THE STATE OF DATA ENCRYPTION
SOLUTIONS
STATUS
MISSING PIECES
Data in motion
Data stored on user devices
Data stored on servers
Data in use
Secure Sockets Layer, HTTPS, virtual private networks
Full-disk encryption, password locks, two-factor authentication
File-based encryption, tokenization, format- preserving encryption
Tokenization, format- preserving encryption, decrypting data in least usable units
Should be in place everywhere
Should be in place everywhere
Partially complete Mostly incomplete
Some legacy websites, policy enforcement, user training for VPNs
Policy enforcement, user training
Legacy systems, large databases, key management
Legacy systems, legacy applications, lack of technology
tions,” Pate said. “It makes sure that no- body is using an algorithm that’s easily breakable.”
In general, though, each government agency has some leeway about how it implements encryption to address its own data security risks, said Scott Gordon, FinalCode’s chief operating officer. “Certain agencies, such as de- fense and intelligence, require stronger encryption, like the use of Suite B algo- rithms, and they are exploring the use of quantum-safe crypto technologies,” he added.
OTHER DATA CHALLENGES
Encrypting data in motion, data at rest and data in use each requires a differ- ent approach. Agencies should begin by identifying where their sensitive data is located and prioritize based on high- est risk because encrypting everything everywhere is usually not financially practical.
Data in motion is often the easiest to get a handle on, and most agencies are already encrypting it, Irvine said. How- ever, they should check their websites and File Transfer Protocol sites — par- ticularly those that have been around for awhile — to make sure that com- munications are encrypted. Cates said email systems and cloud storage pro- viders might also lack encryption.
Data at rest requires full-disk encryp- tion on mobile devices and file-based encryption on servers. The latest hard- ware makes such encryption faster and easier, but legacy systems are the single biggest obstacle.
Encrypting data in use remains a challenge, however.
“Data in use cannot be easily en- crypted,” Irvine said. “If I send a virus to your PC that gives me control of your PC, I can get access to everything. Right now, there’s no answer to that.”
There are also emerging technolo-
gies to keep an eye on, said Ted Hengst, principal at PTH Ventures and a 25- year veteran of the U.S. Army, where he served as CIO at the U.S. Special Op- erations Command at MacDill Air Force Base.
Wearable devices and the Internet of Things will present new encryption challenges. “It all needs to be encrypt- ed,” he said. “Otherwise, it provides a backdoor into the network.”
On a positive note, however, he said government agencies are beginning to take encryption seriously.
“Five or 10 years ago, encryption, networks and cybersecurity were the domains of the CIO, and they were the only ones who cared about it,” Hengst said. “It was a fight every year to pro- tect the networks. It’s now an executive issue. It’s first and foremost on senior government [leaders’ minds] how to protect not only the agency but the people who use that agency.” •
GCN MAY 2016 • GCN.COM 31