Protecting data wherever it lives

Protecting data wherever it lives

Data encryption addresses four major areas: data in motion, data stored on user devices, data stored on servers and data that is currently being used.

MORE INFO

The encryption challenge

The obstacles are daunting -- money, time, careless users, encryption-resistant legacy systems. But the risks are no less serious. Read more.

Today, most encryption efforts focus on data stored on servers because that is where the majority of big breaches take place.

“There are lots of different challenges,” said Sol Cates, chief security officer at Vormetric. “How do I do this at scale? And how do I do it across multiple application stacks, architectures, cloud services and legacy applications?”

According to a recent 451 Research survey, 51 percent of government respondents said complexity was the biggest barrier to securing data.

Part of that complexity is the challenge of managing encryption keys. There is typically no more than one password per user per application, and users generally get to choose them. But encryption keys are long. The smallest recommended key, the AES-128, is the equivalent of a 39-digit number. The RSA-2048 is equivalent to a 617-digit number. Each file and message requires a separate key. Losing that key is the same as losing the data.

And failing to protect the keys creates a fatal security flaw, said Tammy Moskites, CIO and chief information security officer at Venafi. “If you don’t know where the keys are, it helps the bad guys circumvent controls,” she added. “Then there’s a huge security gap.”

Managing such encryption activities also takes money and people, both of which are in short supply at government agencies.

According to 451 Research, 44 percent of government respondents said lack of staff was the biggest barrier to securing data. In fact, government respondents were more likely to cite that issue than any other sector. And budget was cited by 43 percent of government respondents as an obstacle to better data security, which was also higher than for any other group.

A particular challenge for government agencies is encrypting legacy systems. Encrypting a database and sticking it on a shelf somewhere is simple enough. But encrypting a database that is constantly being used is something else entirely. The encryption must be built in from the start or added afterward to the database itself and all the applications that access it -- at significant cost.

“The Office of Personnel Management was [using] an old, legacy mainframe system that did not have the capability to do encryption,” said Jerry Irvine, CIO at Prescient Solutions. “And there are still lots of old systems out there.”

In fact, according to a report OPM issued shortly after last year’s breach, “Full encryption of the databases that were accessed in the recent incidents would not have been feasible, as many of OPM’s systems would not have worked if they were encrypted.”

The National Institute of Standards and Technology offers general guidelines for creating a data encryption architecture. “That is a requirement for many, many government organizations,” Steve Pate, chief architect at security firm HyTrust, said. “It makes sure that nobody is using an algorithm that’s easily breakable.”

In general, though, each government agency has some leeway about how it implements encryption to address its own data security risks, said Scott Gordon, FinalCode’s chief operating officer. “Certain agencies, such as defense and intelligence, require stronger encryption, like the use of Suite B algorithms, and they are exploring the use of quantum-safe crypto technologies,” he added.

Other data challenges

Encrypting data in motion, data at rest and data in use each requires a different approach. Agencies should begin by identifying where their sensitive data is located and prioritize based on highest risk because encrypting everything everywhere is usually not financially practical.

The state of data encryption

 

Solutions

Status

Missing pieces

Data in motion

Secure Sockets Layer, HTTPS, virtual private networks

Should be in place everywhere

Some legacy websites, policy enforcement, user training for VPNs

Data stored on user devices

Full-disk encryption, password locks, two-factor authentication

Should be in place everywhere

Policy enforcement, user training

Data stored on servers

File-based encryption, tokenization, format-preserving encryption

Partially complete

Legacy systems, large databases, key management

Data in use

Tokenization, format-preserving encryption, decrypting data in least usable units

Mostly incomplete

Legacy systems, legacy applications, lack of technology

Data in motion is often the easiest to get a handle on, and most agencies are already encrypting it, Irvine said. However, they should check their websites and File Transfer Protocol sites — particularly those that have been around for a while — to make sure that communications are encrypted. Cates said email systems and cloud storage providers might also lack encryption.

Data at rest requires full-disk encryption on mobile devices and file-based encryption on servers. The latest hardware makes such encryption faster and easier, but legacy systems are the single biggest obstacle.

Encrypting data in use remains a challenge, however.

“Data in use cannot be easily encrypted,” Irvine said. “If I send a virus to your PC that gives me control of your PC, I can get access to everything. Right now, there’s no answer to that.”

There are also emerging technologies to keep an eye on, said Ted Hengst, principal at PTH Ventures and a 25-year veteran of the U.S. Army, where he served as CIO at the U.S. Special Operations Command at MacDill Air Force Base.

Wearable devices and the Internet of Things will present new encryption challenges. “It all needs to be encrypted,” he said. “Otherwise, it provides a backdoor into the network.”

On a positive note, however, he said government agencies are beginning to take encryption seriously.

“Five or 10 years ago, encryption, networks and cybersecurity were the domains of the CIO, and they were the only ones who cared about it,” Hengst said. “It was a fight every year to protect the networks. It’s now an executive issue. It’s first and foremost on senior government [leaders’ minds] how to protect not only the agency but the people who use that agency.”

inside gcn

  • IFTTT data access program

    IFTTT digs into government data

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group