Data Encryption in Transit Guideline

NOTE: The Information Security Office recently updated the UC Berkeley's Data Classification Standard and Protection Profiles for the Campus. These number changes are reflected on this page.

--------------------

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance to assist with achieving the Data Encryption in Transit requirement.

Requirements

Resource Custodians and anyone moving covered data through a network must use secure, authenticated, and industry-accepted encryption mechanisms. 

See Approved Exceptions section to see where this requirement is not applicable.

Description of Risk

Malicious users may intercept or monitor plaintext data transmitting across unencrypted network and gain unauthorized access to that jeopardize the confidentiality of the sensitive data.

Recommendations

Covered data must be encrypted when transmitted across networks to protect against eavesdropping of network traffic by unauthorized users. In cases where source and target endpoint devices are within the same protected subnet, covered data transmission must still be encrypted as recommended below due to the potential for high negative impact of a covered data breach.  The types of transmission may include client-to-server, server-to-server communication, as well as any data transfer between core systems and third party systems.  

Email is not considered secure and must not be used to transmit covered data unless additional email encryption tools are used.  See Additional Resources section for email encryptions options and see Approved Exceptions section to see where this requirement is not applicable.

Consider the following recommendations for designing secure transit of covered data.

  1. Where the covered device is reachable via web interface, web traffic must be transmitted over Secure Sockets Layer (SSL), using only strong security protocols, such as Transport Layer Security (TLS).
  2. Covered data transmitted over email must be secured using cryptographically strong email encryption tools such as PGP or S/MIME (see email encryption link in Additional Resources section).  Alternatively, prior to sending the email, user should encrypt covered data using compliant File Encryption tools and attach the encrypted file to email for transmission.  
  3. Non-web transmission of covered data should be encrypted via application level encryption
    • Where the application database resides outside of the application server, the connection between the database and application should also be encrypted using FIPS compliant cryptographic algorithms
  4. Where application level encryption is not available for non-web covered data traffic, implement network level encryption such as IPSec or SSH tunneling (for more details on these technologies, see Additional Resources)
  5. In general, encryption should be applied when transmitting covered data between devices in protected subnets with strong firewall controls.  *See Known Exceptions section to see where this requirement is not applicable. 

Examples of insecure network protocols and their secure alternatives include:

 Instead of...Use...
Web Access HTTP HTTPS
File transfer FTP, RCP FTPS, SFTP, SCP, WebDAV over HTTPS
Remote Shell telnet SSH2 terminal
Remote desktop VNC radmin, RDP

Picking Encryption Algorithms

When selecting algorithms to encrypt covered data, keep these considerations in mind:

  • For the same encryption algorithm, longer encryption key length generally provides stronger protection.
  • Long complex passphrases are stronger than shorter passphrases.  Please refer to campus passphrase security standard for additional guidance. 
  • Strong encryption generally consumes more CPU resources than weak encryption.

Wireless Connections

When connecting to wireless networks to access a system handling covered data, only connect to wireless networks employing cryptographically strong wireless encryption standards such as WPA2.  Encryption mechanisms described in the section above must also be applied in addition to strong wireless network encryption to ensure end-to-end protection. 

Relevant Campus Services

ISO CalNet team provides InCommon Certificate Services that distributes Comodo certificates for encryption and authentication needs.  

Link: https://calnetweb.berkeley.edu/calnet-technologists/calnet-incommon-comodo-certificate-service

Approved Exceptions

Data encryption in transit (as defined in MSSEI requirement 15.1, and further described in this guideline) is not required in the following three narrowly defined scenarios. Information Security and Policy approved these exceptions based on an exception request submitted by Network and Operations Services, after performing a security risk assessment. Because these exceptions are the result of a point-in-time evaluation of risk, they will be reviewed on an annual basis, and will be updated as needed.

  1. Covered data (UC P2/P3) traversing only within the Earl Warren Hall (EWH) data center network does not require encryption in transit.   For example, this exception applies when transferring covered data between two servers residing in the EWH data center. However, the exception does NOT apply – i.e., encryption is required – when a user is accessing covered data on a server in the EWH data center from a desktop in a second floor office in EWH.

    Any device on the same subnet as a UC P4 system that uses this encryption in transit exception is required to meet UC P4 requirements. All other UC P4  security controls, including the protected subnet requirement, do still apply to covered devices residing on the Earl Warren Hall data center network.
     
  2. UC P2/P3 data is not required to meet MSSEI encryption in transit requirements when traversing the UC Berkeley campus wired network.  The UC Berkeley campus wired network generally falls under UC Berkeley campus IP address spaces as defined athttp://net.berkeley.edu/access/ucb-nets.shtml. For more specific guidance on which IP address ranges are part of the campus wired network, please review the Wired Campus Network Firewall Recommendations page (requires CAS authentication).

    This exception does not include transmission over the CENIC network to the San Diego Super Computer data center (e.g., UC Backup), off campus networks that are still part of the campus IP address space, or wireless networks such as Airbears. Applications or systems (e.g. file servers) wishing to take advantage of the campus wired network encryption exception must restrict access to and from all other networks. This can be accomplished by applying firewall rules.
     
  3. Email with UC P2/P3 data routed only within the berkeley.edu domain (bMail) is encrypted in transit by default, and therefore does not require additional encryption.

    Email forwarding to non-berkeley.edu addresses invalidates this exception, because encryption between UC Berkeley and external mail servers cannot be guaranteed.  Campus units using email for institutional processes involving UC P2/P3 data should establish unit-wide policies that restrict staff and faculty from forwarding their email outside of the berkeley.edu domain.
These requirements for handling institutional data are not applicable to an individual's use and handling of data about himself or herself.

Additional Resources

References to Encryption Procedures