Encryption key management: Best practices for federal agencies
- By Tim LeMaster
- Apr 26, 2021
Government cloud adoption continues to increase steadily. According to a Bloomberg Government analysis, spending on cloud technology is expected to reach $8.5 billion by FY23. But as agencies consider their next steps towards the cloud, security remains a consistent concern. Efforts like the Cloud Smart Strategy and the Federal Risk and Authorization Management Program have helped agencies evolve their cloud security strategies, but there is still much to consider, including approaches to encryption.
Basic practices like encryption of data stored in the cloud are critical, but they're not always enough for federal agencies. In addition to basic encryption techniques, agencies must also think about sophisticated internal and external threats. This is where complete control over encryption keys becomes crucial.
Threats against agencies are becoming more advanced
Bad actors' techniques have advanced along with government cloud technologies, which means an extra layer of protection is necessary to match expanding threats. Encrypting data from end-to-end, in transit and at rest, ensures it stays protected at all times.
Beyond those basics, stringent security over the keys used to encrypt data can be crucial for sensitive applications and workloads. When employing a cloud solution, agencies may enlist multiple providers to create a multi- or hybrid-cloud environment, meaning encryption keys are stored in more than one location across various infrastructures, increasing the risk of the keys falling into the hands of a bad actor.
For agencies dealing with sensitive information, such as citizens’ personally identifiable information, it's essential to ensure keys are accessible, under their control and available only to those who need them. By keeping ownership over keys, agencies maintain complete control over their data and the encryption process.
The Cloud Security Alliance recommends encrypting data in the cloud and managing the encryption keys on premises within a FIPS-certified boundary. The keys should be secured and operated by a FIPS 140-2 certified key manager. Storing keys in tamper-resistant FIPS 140-2 Level 3 hardware security modules provides the highest level of security against internal and external threats.
Having full ownership of encryption keys gives agencies a layer of security to protect against sophisticated and persistent threats; however, offices must strictly limit and verify who has access to those keys.
The mobile perspective
Cloud-based applications often connect directly with mobile devices, which can also serve as entry points for bad actors via malware apps, mobile phishing and more. Cloud encryption is important, but agencies must also provide comprehensive security for the endpoints.
A dedicated mobile security solution is always essential to fully protect an agency and its information from phishing as well as app, device and network threats. The security platform should also adhere to zero-trust principles. Since government employees are working away from the office, administrators must ensure endpoint validation of all users before allowing access to organizational infrastructure.
As federal agencies increase their dependence on the cloud, they must consider a cybersecurity strategy that includes mobile devices and advanced encryption solutions.
Tim LeMaster is senior director, sales engineering, at Lookout.