Information security in government IT: Lessons learned from the financial industry
- By Gia Nguyen
- Oct 03, 2017
The risk of citizens' private data being stolen has grown in recent years. News stories of hacking incidents that affect millions and the potential loss of personally identifiable information illustrate the clear and present danger of cybercrimes. Adding to the risk of a data breach is the push for data access and ubiquity of information in the cloud. With more organizations relying on cloud providers to operate their mission-critical applications, risk mitigation gets more challenging for security professionals. As more agencies move to cloud computing, federal IT managers will continue to face the challenges surrounding the protection of citizens' PII.
Driven by stringent regulations, the financial industry has a long record of implementing controls and policies for enforcing financial data integrity. The Statement on Standards for Attestation Engagements No. 16 is a set of auditing guidelines for financial reporting that includes IT security compliance. Practices the financial industry uses to protect PII can be applied to government organizations that must comply with the requirements of the Federal Information Security Management Act and the National Institute of Standards and Technology Special Publication 800-53.
Financial data repositories can be extremely large and somewhat unwieldy, much like those found in government. However, the financial industry conducts analysis by chunking the data down into smaller segments so that it can slice and package data by geographical and socioeconomic cohorts and perform modeling simulations on these selective subsets -- an efficient and cost-effective method for analytics reporting. With its ability to quickly spin up CPU cycles and storage space, the cloud has naturally become the de facto computing platform for on-demand financial modeling.
Moving to the cloud does impose additional security risks. Traditionally, financial data has been stored in-house because of its sensitive nature. Cloud-destined data is no longer in the relative safety of an on-premises host, so two special considerations govern the protection of PII: data encryption and data anonymization.
Data encryption for the cloud
Data encryption is now ubiquitous, especially for PII. It is worth noting, however, that 128-bit Secure Sockets Layer (SSL) protection, once considered the de facto standard for e-commerce, is no longer adequate. For an extra level of PII protection, the financial industry is looking toward the strength of AES-256. Transport layer security, particularly TLS 2.0, is replacing SSL 3.0 as the standard.
For data that persists on a cloud platform, AES-256 should be the encryption standard, applied to data at rest for both active databases and backup storage. When data is in transit between an on-premises facility and the hosting environment, the data package should be encrypted with AES-256 prior to transport, even if the transport layer already provides its own intrinsic encryption (e.g., a VPN tunnel or an HTTPS connection). Under this double-encryption scheme, critical data is protected by a second, application-level layer even when the transport layer is terminated or misconfigured along the way, a direction in which the financial industry is increasingly heading.
Data anonymization, also referred to as sanitization, obfuscation or de-identification, is the technique for masking or removing PII from datasets so that the records no longer identify the individuals to whom the information belongs. Anonymizing data prior to uploading to the cloud can provide an additional layer of security in case of data breach.
There are two primary techniques for data masking: static masking and dynamic masking. Static masking can be applied when there is no need to unmask (i.e. to transform the scrambled PII back to its identifiable form). This comes into play with datasets that are used in analytics, where PII has no direct role in the formulation of results. Dynamic data masking, where PII masking is transient, has the advantage of reversibility. If an architectural pattern requires frequent data synchronization between the cloud and on-premise data stores, or between transactional and analytical systems, dynamic masking may be applicable.
Data-masking solutions range from those developed in-house, to built-in features of the enterprise resource planning or database platform, to dedicated software for anonymization. In-house and built-in features of ERP and databases may be more suitable for static data masking. Dedicated data obfuscation solutions with efficient algorithms may be more effective for dynamic requirements.
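To make the static-versus-dynamic distinction concrete, here is an added example (not code from the article or from any ERP or database product it refers to) that masks the identifying fields of a constructed record both ways. Static masking uses a keyed hash (HMAC-SHA256): the same PII value always maps to the same token, so analytics can still join and group on it, but the token cannot be turned back into the value. Dynamic masking uses a token vault: each value is swapped for a random token and the mapping is kept on-premises, so records synchronised back from the cloud can be re-identified. The Record type, the key and the sample values are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Record is a constructed sample row: two identifying fields plus the
// cohort/analytic fields the cloud side actually needs.
type Record struct {
	SSN     string
	Name    string
	ZIP     string
	Balance float64
}

// StaticMasker is irreversible masking for analytics datasets. The key stays
// on-premises; without it nobody can even confirm a guess against a token.
type StaticMasker struct{ key []byte }

func NewStaticMasker(key []byte) (*StaticMasker, error) {
	if len(key) < 32 {
		return nil, errors.New("masking key must be at least 32 bytes")
	}
	return &StaticMasker{key: key}, nil
}

// Mask returns a deterministic token: equal inputs give equal tokens, which
// preserves joins, but there is no inverse operation.
func (m *StaticMasker) Mask(value string) string {
	mac := hmac.New(sha256.New, m.key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:16] // truncated for readability
}

// MaskForAnalytics tokenises the SSN and drops the name outright: the cohort
// analysis keys on ZIP and balance, so identity has no role in the result.
func (m *StaticMasker) MaskForAnalytics(r Record) Record {
	return Record{SSN: m.Mask(r.SSN), Name: "", ZIP: r.ZIP, Balance: r.Balance}
}

// DynamicMasker is reversible masking via a token vault. The vault is the
// sensitive asset here and must never leave the on-premises boundary.
type DynamicMasker struct {
	mu      sync.Mutex
	forward map[string]string // PII value -> token
	reverse map[string]string // token -> PII value
}

func NewDynamicMasker() *DynamicMasker {
	return &DynamicMasker{forward: map[string]string{}, reverse: map[string]string{}}
}

// Mask returns the existing token for a value, or mints a random one. Random
// tokens carry no information about the value, unlike a hash of it.
func (d *DynamicMasker) Mask(value string) (string, error) {
	d.mu.Lock()
	defer d.mu.Unlock()
	if tok, ok := d.forward[value]; ok {
		return tok, nil
	}
	buf := make([]byte, 12)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(buf)
	d.forward[value] = tok
	d.reverse[tok] = value
	return tok, nil
}

// Unmask is the step that only the on-premises side can perform.
func (d *DynamicMasker) Unmask(token string) (string, error) {
	d.mu.Lock()
	defer d.mu.Unlock()
	v, ok := d.reverse[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return v, nil
}

func main() {
	// Constructed sample values; not real PII. Key is a placeholder for a KMS-held secret.
	r := Record{SSN: "000-00-0000", Name: "Sample Citizen", ZIP: "20001", Balance: 1234.56}
	sm, _ := NewStaticMasker([]byte("placeholder-32-byte-masking-key!"))
	fmt.Printf("static:  %+v\n", sm.MaskForAnalytics(r))

	dm := NewDynamicMasker()
	tok, _ := dm.Mask(r.SSN)
	back, _ := dm.Unmask(tok)
	fmt.Printf("dynamic: token=%s unmask-ok=%v\n", tok, back == r.SSN)
}
```

The choice between the two maps onto the article's guidance: the static masker is a few lines of in-house or database-native code and is enough when PII is only ever consumed by analytics, while the vault-backed dynamic masker is the pattern a dedicated obfuscation product generalises (with persistence, key rotation and access control around the vault) when data must round-trip between cloud and on-premises stores.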
Enterprise cloud migration, and the required preparations for protecting PII in the cloud, can be less challenging for agencies if they draw from the experiences of early adopters in the financial industry. They can then chart their own path to the cloud from these lessons learned.
Gia Nguyen is a solution architect at Macro Solutions.