizing the change, generation, distribution, certification, destruction, revocation, entry, storage and protection of keys (Saper, 2012). Therefore, the laws, standards, and regulations are inclined to ensure that the operations of cryptographic techniques are protected.
Policies Enforced in the Operations of the Cryptography Techniques
Policies are enforced in cryptography to enhance the appropriate application of the different techniques. There are policy guidelines on the exchange of sensitive data that are enforced in the interest of the parties involved (Jahid et al., 2012). The exchange of sensitive data must be done through a trusted medium with controls that provide non-repudiation of origin, proof of receipt, proof of submission, and authenticity of the content. Consequently, there are enforcements on the security requirements for data management. The enforcement demands the application of procedures and policies that recognize the security needs applicable to meeting business objectives, storage, processing, receipt, and the organizational security policy (Saper, 2012). Moreover, there is the enforcement of security standards in the protection of entities such as the Health Insurance Companies.
The enforcement of standards involves ensuring the availability, confidentiality, and integrity of electronic health data, whether created or in transit. Protection against anticipated threats to the integrity and security of health information, and protection from any unreasonable disclosures, are enforced in the form of policies. There is also the enforcement of technical safeguard policies. The enforcements, in this case, include the implementation of effective techniques to encrypt and decrypt electronic protected data. The HITECH Act needs to be observed in encrypting confidential patient information that should be protected (Saper, 2012). The policies in cryptography are enforced to ensure that laws, regulations, and standards are observed in handling corporate information.
Cryptography Environmental Threats
Cryptography faces threats and risks that endanger the information and data stored in or transiting an organization. The threats and risks act as barriers to the protection and safety of information. Political discourse is a major threat affecting the operations of cryptography in protecting information and data. Government threats to cryptography lead to apprehension in the security community, making operations uneasy (Petroulakis, Askoxylakis, and Tryfonas, 2012). Government and intelligence agencies interfere with the operations of cryptography, thus posing a threat. Consequently, the loss of confidentiality poses a technical threat to protecting information. Loss of confidentiality arises from the loss of utility, availability, possession, authenticity, and integrity, making protected information vulnerable.
The loss of confidentiality can be equated to the misuse of cryptography, which results in irredeemable damage to users and owners. Additionally, cryptographic attacks and information theft are eternal environmental threats to cryptography. The attacks and thefts take place when encryption codes are broken or the private keys attached to the cryptographic system are lost. This threat leaves the system exposed and vulnerable to attack (Hwang, 2015). Environmental threats to cryptography cause expensive damage to organizations, thus calling for effective mitigation strategies.
Table 1: Environmental security threats

Goal                      Threat
Data confidentiality      Exposure of data
Data integrity            Tampering with data
System availability       Denial of service
Exclusion of outsiders    System takeover by viruses
How The Cryptographic Mechanisms Enforce the Policies in the Presence of the Threats
Threats are common to cryptographic mechanisms because interested parties break encryption codes to access information or data of interest. Attacks and information theft are countered by enforcing policies through defined approaches and best practices. First, risk-mitigation policies are implemented through lifecycle management of cryptographic keys. This strategy entails developing a set of operations to create, maintain, control and protect cryptographic keys. In this case, new keys are created and, once they reach the end of their useful life, they are retired and others are created, and the cycle continues (Hwang, 2015). This approach is effective in eliminating threats that have already entered the system.
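As an added example that is not part of the report or its cited sources, the following Python sketch models the key lifecycle just described (generation, retirement, destruction) for data-integrity keys; the class names and the choice of HMAC-SHA256 as the protected operation are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class ManagedKey:
    key_id: int
    material: bytes
    state: str = "active"  # active -> retired -> destroyed

class KeyLifecycle:
    """Assumed design: only the active key makes new tags, retired keys still
    verify old tags until destroyed, and a destroyed key verifies nothing."""

    def __init__(self):
        self.keys = {}
        self.active_id = None
        self.rotate()  # create the first active key

    def rotate(self):
        # Generation: a fresh 256-bit key becomes the only active key and the
        # previous active key is retired (kept only to verify older tags).
        if self.active_id is not None:
            self.keys[self.active_id].state = "retired"
        key_id = len(self.keys) + 1
        self.keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32))
        self.active_id = key_id
        return key_id

    def destroy(self, key_id):
        # Destruction: drop the material; rotate first if the key is active.
        key = self.keys[key_id]
        if key.state == "active":
            raise ValueError("rotate before destroying the active key")
        key.material = b""
        key.state = "destroyed"

    def protect(self, data):
        # Tag with the active key; the key id travels with the tag so the
        # verifier knows which (possibly retired) key to check against.
        key = self.keys[self.active_id]
        return key.key_id, hmac.new(key.material, data, hashlib.sha256).digest()

    def verify(self, data, key_id, tag):
        key = self.keys.get(key_id)
        if key is None or key.state == "destroyed":
            return False
        expected = hmac.new(key.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```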
Three levels of defense are adopted in eliminating threats and risks in the system. First, firewalls are used to filter threats and risks within the network. Firewalls, in hardware, software or combined form, prevent unauthorized access within a private network. This system ensures that threats in the system are eliminated with time. Network-level security such as IPsec provides host-to-host authentication and encryption, and provides security without application knowledge. This defense level ensures that threats such as unauthorized access to directories and files through misuse, unauthorized changes, and hacking are prevented (Hwang, 2015). Finally, application-level security provides true end-to-end security to detect and eliminate threats and risks within the system. This defense level ensures that the system is free from any threats.
Table 2: Defense levels used in enforcing cryptography policies

Three Levels Of Defense
Level                                  What it provides
Firewalls                              Filtering "dangerous" traffic at a middle point in the network
Network level security (e.g. IPsec)    Host-to-host encryption and authentication; can provide security without application knowledge
Application level security             True end-to-end security; requires extra effort per application; libraries such as SSL/TLS help
Conclusion
Cryptography is vital in the protection of data and information in a system despite the challenges posed by threats and risks. Cryptographic techniques are implemented with the aim of protecting data and eliminating threats and risks to it. In this regard, cryptography is implemented in line with set laws, regulations, and standards to ensure its effective and appropriate use in meeting the desired goals and objectives of an organization. The set policies are continuously enforced to ensure that the set regulations, standards and laws are observed in protecting organizational data. The policies are therefore enforced on the exchange of sensitive information, data management requirements, and the enhancement of security standards. Moreover, cryptography faces environmental threats that hinder the protection and security of data. The threats, in this case, include government interference, interference with confidentiality, cryptographic attacks and theft of information. Lastly, the enforcement of policies to counter threats in the system is achieved through the application of different levels of defense. The levels of defense entail the use of firewalls, network-level security, and application-level security.
References
Hwang, Y. H. (2015, April). IoT security & privacy: threats and challenges. In Proceedings of the 1st ACM Workshop on IoT Privacy, Trust, and Security (pp. 1-1). ACM.
Jahid, S., Nilizadeh, S., Mittal, P., Borisov, N., & Kapadia, A. (2012, March). DECENT: A decentralized architecture for enforcing privacy in online social networks. In 2012 IEEE International Conference on Pervasive Computing and Communications Workshops (pp. 326-332). IEEE.
Lee, W. B., & Lee, C. D. (2008). A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Transactions on Information Technology in Biomedicine, 12(1), 34-41.
Petroulakis, N. E., Askoxylakis, I. G., & Tryfonas, T. (2012, June). Life-logging in smart environments: challenges and security threats. In 2012 IEEE International Conference on Communications (ICC) (pp. 5680-5684). IEEE.
Saper, N. (2012). International cryptography regulation and the global information economy. Nw. J. Tech. & Intell. Prop., 11, xv.
Tripathi, R., & Agrawal, S. (2014). Comparative study of symmetric and asymmetric cryptography techniques. International Journal of Advance Foundation and Research in Computer (IJAFRC), 1(6), 68-76.