S 2.162 Determining the need to use cryptographic procedures and products
Initiation responsibility: IT Security Officer
Implementation responsibility: Persons responsible for individual applications, Administrator
In order to arrive at realistic, reliable, and application-compliant requirements and basic conditions regarding the use of cryptographic procedures and products when processing and transmitting sensitive information, the data worthy of protection must first be identified and evaluated.
Identification of the data to be protected
Firstly, it must be determined which tasks cryptographic procedures are to be used for and which data is to be protected by these procedures. The use of cryptographic procedures may be necessary for different reasons (see also S 3.23 Introduction to basic cryptographic terms):
- in order to protect the confidentiality and/or integrity of data,
- for authentication,
- for sending or receipt certificates.
Depending on the purpose, different cryptographic methods may make sense, e.g. encryption or hash procedures. The typical fields of application for cryptographic procedures include:
- local encryption,
- communication protection at application and/or transmission level,
- authentication,
- non-repudiation,
- integrity.
Some examples from the different typical fields of application for cryptographic procedures are provided below:
- A PC hard disk contains data to be protected against unauthorised access by means of encryption.
- Information is to be transmitted via telephone, fax, or data networks, e.g. it is to be sent via email or data medium exchange.
- The information to be protected is not under the sole control of the organisational unit responsible (LAN is available in parts of the building used by third-party companies; a server containing personnel data is supported by employees not belonging to the personnel department).
- Remote access should be secured using strong authentication.
- For emails, it should be possible to determine unequivocally who the sender was and whether the contents were transmitted unchanged.
In order to determine the cryptographic procedures and/or products required and the data to be protected using these procedures and/or products, the current IT structure should first be determined. This determination should include:
- the IT systems used to process and/or store data (PCs, laptops, servers, etc.) or to transmit data (bridges, routers, gateways, firewalls, etc.) and
- the transmission routes available. For this, the logical and physical network structure should be determined (see also S 2.139 Survey of the existing network environment).
Protection requirements of the data (confidentiality, integrity, authenticity, non-repudiation)
All applications and/or data characterised by particular requirements regarding confidentiality, integrity, authenticity, and/or non-repudiation should be determined. However, cryptographic products are not only required for IT systems, applications, or information with higher protection requirements, but also for information with medium protection requirements.
Examples of data with particular requirements regarding confidentiality include:
- personal data,
- passwords and cryptographic keys,
- confidential information the publication of which may incur recourse claims,
- data a competing company may profit from financially,
- data the loss of confidentiality of which endangers the fulfilment of a task (e.g. investigation results, site register regarding endangered plants),
- data the publication of which may damage the reputation.
Note: The accumulation of data increases the protection requirements of a collection of data so that encryption may be required even if the individual sets of data are not so sensitive.
Examples of data with particular requirements regarding integrity include:
- financially effective data the manipulation of which may cause financial damage,
- information the falsified publication of which may entail recourse claims,
- data the falsification of which may cause improper business decisions,
- data the falsification of which may cause reduced product quality.
Remote access is an example of an application with a particular requirement regarding authenticity. Orders or reservations where the orderer should be identifiable are an example of data with a particular requirement regarding non-repudiation.
As a result of protection requirements determination, it should be defined which applications or data must be protected cryptographically. This definition can be refined later and should be reviewed at regular intervals.
As a result, there is an overview of all storage locations and transmission routes to be protected cryptographically. This practically results in an IT map with highlighted encryption areas.
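The following added example (not part of the original safeguard text) shows one way to derive such an overview from an inventory of storage locations and transmission routes, including the accumulation note above. The three-step level scale, the record threshold, the rule that a location inherits the highest level of the data it holds, and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = ["low", "medium", "high"]   # assumed scale; crypto applies from "medium"
ACCUMULATION_THRESHOLD = 1000        # assumed record count that triggers accumulation
GOALS = {"confidentiality": "encryption", "integrity": "integrity protection"}

@dataclass
class DataSet:
    name: str
    confidentiality: str
    integrity: str
    records: int = 1

@dataclass
class Location:
    name: str
    kind: str                        # "storage" or "route"
    datasets: list = field(default_factory=list)

def requirement(loc, goal):
    """Level of a location for one goal.

    Assumed rule: the location inherits the highest level of any data set
    it stores or carries; many accumulated records raise confidentiality.
    """
    idx = max((LEVELS.index(getattr(d, goal)) for d in loc.datasets), default=0)
    total = sum(d.records for d in loc.datasets)
    if goal == "confidentiality" and total >= ACCUMULATION_THRESHOLD:
        idx = min(idx + 1, len(LEVELS) - 1)
    return LEVELS[idx]

def encryption_map(locations):
    """Return only the locations that need cryptographic protection."""
    result = {}
    for loc in locations:
        measures = [m for goal, m in GOALS.items() if requirement(loc, goal) != "low"]
        if measures:
            result[loc.name] = {"kind": loc.kind, "measures": measures}
    return result

# Constructed sample inventory (not taken from the page).
personnel = DataSet("personnel records", "high", "medium", records=300)
orders = DataSet("customer orders", "low", "high", records=200)
contacts = DataSet("address list", "low", "low", records=5000)
INVENTORY = [
    Location("HR server", "storage", [personnel]),
    Location("shared LAN segment", "route", [personnel, orders]),
    Location("CRM laptop", "storage", [contacts]),
    Location("intranet web server", "storage", [DataSet("canteen menu", "low", "low")]),
]
print(encryption_map(INVENTORY))
```

The address list is individually "low", but its 5000 records push the CRM laptop into the map; the intranet web server stays outside it.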
Requirements survey
A questionnaire covering the aspects shown in the table below is a useful aid for such a requirements survey. The technical, organisational, and economic aspects can each be divided into 4 further subcategories.
Technical aspects | Organisational aspects | Economic aspects |
---|---|---|
User services and applications | Field of application | Streamlining aspects / cost savings |
Usage profile | Migration concept | Numbers |
Network infrastructure | Schedule | Procurement costs |
IT end device | Corporate basic conditions | Administration and maintenance expenditure |
Table: Classification aspects for drawing up a questionnaire
Regarding the technical aspects, it is important to determine under "User services and applications" whether predominantly real-time or non-real-time data is to be examined. In the "Usage profile" category, the applications and data for which cryptographic procedures are to be used must be determined, e.g. for external communication or for short- or longer-term processing of confidential data. Furthermore, the information referring to "Network infrastructure" and "IT end device" must be determined, e.g. port configuration.
The "Field of application", i.e. the range of participants or networks, the questions regarding an existing "Migration concept", as well as the "Schedule" and the "Corporate basic conditions" must be examined as organisational aspects.
From an economic point of view, the essential aspects include:
- streamlining aspects, e.g. by using a product with transparent encryption instead of manual actuation,
- an estimation regarding the numbers and the procurement costs, as well as
- the administration and maintenance expenditure to be expected.
On the basis of this survey, an application and requirements concept that is as practical as possible can be drawn up, which then serves as a starting point for specific implementation decisions and/or the selection of suitable cryptographic products/components (see S 2.165 Selection of a suitable cryptographic product).
The approach described above is intended to support the person in charge of security in determining, evaluating, and coordinating the use and the extent of security technology to be used in different system locations, network transitions, and end devices. Furthermore, the determination of the required protection (protection requirements) is intended to provide an answer to the question regarding the appropriateness of information security during the planning phase. The outlined approach is pragmatic and takes into account security aspects in open, distributed IT infrastructures, as they can be found in many locations.
The security investments assessed this way must be economically reasonable for the field of application used. The mode of operation of implemented security policies must take into account the expectations of the end users in terms of flexibility, transparency, and performance. The planned and integrated security services must not limit the end user beyond the necessary extent.
Review questions:
- Is it determined which tasks cryptographic procedures are to be used for and which data is to be protected by these procedures?
- Were applications, IT systems, and communication connections determined that should be protected cryptographically due to their protection requirements?