The Secure Breach and what the Government can learn from the private sector
By Jason Hart, Vice President and CTO for Data Protection at Gemalto
There’s a hope amongst many people that government is ahead of the curve, a wish that behind closed doors, in some secret facility, there’s a team with a technology that’s always one step ahead of the “bad guys.” Yet, as the worst breach of U.S. government data continues to unfold, it’s apparent the opposite is true. The Office of Personnel Management (OPM) had grossly inadequate IT security, enabling suspected Chinese hackers to roam their databases for a full year before detection.
There are things the OPM and other government agencies can learn from the private sector. Security in finance and retail is often more sophisticated. Even healthcare, long considered a laggard in this area, is making great gains in their move towards secure electronic communications, driven by the Direct Project and increasing compliance measures.
As with most issues, resolution begins with acceptance. Savvy businesses are realistic and they know it’s no longer a matter of if a breach is going to occur but when. Security must begin with a mindset that looks beyond breach prevention to breach acceptance. Agencies have to lay the groundwork for a “secure breach” future in which cyber intruders who penetrate the network perimeter can’t access or use valuable data. There’s nothing wrong with network perimeter security technologies. The problem is that many rely on them as the foundation of their security strategy, and unfortunately there’s no fool-proof way to prevent a breach. You build higher walls; they build taller ladders.
Still, while it’s imperative to change a mindset, it’s another thing to implement a new approach across a government organization where hard-and-fast procedures have long been in place. Adverse consequences and related costs can be mitigated, however. By implementing the following three steps, agencies can effectively prepare for and avoid falling victim to the serious consequences of a breach.
1. Control Access and Know Who is Accessing Your Data
Control access to sensitive data. The proliferation of mobile devices and cloud-based applications warrants more stringent internal controls. Agencies need to ensure user identities are not only protected, but authorized. Strong authentication will block unauthorized access and hold individuals accountable.
Passwords are the most vulnerable form of authentication, as they can be easily hacked, stolen, copied or shared. Require users to log in with something they know – a username – combined with something they have, such as a one-time passcode generated on a separate token. Only users with both should be given access. Also, apply different authentication methods to different user groups to prevent misuse by insiders. Software- and hardware-based tokens can be administered according to roles or functions.
2. Encrypt All Sensitive Data
Adversaries are after data, so identify existing and emerging threats and move security controls as close as possible to the data. Embedding protection close to the data ensures that even after a perimeter is breached, any stolen information remains secure. That means using encryption technology.
Locate and prioritize your most sensitive assets and repositories, whether they sit in the data center or in the cloud. Data in physical, virtualized and cloud environments can all be encrypted. Review normal business activity within and beyond the agency, understanding how it maps to the underlying infrastructure.
Do not overlook network traffic flowing between headquarters and other locations. Once this data leaves your organization, you no longer have control over it – cyber criminals can easily “tap” your fiber optic cables. There are also risks of transmission to wrong locations. These can be eliminated by automatically encrypting data in motion. The ability to encrypt data at scale in a centralized way is relatively new, but is now possible.
3. Know Where Your Keys Are
At the heart of data encryption are the secret cryptographic keys used for encrypting and decrypting sensitive data. Lost or stolen keys can take down the entire data and security infrastructure.
The volume of data in storage clusters, applications, databases, file servers and other environments that needs encrypting involves potentially thousands of encryption keys. With isolated, disconnected key management, it becomes nearly impossible to adequately manage and protect keys. Since these are stored in a variety of places, often on the very systems containing sensitive data, they are vulnerable. Unprotected backup keys in transit create additional exposure.
A crypto management platform enables centralized management. Ongoing rotation, storage, backup, deletion and creation of new keys can eliminate security vulnerabilities. Safeguard the key storage container. Software key wrappers do not protect encryption keys as well as hardware-based options; vaulting keys in a hardware security module will provide added protection.
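Steps 2 and 3 together describe a key hierarchy: records are encrypted under their own data keys, those data keys are wrapped by a key-encryption key that never leaves the hardware security module, and the wrapping keys are rotated and eventually deleted from one central place. The Go program below is an added example, not the article's or Gemalto's code. `KeyVault` is an in-memory stand-in for an HSM (an assumed design; a real module is driven through PKCS#11 or a vendor API and does the wrapping inside its boundary), and the record layout, version labels and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault stands in for a hardware security module (assumed design for this
// example): key-encryption keys (KEKs) are generated and used inside it and are
// never returned to callers, who only ever see wrapped data keys.
type KeyVault struct {
	keks    map[string][]byte // versioned KEKs, e.g. "kek-v1"
	current string            // version used for new wraps
	next    int               // monotonic version counter
}

func NewKeyVault() (*KeyVault, error) {
	v := &KeyVault{keks: map[string][]byte{}}
	return v, v.Rotate()
}

// Rotate creates a fresh KEK version. Older versions stay usable for unwrapping
// until every record has been re-wrapped under the new one.
func (v *KeyVault) Rotate() error {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	v.next++
	v.current = fmt.Sprintf("kek-v%d", v.next)
	v.keks[v.current] = kek
	return nil
}

// Retire deletes a KEK version; anything still wrapped under it becomes unreadable.
func (v *KeyVault) Retire(version string) error {
	if version == v.current {
		return errors.New("cannot retire the current KEK")
	}
	delete(v.keks, version)
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal / gcmOpen: AES-GCM with a random 96-bit nonce prepended to the output.
// GCM authenticates the ciphertext, so any tampering makes gcmOpen fail.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// WrapDataKey encrypts a data key under the current KEK and reports the version used.
func (v *KeyVault) WrapDataKey(dek []byte) (string, []byte, error) {
	wrapped, err := gcmSeal(v.keks[v.current], dek)
	return v.current, wrapped, err
}

func (v *KeyVault) UnwrapDataKey(version string, wrapped []byte) ([]byte, error) {
	kek, ok := v.keks[version]
	if !ok {
		return nil, fmt.Errorf("KEK %s is retired or unknown", version)
	}
	return gcmOpen(kek, wrapped)
}

// Record is what gets stored: ciphertext plus the wrapped data key and its KEK version.
type Record struct {
	KEKVersion string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a per-record data key, encrypts the payload with it, and keeps
// the data key only in wrapped form next to the ciphertext.
func Encrypt(v *KeyVault, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	ver, wrapped, err := v.WrapDataKey(dek)
	if err != nil {
		return nil, err
	}
	return &Record{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(v *KeyVault, r *Record) ([]byte, error) {
	dek, err := v.UnwrapDataKey(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.Ciphertext)
}

// Rewrap moves a record to the current KEK; the bulk ciphertext is untouched.
func Rewrap(v *KeyVault, r *Record) error {
	dek, err := v.UnwrapDataKey(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK, err = v.WrapDataKey(dek)
	return err
}

func main() {
	v, _ := NewKeyVault()
	rec, _ := Encrypt(v, []byte("constructed sample record")) // constructed payload
	_ = v.Rotate()
	_ = Rewrap(v, rec)
	_ = v.Retire("kek-v1")
	pt, err := Decrypt(v, rec)
	fmt.Printf("%q under %s, err=%v\n", pt, rec.KEKVersion, err)
}
```

Two properties of this layout are the point of the article's third step. Rotation re-wraps only the 32-byte data key, so rotating a KEK is cheap even across a large store, and retiring a KEK makes every record still wrapped under it permanently unreadable, which is the "lost or stolen keys can take down the entire data" risk: the re-wrap must be complete before the old version is deleted, and the same applies to backups of wrapped keys in transit.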
The following guidelines can help you store and manage keys effectively: