Encryption
Questions 60 to 63 — check your requirements for encryption — the why, how, who, where and when of the information you need to encrypt.
Questions 60 to 63 — Encryption
Table 1 lists who is responsible for answering each question. There are multiple questions that both your government organisation and the service provider need to answer.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
60. Have requirements for the encryption of the information that will be placed in the public cloud service been determined?
61. Does the public cloud service use only approved encryption protocols and algorithms, as defined in the New Zealand Information Security Manual (NZISM)?
62. Which party is responsible for managing the cryptographic keys — the government organisation or service provider?
    - Check — does your answer affect your data sovereignty? See: Sovereignty over the information
63. Does the party responsible for managing the cryptographic keys have a key management plan that meets the requirements defined in the NZISM?
| Entity | Questions to answer |
|---|---|
| Government organisation | 60, 61, 62, 63 |
| Service provider | 61, 62, 63 |
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — NZISM
Context and help for questions 60 to 63
The following guidance gives you context and help for answering questions about encryption.
Limits of encryption for confidentiality
Encryption is often presented as the solution for addressing risks to confidentiality in public cloud services. However, there are important limits to encryption that government organisations need to consider when determining their encryption requirements.
Requirements for encryption
Government organisations must work out their specific requirements for protecting information using encryption. Think about the following points.
What information needs to be encrypted
For the information you’re holding in a public cloud service, see if you need to encrypt:
- all information
- only certain data types
- just specific database rows, columns or entities.
Why the information needs to be encrypted
You might need to encrypt information to meet the requirements of a policy or standard. Make sure you know which policies or standards apply to your information and organisation.
Government organisations must, for example, meet their obligations under the:
How the information should be encrypted
See which protocols, algorithms and key lengths you should use to encrypt your information.
The interception of data in transit is an inherent risk whenever information goes through a network — especially a network that the government organisation does not own or manage, such as the internet or a service provider’s network.
Government organisations must ensure that the public cloud service encrypts all sensitive data, including authentication credentials, in transit. Use only the encryption protocols, algorithms and key lengths approved in the NZISM.
Who encrypts the information and manages the keys
This will either be your organisation or the service provider.
If a public cloud service is capable of storing data in an encrypted format, government organisations must know if it’s them or the service provider who is responsible for managing the encryption keys — also called cryptographic keys. The NZISM details the practices required to effectively manage cryptographic keys.
If the service provider has access to or manages the cryptographic keys, they will be able to decrypt and access the information you’re holding in the public cloud service. This affects data sovereignty if encryption is used to treat risks related to information being stored outside New Zealand.
Sovereignty over the information
The party that manages the cryptographic keys must have an effective key management plan. This protects the encryption keys from being compromised, which might otherwise lead to the:
- unauthorised disclosure of information
- government organisation no longer being able to access its information
- government organisation not meeting its obligations under certain NZ legislation.
Where the information should be encrypted and decrypted
Work out if the encryption and decryption should be done within:
- your organisation
- the client devices
- the service provider.
When the information needs to be encrypted and decrypted
See if the encryption and decryption need to happen:
- in transit
- by the application — for example, message encryption
- at rest.
While encryption is an effective control for protecting the confidentiality of data at rest, there are limits when the data needs to be processed by a business rule.
Data needs to be unencrypted for business rules in an information system to process it. This may make it impractical or impossible to encrypt data stored within a public cloud service that processes information — instead of just storing it.