ExecTech
in the recent incidents would not have been feasible, as many of OPM’s sys- tems would not have worked if they were encrypted.”
The National Institute of Standards and Technology offers general guide- lines for creating a data encryption architecture. “That is a requirement for many, many government organiza- tions,” said Steve Pate, chief architect at security firm HyTrust. “It makes sure that nobody is using an algorithm that’s easily breakable.”
In general, though, each government agency has some leeway about how it implements encryption to address its own data security risks, said Scott Gordon, FinalCode’s chief operating officer. “Certain agencies, such as defense and intelligence, require stron- ger encryption, like the use of Suite B algorithms, and they are exploring the use of quantum-safe crypto technolo- gies,” he added.
Other data challenges
Data in motion, data at rest and data in use each require a different approach to encryption. Agencies should begin
by identifying where their sensitive data is located and prioritize based on highest risk because encrypting everything everywhere is usually not financially practical.
Data in motion is often the easiest to get a handle on, and most agencies are already encrypting it, Irvine said. However, they should check their web- sites and File Transfer Protocol sites — particularly those that have been around for a while — to make sure that communications are encrypted. Cates said email systems and cloud storage providers might also lack encryption.
Data at rest requires full-disk encryp- tion on mobile devices and file-based encryption on servers. The latest hard- ware makes such encryption faster and easier, but legacy systems are the single biggest obstacle.
Encrypting data in use remains a challenge, however. “Data in use can- not be easily encrypted,” Irvine said. “If I send a virus to your PC that gives me control of your PC, I can get access to everything. Right now, there’s no answer to that.”
There are also emerging technologies
to keep an eye on, said Ted Hengst, prin- cipal at PTH Ventures and a 25-year vet- eran of the U.S. Army, where he served as CIO at the U.S. Special Operations Command at MacDill Air Force Base.
Wearable devices and the Internet of Things will present new encryption challenges. “It all needs to be encrypt- ed,” he said. “Otherwise, it provides a backdoor into the network.”
On a positive note, however, he said government agencies are beginning to take encryption seriously.
“Five or 10 years ago, encryption, networks and cybersecurity were the domains of the CIO, and they were the only ones who cared about it,” Hengst said. “It was a fight every year to protect the networks. It’s now an executive issue. It’s first and foremost on senior government [leaders’ minds] how to protect not only the agency but the people who use that agency.” n
An expanded version of this article appears in the May issue of FCW’s sister publication GCN, which focus- es on technology, tools and tactics for public-sector IT.
The state of data encryption
SOLUTIONS
Data in motion Secure Sockets Layer, HTTPS, virtual private
networks
STATUS
Should be in place everywhere
MISSING PIECES
Some legacy websites, policy enforcement, user training for VPNs
Data stored on user devices Full-disk encryption, password Should be in place Policy enforcement, locks, two-factor authentication everywhere user training
Data stored on servers File-based encryption, tokenization, format-preserving
encryption
Partially complete
Legacy systems, large databases, key management
Data in use Tokenization, format-preserving encryption, decrypting data in
least usable units
Mostly incomplete
Legacy systems, legacy applications, lack of technology
32
May 30, 2016 FCW.COM