The Secure Breach and what the Government can learn from the private sector
By Jason Hart, Vice President and CTO for Data Protection at Gemalto
There’s a hope amongst many people that government is ahead of the curve, a wish that behind closed doors, in some secret facility, there’s a team with a technology that’s always one step ahead of the “bad guys.” Yet, as the worst breach of U.S. government data continues to unfold, it’s apparent the opposite is true. The Office of Personnel Management (OPM) had grossly inadequate IT security, enabling suspected Chinese hackers to roam their databases for a full year before detection.
There are things the OPM and other government agencies can learn from the private sector. Security in finance and retail is often more sophisticated. Even healthcare, long considered a laggard in this area, is making great gains in its move towards secure electronic communications, driven by the Direct Project and increasing compliance measures.
As with most issues, resolution begins with acceptance. Savvy businesses are realistic: they know it’s no longer a matter of if a breach is going to occur but when. Security must begin with a mindset that looks beyond breach prevention to breach acceptance. Agencies have to lay the groundwork for a “secure breach” future in which cyber intruders who penetrate the network perimeter can’t access or use valuable data. There’s nothing wrong with network perimeter security technologies. The problem is, many rely on them as the foundation of security strategy, and unfortunately, there’s no fool-proof way to prevent a breach. You build higher walls; they build taller ladders.
Still, while it’s imperative to change a mindset, it’s another thing to implement a new approach across a government organization where hard-and-fast procedures have long been in place. Adverse consequences and related costs can be mitigated, however. By implementing the following three steps, agencies can effectively prepare for and avoid falling victim to the serious consequences of a breach.
1. Control Access and Know Who is Accessing Your Data
Control access to sensitive data. The proliferation of mobile devices and cloud-based applications warrants more stringent internal controls. Agencies need to ensure user identities are not only protected, but authorized. Strong authentication will block unauthorized access and hold individuals accountable.
Passwords are the most vulnerable form of authentication as they can be easily hacked, stolen, copied or shared. Require users to log in with something they know – a username – combined with something they have, such as a one-time passcode generated on a separate token. Only users with both should be given access. Also, apply different authentication methods to different user groups to prevent misuse by insiders. Software and hardware-based tokens can be administered according to roles or functions.
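The "something they have" factor described above is usually a token that derives a one-time passcode from a shared secret and the current time. The following Go program is an added example, not code from the article or from Gemalto: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Go standard library, verifies a submitted code in constant time with a one-step tolerance for clock drift, and shows a login check that rejects any request lacking a valid code from an enrolled token. The `enrolled` table, the user names and the fixed timestamp are constructed sample data; the secret is the RFC 6238 reference secret so the output can be checked against the published test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	otpDigits = 6  // length of the one-time passcode
	otpStep   = 30 // seconds per TOTP time step (RFC 6238 default)
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then reduction to otpDigits decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := uint32(h[offset]&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < otpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", otpDigits, code%mod)
}

// totp implements RFC 6238: the counter is the number of otpStep-second
// intervals since the Unix epoch, so the code changes every 30 seconds.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/otpStep))
}

// verifyTOTP accepts a code for the current step or up to `window` steps on
// either side, which tolerates modest clock drift on the token. Every
// candidate is compared in constant time and the loop never exits early, so
// timing does not reveal which step (if any) matched.
func verifyTOTP(secret []byte, code string, unixTime int64, window int64) bool {
	if len(code) != otpDigits {
		return false
	}
	step := unixTime / otpStep
	matched := 0
	for d := -window; d <= window; d++ {
		if step+d < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+d))
		matched |= subtle.ConstantTimeCompare([]byte(expected), []byte(code))
	}
	return matched == 1
}

// enrolled maps a username to the token secret provisioned for that user.
// Constructed sample data: "alice" uses the RFC 6238 reference secret.
var enrolled = map[string][]byte{
	"alice": []byte("12345678901234567890"),
}

// login models the second-factor check: the request must name an enrolled
// identity and carry a valid code from the token only that user holds.
// A username without the current token value is rejected.
func login(user, code string, unixTime int64) bool {
	secret, ok := enrolled[user]
	if !ok {
		return false
	}
	return verifyTOTP(secret, code, unixTime, 1)
}

func main() {
	secret := enrolled["alice"]
	now := int64(1111111109) // fixed instant so the output matches the RFC test vector
	fmt.Println("code at", now, "is", totp(secret, now))
	fmt.Println("alice logs in:", login("alice", totp(secret, now), now))
	fmt.Println("unknown user:", login("mallory", totp(secret, now), now))
}
```

A production deployment would additionally remember the last step accepted for each user so the same code cannot be replayed inside the window, and would keep the token secrets in the same protected store as the encryption keys discussed later in the article rather than in a plain map.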
2. Encrypt All Sensitive Data
Adversaries are after data, so identify existing and emerging threats and move security controls as close as possible to the data. Embedding protection close to the data ensures that even after a perimeter is breached, any stolen information remains secure. That means using encryption technology.
Locate and prioritize your most sensitive assets and repositories, whether it is in the data center or the cloud. Data in physical, virtualized and cloud environments can all be encrypted. Review normal business activity within and beyond the agency, understanding how it maps to the underlying infrastructure.
Do not overlook network traffic flowing between headquarters and other locations. Once this data leaves your organization, you no longer have control over it – cyber criminals can easily “tap” your fiber optic cables. There are also risks of transmission to wrong locations. These can be eliminated by automatically encrypting data in motion. The ability to encrypt data at scale in a centralized way is relatively new, but is now possible.
3. Know Where Your Keys Are
At the heart of data encryption are the secret cryptographic keys used for encrypting and decrypting sensitive data. Lost or stolen keys can take down the entire data and security infrastructure.
The volume of data in storage clusters, applications, databases, file servers and other environments that needs encrypting involves potentially thousands of encryption keys. With isolated, disconnected key management, it becomes nearly impossible to adequately manage and protect keys. Since these are stored in a variety of places, often on the very systems containing sensitive data, they are vulnerable. Unprotected backup keys in transit create additional exposure.
A crypto management platform enables centralized management. Ongoing rotation, storage, backup, deletion and creation of new keys can eliminate security vulnerabilities. Safeguard the key storage container. Software key wrappers do not protect encryption keys as well as hardware-based options; vaulting keys in a hardware security module will provide added protection.
The following guidelines can help you store and manage keys effectively:
- Build a foundation that provides a “trust anchor” for implementation of encryption across the agency to handle secure key generation, storage, archiving and termination.
- Implement key management to create and enforce policies during the life of a key and its use, and to ensure they’re available to information and applications.
- Limit access to your cryptographic keys. Enact a separation of duties policy, whereby administrators can manage data resources without access to information inside those files.
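The encryption-close-to-the-data approach of section 2 and the key-management guidelines of section 3 fit together as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK is stored beside the ciphertext, under a key-encryption key (KEK) that never leaves the vault. The Go program below is an added example written for this article, not code from the author or from Gemalto. It models the vault in memory (a stand-in for an HSM or key manager; the `Vault`, `Record`, `Rotate`, `Retire` and `Rewrap` names are this example's own) and demonstrates the three points the guidelines make: the storage administrator who holds ciphertext plus wrapped DEK can decrypt nothing without the vault (separation of duties), KEK rotation re-wraps only the small DEKs rather than re-encrypting bulk data, and retiring a KEK before every record has been re-wrapped makes those records permanently unrecoverable (the lost-key failure the text warns about).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; a predictable key is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// newGCM builds AES-256-GCM; every key in this example is 32 random bytes.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// seal encrypts and prepends a fresh nonce; aad is authenticated, not encrypted.
func seal(g cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(g cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Vault stands in for the key-management platform or HSM, the trust anchor that
// holds every key-encryption key (KEK) version. Callers never receive a KEK;
// they only pass data-encryption keys (DEKs) in to be wrapped or unwrapped.
type Vault struct{ keks []cipher.AEAD } // index = KEK version; nil = retired

// Rotate adds a KEK version (call it once to create the first) and returns it.
func (v *Vault) Rotate() int {
	v.keks = append(v.keks, newGCM(randomBytes(32)))
	return len(v.keks) - 1
}

// Retire destroys a KEK version; anything still wrapped under it is gone for good.
func (v *Vault) Retire(version int) { v.keks[version] = nil }

// WrapDEK encrypts a DEK under the newest KEK and reports the version used.
func (v *Vault) WrapDEK(dek []byte) (int, []byte) {
	cur := len(v.keks) - 1
	return cur, seal(v.keks[cur], dek, []byte("dek-wrap"))
}

// UnwrapDEK fails cleanly when the KEK version was retired (the lost-key case).
func (v *Vault) UnwrapDEK(version int, wrapped []byte) ([]byte, error) {
	if version < 0 || version >= len(v.keks) || v.keks[version] == nil {
		return nil, errors.New("KEK version retired or unknown")
	}
	return open(v.keks[version], wrapped, []byte("dek-wrap"))
}

// Record is all a storage administrator sees; it reveals nothing without the vault.
type Record struct {
	KEKVersion             int
	WrappedDEK, Ciphertext []byte
}

// Encrypt uses a fresh DEK per record and stores only its wrapped form beside the data.
func Encrypt(v *Vault, plaintext []byte) Record {
	dek := randomBytes(32)
	ver, wrapped := v.WrapDEK(dek)
	return Record{ver, wrapped, seal(newGCM(dek), plaintext, nil)}
}
func Decrypt(v *Vault, r Record) ([]byte, error) {
	dek, err := v.UnwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(newGCM(dek), r.Ciphertext, nil)
}

// Rewrap re-encrypts only the wrapped DEK under the newest KEK; the data is untouched.
func Rewrap(v *Vault, r Record) (Record, error) {
	dek, err := v.UnwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	ver, wrapped := v.WrapDEK(dek)
	return Record{ver, wrapped, r.Ciphertext}, nil
}
```

The rotation procedure a key-management platform automates is visible in the API order: `Rotate`, then `Rewrap` every stored record, and only then `Retire` the old version. A real deployment would keep the KEKs inside an HSM and log each wrap and unwrap request per caller, which is what makes the audit trail the text asks for possible.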
Securing data is challenging when cloud, virtualization and mobile devices are causing an increase in the attack surface. Still, those who don’t learn from history are doomed to repeat it. The OPM’s legacy systems didn’t allow it to take advantage of encryption or authentication. Clearly, there are things agencies can learn from the private sector. Accepting that breaches are inevitable, and adopting a secure breach approach, has become standard for many enterprises – and it’s a lesson worth learning.
Jason Hart is Gemalto’s VP and CTO for Data Protection. Gemalto is a world leader in digital security. Its technology portfolio - from advanced cryptographic software embedded in a variety of familiar objects, to highly robust and scalable back-office platforms for authentication, encryption and digital credential management - is delivered by a world-class service team across 46 countries. For more information, visit www.gemalto.com.