GSN Digital Edition April 2016

More documents

Recommendations

Info

Campbell on Crypto Cybersecurity and Occam’s Razor – Encryption is the Simplest Answer By Shawn Campbell When it comes to OMB’s Cybersecurity Strategy and Implementation Plan (CISP), it may be best to apply the problem-solving principle of Occam’s Razor: The simplest answer is usually correct. And the simplest answer is: Encrypt everything, from datain-motion to data-at-rest. CISP underscores the need for agencies to implement an indepth defensive strategy to protect high value information and assets – especially sensitive data, sensitive keys, and identity credentials. Sensitive data at rest is particularly vulnerable once a breach has occurred, because of its volume and relevance. The true threat to sensitive data comes from attackers hijacking privileged accounts with full access to servers. In some cases, “Insiders are a major source of breaches,” whether intentional and malicious or through inadvertent misuse by employees or partners. 22 the attackers are actually insiders with existing elevated privileges. Privileged accounts are where data is most readily available; other end points do hold data, but that data is too widely distributed to be as great a threat. The greatest risk to unauthorized data access comes from insider threats, which are surprisingly prevalent. As early as 2012, the industry analyst firm Forrester noted that (particularly in the private sector) “insiders are a major source of breaches,” whether intentional and malicious or through inadvertent misuse by employees or partners. Privileged accounts have access to considerable amounts of data. Today, through the sharing of administrator and superuser accounts, as well as physical theft of servers, insiders present both a real and growing threat. Enter Occam’s Razor To address CISP’s requirement for protection of high value information and assets, the best way for agencies is the simplest: Encrypt all sensitive data on your storage array. What it boils down to is, if sensitive data is encrypted, then it is safe. And if you don’t know which of your data is sensitive, then encrypt all of it. As an added layer of protection, separately store the encryption keys used to encrypt and decrypt data. When an encryption key is stored separately from the data – ideally on a hardened device – it
is not available to an attacker. You can also take immediate measures to minimize insider threats by enabling privileged users (such as root or system administrators) to perform authorized duties while keeping sensitive data encrypted and secure. Separate server administration from data access and encryption key management. Dynamically protect sensitive data-at-rest in enterprise servers through encryption at the file-system level and centralized key management. Specific Ways to Keep It Simple Protect Personally Identifiable Information (PII). When PII data is encrypted, it is not exposed in the event of a breach. This limits the potential damage of a breach, protects citizen data, minimizes the costs associated with post-breach credit tracking, and protects the reputation of the agency. The best approach to protection is to apply granular policies to control access to authorized users. For example: • Finance managers get full access to confidential financial spreadsheets • IT administrators get access to perform routine maintenance, but cannot see files that have been encrypted (IT sees only cipher text). • Program analysts can access and share their aggregated analysis on seasonal trends in the finance folder, but only see cipher text if they click on the spreadsheet with specific identity information. • Terminated employees who depart the organization with sensitive info are unable to access the agency assets in their possession. They will see encrypted data if they attempt to access or open files. Protect data in the cloud. Encrypt files before storing them in the cloud. That way, the cloud provider can never access your data. Secure big data implementations. Big data implementations collect semi-structured data from numerous sources, which may contain sensitive data. Typically, big data implementations rely on outside encryption solutions. The best approach to securing 23 big data is to provide transparent and automated encryption of sensitive data in clusters with granular access controls. These controls define and enforce policies to guard against unauthorized and rogue access to – and possible exposure of – high value data. In this era of growing insider threats to data in motion and at rest, make sure you comply with CISP by using the principle of Occam’s Razor. Encrypt everything. Shawn Campbell is VP of Product Management, SafeNet Assured Technologies. He can be reached at Shawn.Campbell@ safenetat.com
Page 1 and 2: Government Security News APRIL 2016
Page 3 and 4: NEWS AND FEATURES NICE’s Rodrigue
Page 6 and 7: LRAD ® Corporation Announces $490,
Page 8 and 9: What’s up with WhatsApp for Emerg
Page 10 and 11: Hazmat Science and Public Policy wi
Page 12 and 13: Government Security News Awards Pro
Page 14 and 15: At the end of the Awards Dinner, we
Page 16: for virtually everything else, rang
Page 20 and 21: CINCH and SIS introduce encrypted s
Page 24 and 25: ODSecurity body scanners cut prison
Page 26 and 27: Maritime/Coastal/Port Security Port
Page 28 and 29: Maritime/Coastal/Port Security Ship
Page 30 and 31: Maritime/Coastal/Port Security Mega
Page 32 and 33: Video Surveillance IMAX ® Film ‘
Page 34 and 35: Video Surveillance OnSSI receives H
Page 36 and 37: Video Surveillance DTI to provide C
Page 38 and 39: NICE’s Rodriguez: Technology cont
Page 40 and 41: U.S. Customs and Border Patrol Care
Page 42 and 43: GSN is pleased to announce that HID
Page 44 and 45: Coming Attractions - 2016 May Digit

GSN Digital Edition April 2016

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?