In recent weeks there have been a number of news stories focusing on the vast troves of data that federal agencies are storing to deliver on their missions. The Department of Defense has long been acknowledged as the leader in data aggregation, but now civilian agencies are amassing data troves too: the National Institutes of Health (NIH) receives data from more than 3,000 groups daily to support epidemiological studies, genome sequencing and clinical trials, and the Department of Health and Human Services (HHS) is aggregating data to analyze it and put it to work to fight opioid abuse.
As federal agencies create these storehouses, the ability to secure sensitive citizen data and state intelligence has assumed a new urgency for federal CIOs and CISOs. In recent years the rate of cyber attacks against federal government agencies has grown rapidly, fueled by state sponsorship of cyber attacks. For example, the WannaCry malware attack in May 2017 was notable for paralyzing access to patient data for Britain’s National Health Service. Meanwhile, other nation-state cyber attackers are continually testing government networks in search of national intelligence and strategic advantage. And all of this is before we get to the use of cyber attacks to paralyze critical infrastructure.
While there are myriad cybersecurity solutions deployed to defend networks against attack and to alert CERT teams if there is a breach, the question remains about what else federal CIOs and CISOs can do to bolster the nation’s information security. As Jon Temple with IronBrick shared recently, the key to security – no pun intended – is ensuring that data is protected via encryption so that it can’t be reconstructed. However, Temple cautioned that “when considering security for your critical systems, it’s important to understand how you will encrypt your data both in transit and at rest. It’s a broad topic and can be confusing for the uninitiated, or even those who have been doing it for years.”
Data encryption provides an additional hardened layer of protection designed to thwart attacks that have made it through perimeter defenses and to protect against threats posed by privileged users, whether malicious or accidental. As Fred Sadler, retired Director of the Freedom of Information Act and Privacy Act office of the US Food and Drug Administration, noted recently, “Hackers always will try to find new ways to break in, but those breaches will have a minimal impact…if the data was protected in a way that can’t be reconstructed, used or sold.”
Temple shared that there are many different ways to encrypt data at rest, but two of the strongest, which also have low impact on system performance and on the ability to scale, are hardware-based solutions that use self-encrypting drives (the drive encrypts everything written to it in its own hardware) and software-based encryption that encrypts the data on any disk with a unique key per disk for decryption. Both methods support a strong end-to-end security posture. However, to provide the level of protection needed by federal agencies, it’s essential that any encryption used for data at rest conform to FIPS 140-2, NIST’s standard for cryptographic modules, and use AES-256 encryption.
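The following Go program is an added example (not code from the article, IronBrick or Jon Temple) showing the software-based approach described above in working form: each volume gets its own random AES-256 key, data blocks are encrypted with AES-256-GCM so that any tampering is detected on decryption, and the volume key is stored only in wrapped form under a key-encryption key (KEK). The in-memory KEK is a stand-in for the HSM or key management service a real deployment would use, and the volume, sector and record values are constructed sample data. Note that the stock Go standard library is not itself a FIPS 140-2 validated module; a production system would run the same operations through a validated module.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // 256-bit key, i.e. AES-256

// NewVolumeKey returns a fresh random AES-256 key. Each disk/volume gets its
// own key so that exposure of one key does not expose the others.
func NewVolumeKey() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted; binding
// the volume and sector identity to it means a block cannot be silently
// moved to another location and still decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per block
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, wrong aad or any modified byte makes the
// GCM tag check fail, so the caller gets an error rather than garbage.
func Open(key, blob, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapVolumeKey encrypts a volume key under the KEK so that on-disk metadata
// holds only the wrapped form. The KEK is assumed to live in an HSM/KMS.
func WrapVolumeKey(kek, volumeKey []byte) ([]byte, error) {
	return Seal(kek, volumeKey, []byte("volume-key-v1"))
}

// UnwrapVolumeKey recovers the volume key from its wrapped form.
func UnwrapVolumeKey(kek, wrapped []byte) ([]byte, error) {
	return Open(kek, wrapped, []byte("volume-key-v1"))
}

func main() {
	kek, _ := NewVolumeKey()    // stand-in for a KEK held in an HSM/KMS
	volKey, _ := NewVolumeKey() // the unique key for this one volume
	wrapped, _ := WrapVolumeKey(kek, volKey)
	unwrapped, _ := UnwrapVolumeKey(kek, wrapped)
	fmt.Println("volume key unwraps correctly:", bytes.Equal(unwrapped, volKey))

	// Constructed sample record; the AAD ties it to a volume and sector.
	record := []byte("patient-id=0001;cohort=trial-17 (constructed sample)")
	aad := []byte("volume:vol-7;sector:42")
	blob, _ := Seal(volKey, record, aad)
	pt, err := Open(volKey, blob, aad)
	fmt.Printf("decrypt with correct key: %q err=%v\n", pt, err)

	otherKey, _ := NewVolumeKey()
	_, err = Open(otherKey, blob, aad)
	fmt.Println("another volume's key is rejected:", err != nil)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(volKey, blob, aad)
	fmt.Println("tampered block is rejected:", err != nil)
}
```

The design point worth noticing is that encryption alone would still let a privileged user or an attacker with disk access alter ciphertext undetected; using an authenticated mode (GCM) and binding each block to its location turns silent corruption into a hard failure that can be logged and investigated.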
While even the most robust encryption is not a standalone information security strategy, it should indeed be part of every federal agency’s data security posture. As our government and society embrace a data-driven future, it’s more important than ever to encrypt data at rest to ensure citizen privacy and national security.
To learn more about how to encrypt data at rest, read the guide on the topic from IronBrick’s Jon Temple.