SB.5.001 Encrypted data storage

Cryptography
Medium
Medium
n/a
System Owner
Version: v2.0 (Q1 2024)

Description

Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.

Specification

Encryption can take place at the application, database, file system or entire disk level. The latter, Full Disk Encryption, is the preferred method of encrypting data-at-rest.

Based on the classification of the data, determine the requirements for data encryption.

Endpoints should support Intel® AES-NI technology, UEFI and GPT platforms.

Decryption keys may only persist on endpoints inside the TPM (Trusted Platform Module).

Data on unmanaged devices must be stored encrypted. It is recommended that this is done in encrypted containers managed by the organisation, so that users are not themselves responsible for encrypting the unmanaged device. Note also the requirements surrounding key management.

The cryptographic modules used must be NIST-validated with an ‘active’ status: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

Symmetric encryption of data-at-rest with a block cipher must use a NIST-approved cipher together with a corresponding NIST-approved mode of operation: https://csrc.nist.gov/projects/block-cipher-techniques

Specification (ISO)

Encryption can take place at the application, database, file system or entire disk level. The latter, Full Disk Encryption, is the preferred method of encrypting data-at-rest.

Determine the requirements for data encryption and the threats against which the data must remain protected. Data can be intercepted now and decrypted in the future, once technology, especially in the field of quantum computing, has advanced far enough. If the data has to remain confidential in a post-quantum scenario, follow the NCSC guidelines: https://www.ncsc.nl/documenten/publicaties/2022/juli/guidelines-for-quantum-safe-transport-layer-encryption/guidelines-for-quantum-safe-transport-layer-encryption

Endpoints should support Intel® AES-NI technology, UEFI and GPT platforms.

Decryption keys may only persist on endpoints inside the TPM (Trusted Platform Module).

Data on unmanaged devices must be stored encrypted. It is recommended that this is done in encrypted containers managed by the organisation, so that users are not themselves responsible for encrypting the unmanaged device. Note also the requirements surrounding key management.

The cryptographic modules used must be NIST-validated with an ‘active’ status: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

Symmetric encryption of data-at-rest with a block cipher must use a NIST-approved cipher together with a corresponding NIST-approved mode of operation: https://csrc.nist.gov/projects/block-cipher-techniques
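As an added example (not part of this baseline), the following PowerShell check reports, per volume, whether the platform prerequisites (UEFI, GPT, TPM), the "fully encrypted" requirement and the "keys only in the TPM" requirement from both specification variants above are met on a Windows endpoint. It assumes BitLocker is the chosen Full Disk Encryption solution and that a RecoveryPassword protector is escrowed off the device; both are assumptions, not statements of the control.

```powershell
# Added compliance check for SB.5.001; assumes BitLocker as the FDE solution.
# Needs the BitLocker, TrustedPlatformModule and Storage modules (Windows 8 / Server 2012 and later)
# and an elevated session.

# Protector types that keep the volume key sealed in the TPM (TPM+PIN and TPM+startup-key
# variants are counted as TPM-bound). Assumption: a RecoveryPassword is acceptable only
# because it is escrowed off the device (AD / MDM) and not stored on the endpoint.
$TpmBound     = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
$EscrowedOnly = @('RecoveryPassword')

function Test-PlatformPrerequisites {
    # UEFI firmware, a GPT system disk and a ready TPM, as the specification requires.
    $tpm = Get-Tpm
    [pscustomobject]@{
        FirmwareIsUefi  = ($env:firmware_type -eq 'UEFI')
        SystemDiskIsGpt = ((Get-Disk | Where-Object IsSystem).PartitionStyle -eq 'GPT')
        TpmReady        = ([bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady)
    }
}

function Test-VolumeEncryption {
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $nonTpm   = $types | Where-Object { $_ -notin ($TpmBound + $EscrowedOnly) }
        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status is $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')         { $findings += 'protection is off or suspended' }
        # Aes128/Aes256 (CBC) and XtsAes128/XtsAes256 are NIST-approved modes; XTS is the mode
        # NIST specifies for storage devices (SP 800-38E). 'None' means no cipher is in use.
        if ($vol.EncryptionMethod -in @('None', 'Unknown')) { $findings += 'no approved cipher in use' }
        if (-not ($types | Where-Object { $_ -in $TpmBound })) { $findings += 'no TPM-bound key protector' }
        if ($nonTpm) { $findings += "key material outside the TPM: $($nonTpm -join ', ')" }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ', ')
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

Test-PlatformPrerequisites | Format-List
Test-VolumeEncryption | Format-Table -AutoSize
```

A volume with a `Password` or `ExternalKey` protector, or with protection suspended, is reported as non-compliant with the reason, so the output can be fed directly into an endpoint compliance report.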
