Encryption

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but denies the message content to the interceptor.

In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.

An authorized recipient can easily decrypt the message with the key, which the originator provides to recipients but not to unauthorized interceptors.

Any and all mobile devices (laptops, tablets, USB devices, phones etc.) should be encrypted to ensure the data they hold remains protected.

Classify the data you hold – not all of it will need to be protected by encryption.

Always use an encryption methodology that has been approved by CESG (UK Government accreditation body).

We use and recommend Becrypt (CESG Approved).

Data Classification

The UK Government Classification Scheme (GCS) changed in April 2014.

A major drive for UK Government is the need to reduce costs and achieve a better balance between usability and security, whilst still using appropriately assured platforms that make use of modern and rapidly evolving technology.

The previous protective marking scheme of UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET (roughly mapping to IL 1 up to IL 6) has been replaced by a simplified three tier Government Security Classification policy, namely OFFICIAL, SECRET and TOP SECRET. It’s not surprising that due to the scale of these changes there is a significant amount of uncertainty, especially surrounding data that was previously classified as RESTRICTED and CONFIDENTIAL (IL3 & IL4).

The vast majority of government data and routine business operations is covered by OFFICIAL, with the possibility that some of the more sensitive data within this tier is categorised as OFFICIAL-SENSITIVE, where stronger controls may be appropriate.

Government guidance is that all HMG data will have a Protective Marking, and required data protection should be achieved by products assured by CESG.

Whatever the classification of your data, Becrypt is the only software vendor that can offer assured disk encryption that targets the complete range of Security Classifications:

Classification          Product
OFFICIAL                DISK Protect CPA
OFFICIAL-SENSITIVE      DISK Protect CPA / DISK Protect CPA+
SECRET / TOP SECRET     DISK Protect Enhanced

Encryption products that have only achieved cryptographic validations, such as FIPS 140-2, do not meet guidelines.

CESG Assisted Product Service (CAPS)

CESG (Communications Electronics Security Group) is the UK National Technical Authority responsible for Information Security certifications and guidance.

The CESG Assisted Product Scheme (CAPS) provides assured products for use by UK Government and affiliated organisations, where there is a need to protect UK Government Protectively Marked information. CAPS products are also used by certain international communities, including NATO and the EU.

The CAPS Service provides verification of the implementation of cryptographic products to Government standards and formally approves their use by Central Government and the wider public sector. Every version of each product undergoes stringent code-level review by CESG to ensure that security measures are correctly implemented, and security objectives are appropriate.

Advanced Port Control (APC) is the only CAPS approved port control solution.

DISK Protect Baseline is a full disk encryption product that can be used to reduce the protective markings of data as follows:
CONFIDENTIAL to RESTRICTED
RESTRICTED to UNCLASSIFIED

DISK Protect Enhanced is a full disk encryption product that can be used to reduce the protective markings of data as follows:
TOP SECRET to SECRET
SECRET to RESTRICTED
CONFIDENTIAL to UNCLASSIFIED

Media Client Baseline enables the secure transfer of RESTRICTED data on media (USB, CD/DVD or zip files).

Apart from APC, Becrypt products that are certified under CAPS require sales approval from CESG and key material from UK Key Production Authority (KPA). For detailed operational guidance, users should refer to the relevant Security Procedures (available from CESG).

Laptops and USB devices

Laptops & USB drives need to be encrypted to stop loss of critical business data.

Any device which is away from the “secure perimeter” of the office needs to be protected.

All mobile devices that connect to the internal office network may hold critical business or personal data.

Any unencrypted mobile device that is lost or stolen could pose a huge security risk to the business because of the confidential data it holds.

DISK Protect is an assured full disk encryption solution securing data on touch-screen tablets, laptops, desktops and removable media from theft and loss. Devices can be encrypted at any time and, once installed, all data is encrypted transparently, allowing authorised users to access data with no impact on performance. DISK Protect is available in a number of approved variants, suitable for protecting commercially sensitive data right through to a high-grade version that is used to protect UK classified data (up to SECRET).

DISK Protect Touch gives you all the benefits of a full disk encryption solution, with the added provision of an on-screen digitised keyboard for pre-boot authentication (no external keyboard is required). Becrypt DISK Protect Touch is unique in that it supports a wide range of touch-screen devices, without reliance on hardware manufacturers to present the on-screen keyboard at pre-boot.

A Removable Media Module enables the encryption of data written to removable media, and may either employ a personal Encryption Key or a shared Encryption Key allowing authorised users to exchange protected data.

Memory sticks and SD cards

Memory sticks and SD cards need to be encrypted to stop loss of critical business data; any device which is away from the “secure perimeter” of the office needs to be protected.

Becrypt Media Client is a unique Government approved solution to allow flexible data sharing between businesses and departments for protectively marked data. By enabling users to seamlessly create and read encrypted files or folders on all standard media storage, Media Client facilitates collaboration with internal and external stakeholders, while ensuring data confidentiality.

Removable Media Module is available within DISK Protect, and is typically used where media is not required to be shared outside an organisation. Each endpoint device requires an installation of DISK Protect.