Guaranteeing the confidentiality of exam papers
Case of a regional education authority in France
Following several leaks, this authority wanted to encrypt national exam papers in order to guarantee their confidentiality.
REQUIREMENTS
Once drafted, the papers are sent by e-mail to the various examination centres. Transportation of the files must therefore be secure.
With several thousand of parties involved, it is important that the information system security team has total control over the list of persons with clearance to access the content. The security team defines which storage spaces, local or shared, need to be protected. The solution must also ensure that the configuration deployed on the workstations is the one prepared by the security team
Lastly, the solution must be simple for users, and therefore transparent, with no need for them to make any decisions.
SOLUTION
With the support of the ANSSI, France’s national IT systems security agency, this authority decided to get its data encrypted with ZONECENTRAL:
- Encryption of the user profile and shared spaces on the file servers;
- Impossibility to write in plain text on portable devices;
- Adding access by certificate (share);
- Deployment of a Microsoft PKI;
- Unique private key available in the Windows CSP certificate store;
- Security policies signature.
EXPERIENCE
SECURITY DEPARTMENT: After being trained by PRIM’X, the Security team takes care of deploying ZONECENTRAL and defining and signing the security policies. The team also handles application of the encryption instructions by creating encrypted zones on the file servers and managing the cryptographic accesses of authorised users.
USERS: The authors’ local and shared files are fully encrypted. With ZED!, which is included in ZONECENTRAL, users send the exam papers in encrypted containers. The recipients are the only ones with the right to decrypt the data using their private key.
BENEFITS
The encryption performed by ZONECENTRAL is transparent: data decryption is carried out without any action on the part of the user thanks to the implementation of the Microsoft PKI, which allows transfer of the private key in the session certificate store. This PKI also provides easy control of certificates in the event of expiry or revocation
NEXT STEPS:
Passwords will be replaced by certificates for internal e-mail encryption when the next PKI is deployed.