By Marcelo Delima, Global Product Marketing Manager at HPE Security – Data Security
Throughout federal, state, and local governments, the digital revolution is driving exponential growth of high-value data. Personally identifiable information (PII) is collected on government employees, taxpayers, students, retirees, military personnel, and anyone doing business with the government.
This data is a valuable resource that has the potential to transform the government as we know it. Big data analytics could allow for better allocation of resources and more efficiency; transparency initiatives could allow better citizen services and more accountability; and data sharing could enable better coordination between agencies in key fields such as national security, healthcare or education.
But this same data is also highly prized by cyber-criminals, malicious insiders and nation-states. The challenge is how to protect the data, but in such a way that it can still be safely shared and analyzed by data scientists in its protected form.
Government under attack
Federal and state government agencies disclosed a total of 203 data breaches between 2010 and 2016, with 72 breaches in 2016 alone. In the majority of cases, government breaches involved personal information such as names, Social Security numbers, and birthdates.
The United States Office of Personnel Management (OPM) alone experienced the theft of PII and security clearance background investigation information for 22.1 million individuals in 2015.
The growth in data breaches is proof that the most common cybersecurity measures—firewalls, intrusion prevention systems, antivirus software, and other security technology operating at the network and endpoint layers—are increasingly ineffective against advanced cyberattacks, leaving gaps where data is exposed.
The data security challenge
Government entities have some of the same challenges faced by private-sector corporations, including:
– Big data and data sharing: Government agencies are challenged with providing better citizen services and being more transparent, but that requires increased data sharing between agencies and contractors. It also requires big data analytics and the adoption of new technologies, such as Hadoop, to manage the “data lake”.
– New technologies and innovations: As the public sector adopts new technologies and innovations, data security becomes more complex. Internet of Things (IoT), mobile and cloud not only create more data for hackers to target, but also increase the surface area for attacks, including more devices, connections, and networks.
– Legacy systems: A major challenge faced by government agencies is the dependency on legacy applications and platforms with limited native data security options. These sometimes decades-old systems may no longer have vendors that supply patches or otherwise maintain the code, making it vulnerable to hackers.
– Limitations of traditional security: Common cybersecurity measures only protect data indirectly. For example, firewalls and intrusion prevention systems operate predominantly at the network level. Likewise, desktop antivirus software works to stop the spread of malware infections, but none of these protect data directly.
– Gaps in data protection: Most data-protection techniques shield only stored data. While helpful when equipment is lost or stolen, this doesn’t protect data when it is in use. Data is exposed to attack when it is decrypted and retrieved from an encrypted database and before it flows through an encrypted link.
– Compliance: Stringent data-privacy requirements demand greater data protection. Agencies must comply with federal standards and regulations such as the Cybersecurity Act of 2015, DFARS CUI, and National Institute of Standards and Technology (NIST) standards.
Why data needs a new approach to protection
In an ideal world, sensitive data travels in well-defined paths from data repositories to a well-understood set of applications.
In this scenario, data can be protected by armoring the repository, the links, and the applications using point solutions such as database encryption and SSL network connections.
In real systems, data travels everywhere. Today’s IT environment is a constantly shifting set of applications running on an evolving set of platforms.
The data lifecycle is complex and extends beyond the container and application, into offsite backup services, cloud analytic systems, and outsourced contractors.
Data-centric security – a proven approach
Recent advances in data-centric security techniques protect data no matter where it resides, how it is transported, and even how it is used—without increasing complexity and without requiring massive application changes, or impeding mission performance.
An essential part of a layered-defense security strategy, data-centric security includes encryption, tokenization, data masking, and enterprise key management techniques to help effectively protect data from the moment it is ingested, through analysis, to the backend storage.
In the private sector, Format Preserving Encryption (FPE) is the main data-centric approach that helps reduce exposure of personal data to cyber thieves or internal threats.
Format preserving encryption (FPE) – Neutralizing data breaches
Format-preserving encryption (FPE) makes it far easier and more cost-effective for organizations to use encryption. It is critical in protecting sensitive data at rest, in motion and in use while preserving data format. Traditional encryption methods significantly alter the original format of data.
For example, a 16-digit credit card number encrypted with AES produces a long alphanumeric string. FPE maintains the format of the data being encrypted so that a social security number or birth date still looks like a social security number or birth date when encrypted. That usually means no database changes and minimal application changes.
FPE enables government organizations to de-identify sensitive personal data without extensively revamping existing IT infrastructure. With FPE, even if a security system is breached, the data is worthless to attackers because it’s encrypted.
However, because the encrypted data looks like the real thing, analysts can still use it to identify patterns and run queries without decryption. It also allows data to be mobile so it can be moved between systems and shared.
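To make the format-preservation property concrete, the following is an added sketch, not HPE's code and not the NIST FF1 algorithm: a simplified Feistel cipher over decimal digits that uses HMAC-SHA256 as its round function. The function names, key, tweak and sample values are constructed for illustration; a deployment would use a validated FF1 implementation.

```python
import hashlib
import hmac
import string

ROUNDS = 10  # even, so both halves end at their original widths


def _prf(key, tweak, rnd, half, modulus):
    """Round function: HMAC-SHA256 over (tweak, round, other half), reduced mod 10^m."""
    msg = tweak + bytes([rnd]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus


def _feistel(key, tweak, digits, decrypt=False):
    """Encrypt or decrypt a digit string to a digit string of the same length."""
    if len(digits) < 2 or any(c not in string.digits for c in digits):
        raise ValueError("need at least two ASCII digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten this round
        mod = 10 ** m
        if decrypt:
            a, b = str((int(b) - _prf(key, tweak, i, a, mod)) % mod).zfill(m), a
        else:
            a, b = b, str((int(a) + _prf(key, tweak, i, b, mod)) % mod).zfill(m)
    return a + b


def protect_field(key, tweak, value, decrypt=False):
    """Transform only the digits of value; separators such as '-' stay in place."""
    digits = "".join(c for c in value if c in string.digits)
    out = iter(_feistel(key, tweak, digits, decrypt))
    return "".join(next(out) if c in string.digits else c for c in value)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed key, illustration only
    ssn = "123-45-6789"            # constructed sample value
    token = protect_field(KEY, b"ssn", ssn)
    print(token)                                          # still NNN-NN-NNNN
    print(protect_field(KEY, b"ssn", token, decrypt=True))  # original value
```

Because the output keeps the length, digit positions and separators of the input, it fits the same database column and validation rules as the original value, and the same key and tweak always map a value to the same token, which is what lets joins and equality queries run on protected data.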
NIST validation brings FPE to government
In 2016, the National Institute of Standards and Technology (NIST) released the AES FF1 Format-Preserving Encryption (FPE) mode standard that makes encryption easier using an approved and proven data-centric encryption method for government agencies and contractors.
The NIST standard allows the use of FPE to protect sensitive data-at-rest, data-in-motion, and data-in-use while preserving data formats, enabling government agencies to use this breakthrough technology widely used in the private sector.
Format-Preserving Encryption, when properly implemented, enables the protection of all kinds of high-value data, from personally identifiable information (PII) to protected health information (PHI) or Classified data types.
It also allows safe data sharing, between agencies or with contractors, and deep big data analytics, leveraging Hadoop and cloud. This technology allows security to be layered into decades-old legacy systems and applications, and to address specific privacy requirements in legislation.
Bottom line: De-identified data should be the natural state of data
Data can be leveraged to usher in an era of better, more efficient government services and programs at all levels. The challenge is how to protect this data when it is used. The solution lies in the fact that the natural state of data in systems should be de-identified data. That would remove all identifiers that could be of value to attackers while leaving enough data in the clear for analytics and business processes to continue.
Only a few select people should have the ability to decrypt the sensitive portions of the data, while a very large number of people should be able to work on projects and leverage the huge treasure trove of available “de-identified” data for the betterment of government.
About the Author
Marcelo Delima, Global Product Marketing Manager, HPE Security – Data Security
In his capacity as Global Product Marketing Manager at HPE Security – Data Security, Marcelo focuses on the US Federal market sector among other responsibilities. Marcelo has over 16 years of experience in marketing secure technology solutions for highly regulated enterprises and government agencies.
In his career, Marcelo has held marketing leadership and management positions in technology organizations large and small in Silicon Valley.