Encryption management in government hyperconverged IT networks

Today’s hyperconverged networks demand a comprehensive range of encryption solutions to secure data-at-rest and data-in-motion across agencies.

Hyperconvergence is becoming more widely accepted in government IT infrastructure, with agencies like the Department of State and the Government Accountability Office moving to the solution.  

A hyperconverged infrastructure (HCI) enables organizations to scale IT in the cloud while maintaining the performance, reliability and availability of an on-premises data center. It combines storage, compute, networking and a hypervisor into a single solution for a fully functional data center. But it’s not without its particular set of problems – for example, ensuring that sensitive data is properly encrypted and encryption keys are appropriately managed.

As organizations migrate to this new architecture, they often use native HCI security to protect their sensitive data-at-rest. Federal agencies, however, often require additional security to ensure that their sensitive data is properly protected. With regulations requiring compliance with the Federal Risk and Authorization Management Program and the Federal Information Security Management Act, combined with the high cost of data breaches, the pressure to protect sensitive data has never been greater.

Let’s take a closer look at some considerations for organizations managing their valuable data-at-rest in a hyperconverged infrastructure.

External key management

An external key manager offers several benefits to agencies managing data natively in a hyperconverged IT infrastructure. External key management ensures appropriate data controls as well as data and key lifecycle management, while facilitating audit and compliance requirements.

External key managers can also help organizations streamline audit reporting, providing signed, validated log information on both key management and key consumption – that is, who accessed the key, the event time and the success or failure of the operation.

What’s more, these tools also can define permissions for key administrators and key consumers, ensuring appropriate data access through separation-of-duties requirements used by HIPAA, FedRAMP, the Department of Defense's Security Requirements Guide and others.

Encryption key management should incorporate some level of centralized policy and control. It’s not as simple as creating the key, encrypting the data and forgetting about it. A key lifecycle management strategy should also enable functions such as:

  • Key generation
  • Key retirement
  • Determination of key activation or de-activation
  • Key rotation (to ensure the periodic update of key content)
  • Destruction (when required)
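The lifecycle functions listed above, together with the audit logging and separation of duties described earlier, can be expressed as a small state machine. The following is an added illustration written for this article, not code from any key-management product: a hypothetical in-memory `KeyManager` whose keys move through pre-activation, active, deactivated and destroyed states; whose `Role` assignment keeps key administrators (who generate, activate, rotate, deactivate and destroy) apart from key consumers (who may only fetch an active key); and whose audit log records every attempt, successful or not, with an HMAC that also covers the previous entry, so an altered or deleted record is detectable. The class and method names, the key identifier `hci-datastore-01`, the principals `alice` and `svc-backup`, and the audit secret are all constructed for the example; a real deployment would keep the key material and the audit-signing secret inside the appliance or HSM rather than in process memory.

```python
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeyState(Enum):            # lifecycle states, after the NIST SP 800-57 key-state model
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DESTROYED = "destroyed"


class Role(Enum):
    ADMIN = "key-administrator"  # generates, activates, rotates, deactivates, destroys
    CONSUMER = "key-consumer"    # may only fetch the material of an ACTIVE key


class PermissionDenied(Exception): pass
class InvalidState(Exception): pass


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]    # None once the key has been destroyed
    state: KeyState
    version: int = 1             # incremented on every rotation


class KeyManager:
    """Hypothetical in-memory key manager with a chained, HMAC-signed audit log."""

    def __init__(self, audit_secret: bytes):
        self._audit_secret = audit_secret        # constructed; in practice held by the auditor/HSM
        self._keys: Dict[str, ManagedKey] = {}
        self._roles: Dict[str, Role] = {}
        self.audit_log: List[dict] = []

    def assign_role(self, principal: str, role: Role) -> None:
        self._roles[principal] = role

    # --- audit log: every attempt is recorded; each entry's MAC also covers the previous MAC ---
    def _mac(self, entry: dict, prev_mac: str) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self._audit_secret, (body + prev_mac).encode(), hashlib.sha256).hexdigest()

    def _record(self, principal: str, op: str, key_id: str, success: bool) -> None:
        entry = {"seq": len(self.audit_log), "ts": time.time(), "principal": principal,
                 "operation": op, "key_id": key_id, "success": success}
        entry["mac"] = self._mac(entry, self.audit_log[-1]["mac"] if self.audit_log else "")
        self.audit_log.append(entry)

    def verify_audit_log(self) -> bool:
        """Recompute the MAC chain; an edited, reordered or deleted entry breaks it."""
        prev = ""
        for entry in self.audit_log:
            if not hmac.compare_digest(self._mac(entry, prev), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    # --- separation of duties and state checks (failed attempts are logged before raising) ---
    def _require(self, principal: str, role: Role, op: str, key_id: str) -> None:
        if self._roles.get(principal) is not role:
            self._record(principal, op, key_id, False)
            raise PermissionDenied(f"{principal} may not {op} {key_id}")

    def _transition(self, principal: str, key_id: str, op: str, allowed_from, new_state) -> ManagedKey:
        self._require(principal, Role.ADMIN, op, key_id)
        key = self._keys.get(key_id)
        if key is None or key.state not in allowed_from:
            self._record(principal, op, key_id, False)
            raise InvalidState(f"cannot {op} {key_id}")
        key.state = new_state
        self._record(principal, op, key_id, True)
        return key

    # --- lifecycle operations ---
    def generate(self, principal: str, key_id: str) -> ManagedKey:
        self._require(principal, Role.ADMIN, "generate", key_id)
        if key_id in self._keys:
            self._record(principal, "generate", key_id, False)
            raise InvalidState(f"{key_id} already exists")
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), KeyState.PRE_ACTIVATION)
        self._record(principal, "generate", key_id, True)
        return self._keys[key_id]

    def activate(self, principal: str, key_id: str) -> ManagedKey:
        return self._transition(principal, key_id, "activate", {KeyState.PRE_ACTIVATION}, KeyState.ACTIVE)

    def rotate(self, principal: str, key_id: str) -> ManagedKey:
        key = self._transition(principal, key_id, "rotate", {KeyState.ACTIVE}, KeyState.ACTIVE)
        key.material, key.version = secrets.token_bytes(32), key.version + 1
        return key

    def deactivate(self, principal: str, key_id: str) -> ManagedKey:
        return self._transition(principal, key_id, "deactivate", {KeyState.ACTIVE}, KeyState.DEACTIVATED)

    def destroy(self, principal: str, key_id: str) -> ManagedKey:
        key = self._transition(principal, key_id, "destroy", {KeyState.DEACTIVATED}, KeyState.DESTROYED)
        key.material = None                       # material is discarded; the record and its history stay
        return key

    def get_key(self, principal: str, key_id: str) -> bytes:
        self._require(principal, Role.CONSUMER, "use", key_id)
        key = self._keys.get(key_id)
        if key is None or key.state is not KeyState.ACTIVE:
            self._record(principal, "use", key_id, False)
            raise InvalidState(f"{key_id} is not active")
        self._record(principal, "use", key_id, True)
        return key.material


def attempt(fn, *args) -> str:
    """Run an operation and label its outcome: 'ok' or the name of the exception raised."""
    try:
        fn(*args)
        return "ok"
    except (PermissionDenied, InvalidState) as exc:
        return type(exc).__name__
```

Two design choices carry the article's points. First, an administrator who can generate and rotate keys is still refused when calling `get_key`, and a consumer is refused when calling `rotate`, which is the separation of duties the compliance regimes ask for; the refusal itself is written to the log, so the "who, when, success or failure" record is complete rather than success-only. Second, `destroy` clears the material but keeps the key record and its audit trail, so a retired key can still be accounted for.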

Hardware or virtual management? Compliance implications

Compliance with Federal Information Processing Standard 140-2 requires that organizations stop using encryption algorithms deemed unsafe and deploy tamper-proof appliances. Appropriate key management must allow organizations to set best practices that enforce proper algorithm usage.

For organizations that require more than just the disabling of unsafe encryption key algorithms (that is, almost all federal agencies), external key managers offer two additional levels of security: storing keys in tamper-evident hardware, where any tampering is readily apparent, and providing tamper-resistant key storage. External key managers can also integrate with hardware security modules to reach a higher FIPS 140-2 certification level.

When selecting an appropriate key management platform, agencies can opt for either a hardware appliance or a hardened virtual security appliance. There are benefits to both, but virtual appliances also enable organizations to scale key management at remote facilities or in cloud infrastructures, such as VMware. This can eliminate the cost of additional rack space.

With the growth of cloud-based IT infrastructures, key management must work with a variety of encryption products as well as self-encrypting drives, tape archives, storage-area networks and the growing list of vendors supporting the OASIS Key Management Interoperability Protocol standard.

Multiple key types must be addressed in a key management strategy to centrally manage both symmetric and asymmetric keys, secret data such as passwords, certificates, and the policies associated with those certificates. That’s a complex collection of requirements, and it demands simplified management of encryption keys across the entire lifecycle: secure key generation, storage and backup, key distribution, deactivation and deletion.

Unified key management across multiple encryption deployments and products can ensure that administrators have restricted roles for their scope of responsibilities. A virtual key management approach can securely store encryption keys for diverse encryption solutions, including virtual machine encryption, as well as both traditional storage and hyperconverged solutions.

Today’s hyperconverged networks demand a comprehensive range of encryption solutions to secure data-at-rest and data-in-motion across organizations. With the proper strategy in place, organizations can address a wide range of challenges, from simply encrypting data that stays at rest to ensuring that only encrypted text information is ever transmitted across the network and outside the organization.
