Protecting Data Means Balancing Security vs. Convenience
Most people use encryption every day, unaware that their phones and Internet browsers invisibly translate their data as it moves from point to point on the internet or that their mobile apps use the technology to obscure their data in the cloud.
Yet many government agencies are still struggling to deploy encryption across all their systems. Only 44 percent of non-defense Federal web sites employ the secure HTTPS Internet protocol, according to pulse.cio.gov, a government transparency project of the General Services Administration (GSA).
Encryption first scrambles data, then “keeps it secret, makes sure it hasn’t changed, and makes sure you can know the source of the data,” said Andrew Regenscheid, lead for Hardware-Rooted Security in the National Institute of Standards and Technology’s (NIST) Computer Security Division, and a mathematician in NIST’s cryptographic technology group.
As government customers migrate to cloud-based systems and solutions, determining whether vendor solutions match government requirements is difficult. Skyhigh Networks claims that fewer than 9.4 percent of cloud applications encrypt data at rest. Among those that don’t: Facebook, Gmail and PayPal.
Among government agencies, the IRS refuses to share data with federal, state and local government entities unless they meet minimum IRS standards for encryption on “all portable electronic devices, regardless of whether the information is stored on laptops, personal digital assistants, diskettes, CDs, DVDs, flash memory devices, or other mobile media or devices.”
The IRS standards are based on the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.
To understand why other agencies haven’t gone in this deeply, it helps to take a step back, Regenscheid said. Maximizing security means data should be encrypted in three distinct instances: in transit, at rest and when stored on a mobile device, such as a smart phone, tablet, laptop or even portable data storage.
Device encryption is a straightforward application of well-established algorithms to lock up all the data onboard. While it is comparatively simple, challenges persist. In its most recent “State of Software Security Report,” application security provider Veracode finds that as many as 80 percent of mobile devices suffer encryption flaws. The FBI’s very public squabble with Apple over encryption on its devices, which ended with the FBI using a third party to crack the encryption on an iPhone 5C, shone a light on the issues.
Encrypting data in transit is also routine, typically accomplished by the use of TLS, a protocol baked into every web browser, said Marvin Marin, a program manager with NetCentrics, whose cyber analytic technology is used by DoD, FBI and law enforcement. “The browser is a tool that is on every desktop, with secure configurations that can be built into the enterprise baseline, and that makes it all very intuitive,” he said.
Dan Boggs, director of product management at security technology specialist Panzura, said the situation gets more complicated with cloud computing. Panzura’s cloud security technologies are used by NIST and by the Executive Office of U.S. Attorneys in the Department of Justice.
“Now you go to the cloud and the scenario changes,” he said. “They know that their data is going to land somewhere, but they don’t always know where that is or whether that data will be protected at that location.
“Handing it over to a cloud provider may be more complicated,” Boggs said. “Who encrypts it? Who holds the encryption keys? And how do you control access to those?”
The Defense Department has a long history of using encryption to secure data and messages, noted Stan Tyliszczak, chief engineer at General Dynamics Information Technology. “DoD has used encryption to protect sensitive data from inadvertent disclosure for years,” he said. “Other Federal agencies are only now beginning to appreciate that they have similar threats. So they are beginning to adopt similar practices to protect their information.”
Federal agencies face varying levels of regulatory obligation in terms of these diverse security needs, Regenscheid said. OMB has directed agencies to encrypt mobile devices and issued an HTTPS-Only Standard directive requiring publicly accessible Federal websites to deliver services only through secure HTTPS connections. All encryption solutions must comply with NIST’s FIPS 140-2 standard, and NIST maintains a list of compliant vendors.
Yet Federal agencies still face a number of hurdles, Regenscheid said. Agencies have considerable leeway in determining which data requires encryption at rest and which does not. While FIPS 140-2 describes standards for encryption, for example, it does not spell out exactly what data must be scrambled, leaving it to IT leaders to sift for themselves through the needs in any particular configuration.
“Realistically you have to make decisions on where you would like to invest your resources and where it is simply impractical to implement encryption,” he said. “As part of your overall risk management process you will be identifying your critical information systems that need protection. What sensitive info do you have and what kind of protection does it need?”
Then there are practical usability concerns. The more effort you put into encryption, the more you will have to do on the receiving end to decrypt data and put it to work.
There are real consequences to such decisions, said Clay Calvert, director of cybersecurity for MetroStar Systems and a former network engineer on contract in the State Department. “I have worked in one federal system where I have to type in five different passwords and secondary tokens to get where I have to be to do my job,” he said.
Beyond inconvenience, encryption can also degrade performance. For example, a trial using Android Lollipop’s native Full Disk Encryption slowed down read performance in Google’s Nexus 6 device by 62.9 percent.
“Security exists on a spectrum, with security on one end and convenience on the other,” Calvert said. “You have to decide as the business owner where that needle needs to be. When you have an encrypted laptop, you need a pass code before the system will even boot up, and if you lose the encryption key, you’re done. People complain about that.”
Key control itself adds an administrative burden, Regenscheid said. Keys must be generated, stored and updated. Procedures need to be defined for when keys are lost. Specific uses need specific rules: Do you encrypt all emails, for example, or just certain higher-security messages?
Usability is paramount, or users will seek work-arounds and the security will be defeated before it starts. “The business of IT is to support the mission of an organization,” Marin said. “And any implementation that runs counter to that will cause a user acceptance issue. Wield too heavy a hand, and you can lock yourself out of your own data.”