SOC 2 Criteria: CC6.8

ISO 27001 Annex A: A.10.1.1, A.10.1.2, A.14.1.2, A.18.1.5

Keywords: Encryption, key management

Introduction

Encryption is a process in which data is encoded so that it remains hidden from or inaccessible to unauthorized users. It helps securely protect data that you don’t want anyone to have access to. By encrypting our data at rest and in transit, we can better protect private, proprietary and sensitive data and can enhance the security of communication between client applications and servers.

Purpose

This policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity, and nonrepudiation of information.

Scope

This policy applies to all systems, equipment, facilities and information within the scope of Bramble’s information security program. All employees, contractors, part-time, and temporary workers, service providers, and those employed by others to perform work on behalf of the organization having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.

The control is applicable to the production environment and any end user devices that store such data. The production environment includes all endpoints and cloud assets used in hosting Brmbl.io and its subdomains. This may also include third-party systems that support the business of Brmbl.io.

Background

This policy defines the high level objectives and implementation instructions for Bramble’s use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.

Roles & Responsibilities

Role                        Responsibility
Security Assurance          Maintain this Encryption Policy and associated standards
Business or System Owners   Alignment to this policy and any related standards

Encryption at Rest

Data at rest is defined as data that is physically stored and not actively moving from one location to another (i.e., device to device or network to network). This includes data stored on laptops, flash drives and hard drives.

Encryption Method

Bramble encrypts data at rest using a variety of tools including:

Encryption in Transit

Data in transit is defined as data that is actively moving from one location to another (i.e., device to device or network to network). This includes data transferred over public networks such as the internet.

Encryption Method

Bramble encrypts data in transit using a variety of tools including:

  • TLS Strict (SSL-Only Origin Pull), Always Use HTTPS.
  • Utilizing AWS’s which encrypts data in transit by default. Encryption keys are managed by AWS.
  • Conducting Third Party Risk Management activities, which include a review of the encryption methods used by our third party vendors where applicable.

Rolling your own Crypto

We don’t roll our own crypto. If you really think you have a situation where it makes sense to do this, please don’t. If you really really think this is a good idea, it is still not and please don’t. If you’re absolutely sure you have an edge case where this makes sense, please engage with the Bramble security team first so they can work with you on finding an alternative.

Exceptions

Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.

Obtaining Information

When required, customers of Bramble’s cloud-based software platform offering must be able to obtain information regarding:

  • The cryptographic tools used to protect their information.
  • Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions.
  • The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers’ data.

Governing Law

The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by Bramble conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.

Key Management

Except where otherwise stated, keys must be managed by their owners. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.

Key Management Service

All key management must be performed using software that automatically manages key generation, access control, secure storage, backup and rotation of keys. Specifically:

  • The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
  • The key management service must provide key administration access to specifically-designated users, with the ability to create keys, schedule key deletion, enable/disable rotation, and set usage policies for keys.
  • The key management service must store and back up keys for the entirety of their operational lifetime.
  • The key management service must rotate keys at least once every 12 months.
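The four Key Management Service requirements above can be checked mechanically against a key inventory. The following is an added example, not part of Bramble's policy or its tooling; the key record format, field names and sample inventory are assumptions constructed for illustration.

```python
"""Audit a key inventory against the Key Management Service requirements:
designated users for key use, designated key administrators, backup for the
key's operational lifetime, and rotation at least once every 12 months."""
from datetime import date

ROTATION_MAX_DAYS = 365  # "at least once every 12 months"


def audit_key(key, today):
    """Return a list of policy findings for one key record (empty means compliant)."""
    findings = []
    if not key.get("usage_principals"):
        findings.append("no designated users with encrypt/decrypt access")
    if not key.get("admin_principals"):
        findings.append("no designated key administrators")
    if not key.get("backup_enabled"):
        findings.append("key is not backed up")
    if not key.get("rotation_enabled"):
        findings.append("automatic rotation disabled")
    # A key that has never been rotated is measured from its creation date.
    last = key.get("last_rotated") or key["created"]
    age_days = (today - last).days
    if age_days > ROTATION_MAX_DAYS:
        findings.append(f"last rotated {age_days} days ago (>{ROTATION_MAX_DAYS})")
    return findings


def audit_inventory(keys, today):
    """Map each key id to its findings for the whole inventory."""
    return {k["key_id"]: audit_key(k, today) for k in keys}


# Constructed sample inventory (hypothetical key ids and principals).
SAMPLE_KEYS = [
    {"key_id": "key-app-db", "created": date(2023, 1, 10),
     "last_rotated": date(2024, 9, 1), "usage_principals": ["svc-app"],
     "admin_principals": ["kms-admin"], "backup_enabled": True,
     "rotation_enabled": True},
    {"key_id": "key-legacy", "created": date(2022, 3, 5), "last_rotated": None,
     "usage_principals": ["svc-legacy"], "admin_principals": [],
     "backup_enabled": False, "rotation_enabled": False},
]
TODAY = date(2025, 1, 15)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_KEYS, TODAY).items():
        status = "OK" if not findings else "NON-COMPLIANT"
        print(f"{key_id}: {status}", *findings, sep="\n  ")
```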

Secret Key

Keys used for secret key encryption (symmetric cryptography) must be protected as they are distributed to all parties that will use them.

  • During distribution, the symmetric encryption keys must be encrypted using a stronger algorithm with a key of the longest key length for that algorithm.
  • If the keys are for the strongest algorithm, the key must be split, each portion encrypted with a different key of the longest authorized key length, and each encrypted portion transmitted using a different transmission mechanism.

Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.

Public Key

Public key cryptography (asymmetric cryptography) uses public-private key pairs. The public key is passed to the certificate authority to be included in the digital certificate issued to the end user. The digital certificate is available to everyone once it is issued. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

Other Public Key

Other types of keys may be generated in software on the end user’s computer and can be stored as files on the hard drive or on a hardware token. If the public-private key pair is generated on a smartcard, the requirements for protecting the private keys are the same as those for private keys associated with Bramble PKI.

  • If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely.
  • The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the local Information Security representative for secure storage.
  • The Infosec Team shall not escrow any private keys associated with identity certificates.
  • All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with Bramble Password Policy.

Commercial/Outside Organization Public Key Infrastructure (PKI)

In working with business partners, the relationship may require the end users to use public-private key pairs that are generated in software on the end user’s computer. In these cases:

  • The public-private key pairs are stored in files on the hard drive of the end user.
  • The private keys are only protected by the strength of the password or passphrase chosen by the end user.

PGP Key Pairs

If the business partner requires the use of PGP, the public-private key pairs can be stored in the user’s key ring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the only protection of the private keys is the passphrase on the secret key ring, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret key ring.

Personal Identification Numbers (PINs), Passwords and Passphrases

All PINs, passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in Bramble’s Password Policy.

Loss and Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately.

References