Page 32 - GCN, May 2016

their important data is stored than they should.
According to the 451 Research survey, government respondents were among those with the lowest confidence in the security of their sensitive data’s location. Although 50 percent of financial-sector respondents expressed confidence, only 37 percent of government respondents could say the same.
In fact, only 16 percent of all respondents cited “lack of perceived need” as a barrier to adopting data security, but 31 percent — or almost twice as many — government respondents did so.
Earlier this year, the Ponemon Institute released a report showing that 33 percent of government agencies use encryption extensively, compared to 41 percent of companies in general and far behind the financial sector at 56 percent. In that survey of more than 5,000 technology experts, 16 percent of agency respondents said they had no encryption strategy.
On a positive note, the public sector has been making headway. Last year, for example, only 25 percent of government respondents to the Ponemon survey said they were using encryption extensively.
“This is showing heightened interest in data protection,” said Peter Galvin, vice president of strategy at Thales e-Security, which sponsored the Ponemon report. High-profile data breaches have drawn public attention to the issue, he added.
Data encryption addresses four major areas: data in motion, data stored on user devices, data stored on servers and data that is currently being used.
Today, most encryption efforts focus on data stored on servers because that is where the majority of big breaches take place.
“There are lots of different challenges,” said Sol Cates, chief security officer at Vormetric. “How do I do this at scale? And how do I do it across multiple application stacks, architectures, cloud services and legacy applications?”
In the 451 Research survey, 51 percent of government respondents said complexity was the biggest barrier to securing data.
Part of that complexity is the challenge of managing encryption keys. There is typically no more than one password per user per application, and users generally get to choose them. But encryption keys are long. The smallest recommended key, AES-128, is the equivalent of a 39-digit number; an RSA-2048 key is equivalent to a 617-digit number. Each file and message requires a separate key. Losing that key is the same as losing the data.
And failing to protect the keys creates a fatal security flaw, said Tammy Moskites, CIO and chief information security officer at Venafi. “If you don’t know where the keys are, it helps the bad guys circumvent controls,” she added. “Then there’s a huge security gap.”
Managing such encryption activities also takes money and people, both of which are in short supply at government agencies.
According to 451 Research, 44 percent of government respondents said lack of staff was the biggest barrier to securing data. In fact, government respondents were more likely to cite that issue than any other sector. And budget was cited by 43 percent of government respondents as an obstacle to better data security, which was also higher than for any other group.
A particular challenge for government agencies is encrypting legacy systems. Encrypting a database and sticking it on a shelf somewhere is simple enough. But encrypting a database that is constantly being used is something else entirely. The encryption must be built in from the start or added afterward to the database itself and all the applications that access it — at significant cost.
“The Office of Personnel Management was [using] an old, legacy mainframe system that did not have the capability to do encryption,” said Jerry Irvine, CIO at Prescient Solutions. “And there are still lots of old systems out there.”
In fact, according to a report OPM issued shortly after last year’s breach, “Full encryption of the databases that were accessed in the recent incidents would not have been feasible, as many of OPM’s systems would not have worked if they were encrypted.”
The National Institute of Standards and Technology offers general guidelines for creating a data encryption architecture. “That is a requirement for many, many government organiza-
“Five or 10 years ago, encryption, networks and cybersecurity were the domains of the CIO, and they were the only ones who cared about it. It’s now an executive issue.”