intelliHR's Encryption Policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity, and non-repudiation of information. This policy applies to all systems, equipment, facilities and information within the scope of intelliHR’s information security program. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of the organization that involves cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.
Background
This policy defines the high-level objectives and implementation instructions for intelliHR’s use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.
Policy
Cryptography Controls
intelliHR must protect individual systems and information by means of cryptographic controls that follow current best practices. Please reference: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Obtaining Information
When required, customers of intelliHR’s cloud-based software platform offering must be able to obtain information regarding:
- The cryptographic tools used to protect their information
- Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions
- The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers’ data
Governing Law
The use of organisationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by intelliHR conforms to international standards and U.S. import/export requirements and thus can be used across international boundaries for business purposes.
Encryption in transit
Strong cryptographic and security protocols (TLS, IPsec, SSH) are to be used at all times for all data entering or exiting the intelliHR perimeter (i.e. the Virtual Private Cloud on AWS).
The operations team shall ensure that:
- All incoming endpoints are secured with at least TLS 1.2
- All incoming public endpoints have a valid, properly signed TLS (SSL) certificate
- All database connections are secured with TLS (SSL)
At no time shall an employee of intelliHR transfer any data to or from the AWS perimeter through plaintext protocols such as FTP or HTTP.
Encryption at rest
Whenever possible, operations shall ensure that data is encrypted at rest through built-in AWS controls. Where the data being stored is personally identifiable information (PII) or contains sensitive information such as access keys and secrets, and there is no built-in encryption control, the client storing the data must handle the encryption.
When using any of the following AWS services, encryption at rest must be enabled where practical to do so:
- EC2
- DynamoDB
- RDS
- S3
- SSM
Key Management
Except where otherwise stated, keys must be managed by their owners. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
Key Management Service
All key management must be performed using software that automatically manages key generation, access control, secure storage, backup, and rotation of keys. Specifically:
- The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys
- The key management service must provide key administration access to specifically designated users, with the ability to create keys, schedule key deletion, enable/disable rotation, and set usage policies for keys
- The key management service must store and backup keys for the entirety of their operational lifetime
- The key management service must rotate keys at least once every 12 months
AWS KMS
Where possible, AWS KMS should be used for encryption key management. Default (AWS-managed) KMS keys are not to be used. intelliHR-managed keys have been deployed into each AWS account and these are to be used in place of the default keys. When a key for a new service is required, the operations team is to deploy that key via CloudFormation templates.
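The following CloudFormation template is an added illustration of how a customer-managed KMS key meeting the Key Management Service requirements above (designated key users, designated key administrators, rotation at least every 12 months, a non-default alias) could be declared; it is not intelliHR's own template, and the parameter names, the alias scheme and the role split are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Customer-managed KMS key with yearly rotation and split user/admin access
Parameters:
  ServiceName:
    Type: String   # service the key is for, e.g. "payroll-db" (assumed naming)
  KeyAdminRoleArn:
    Type: String   # IAM role of the designated key administrators (assumed)
  KeyUserRoleArn:
    Type: String   # IAM role of the designated key users (assumed)
Resources:
  ServiceKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true   # automatic yearly rotation satisfies the 12-month rule
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: RootAccountAccess   # keeps the key manageable even if role ARNs change
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: KeyAdministrators   # lifecycle operations only, no Encrypt/Decrypt
            Effect: Allow
            Principal:
              AWS: !Ref KeyAdminRoleArn
            Action:
              - kms:DescribeKey
              - kms:EnableKeyRotation
              - kms:DisableKeyRotation
              - kms:PutKeyPolicy
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: KeyUsers   # data-path operations only, no administration
            Effect: Allow
            Principal:
              AWS: !Ref KeyUserRoleArn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Resource: '*'
  ServiceKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/intellihr/${ServiceName}   # never the alias/aws/* default keys
      TargetKeyId: !Ref ServiceKey
```

Because the key is created by the CloudFormation deployment itself, the administrator role is granted lifecycle actions (rotation, policy, deletion scheduling) rather than key creation, and neither role can perform the other's actions.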
SSH Keys
SSH keys are to be stored in 1Password and/or AWS SSM. Keys for production environments are not to be accessible by any personnel outside of the operations team.
Other Public Keys
Other types of keys may be generated in software on the end user’s computer and can be stored as files on the hard drive or on a hardware token. If the public-private key pair is generated on a smartcard, the requirements for protecting the private keys are the same as those for private keys associated with the intelliHR PKI.
- If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely
- The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the local Information Security representative for secure storage
- The Infosec Team shall not escrow any private keys associated with identity certificates
- All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with intelliHR Password Policy
Commercial/Outside Organisation Public Key Infrastructure (PKI)
In working with business partners, the relationship may require the end users to use public-private key pairs that are generated in software on the end user’s computer. In these cases:
- The public-private key pairs are stored in files on the hard drive of the end user
- The private keys are only protected by the strength of the password or passphrase chosen by the end-user
PGP Key Pairs
If the business partner requires the use of PGP, the public-private key pairs can be stored in the user’s keyring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the only protection of the private keys is the passphrase on the secret keyring, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret keyring.
Hardware Token Storage
Hardware tokens storing encryption keys will be treated as sensitive company equipment, as described in intelliHR’s Physical Security Policy, when outside company offices.
- All hardware tokens, smartcards, USB tokens, etc., will not be stored or left connected to any end user’s computer when not in use
- For end users traveling with hardware tokens, they will not be stored or carried in the same container or bag as any computer
Personal Identification Numbers (PINs), Passwords and Passphrases
All PINs, passwords, or passphrases used to protect encryption keys must meet complexity and length requirements described in intelliHR’s Password Policy.
Loss and Theft
The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately.
Audit Controls and Management
All encryption, decryption, and key management activities are to be logged via CloudTrail. CloudTrail must be enabled in all AWS accounts, and a copy of the CloudTrail logs is to be sent to the auditing AWS account for future analysis if required.