6 months ago

GSN Magazine June 2016 Digital Edition

Campbell on Crypto Big

Campbell on Crypto Big Data, Big Troubles: Simple advice for encrypting data in motion By Shawn Campbell As Big Data becomes more prevalent in government – along with growing adoption of cloud services, and unprecedented volume of data moving across networks – there is an increasing threat to data in motion. With Big Data comes big data networks, big cloud computing and big datacenter services, which expose organizations to bigger threats including data theft, cyber-crime and malicious cyber-attacks. The moment data is transmitted from one location to another, it’s at risk. Encrypting data in motion doesn’t keep cyber-criminals from accessing the data network. Rather, it protects the data from unauthorized parties, making tampered encrypted data useless and harmless when it is decrypted at the time it is received. Of course, there are numerous ways to reduce the risk of data tampering. Your organization may have already implemented some of these ways. But at a minimum you should have regular system intrusion and penetration testing to review each of the following: • Intrusion detection systems (IDS) to detect hackers Organizations can spend a fortune on traditional data network security measures such as firewalls and anti-virus software, but still fail to protect their data while it’s moving through the network. • Intrusion Prevention Systems (IPS) to counter penetration attempts • Internal access controls based on passwords or identity keys • Encryption of all network traffic • Access control to prevent 18 unauthorized entry to secure areas • Measures to discourage tailgating • Motion detectors and/or CCTV monitoring to secure areas Defensive actions may seem equally obvious: Identify your most sensitive data and segment your IT infrastructure, increase the visibility of your network activity through analytics and forensics tools, and monitor your logs. The best advice, however, is to encrypt your data in the most effective and efficient way possible. Organizations can spend a fortune on traditional data network security measures such as firewalls and anti-virus software, but still fail to protect their data while it’s moving through the

network. Once the data leaves the building, it can be attacked and directly controlled from the outside. By encrypting sensitive data while in motion, you can rest easy that data accessed by unauthorized parties is useless in their hands. It’s a common misconception that any encryption of data in motion can lead to bandwidth losses, poor network performance and increased costs. But that doesn’t have to be the case. Data in motion can be protected at any level in the communication subsystem; where volumes are low, software encryption based on SSL/TLS may be enough. With greater demands on the network, you’ll need more efficient approaches, with encryption at either Layer 2 or Layer 3. As a refresher, Layer 2 devices such as network switches operate at the data link level (one above Layer 1, or the “physical layer”). Layer 3 is the next Layer up – also known as the Internet Layer, often made up of routers or “switch routers.” Layer 3 encryption is more commonly known as IPSec (Internet Protocol Security) encryption, is generally provided within the routers that are deployed throughout your data network. However, IPSec does affect the throughput performance of the data network. With Layer 3, overheads are typically 30-40%. While dedicated internal networks may be able to accommodate this, using Layer 3 encryption across public networks can be expensive. IPSec essentially imposes an encryption tax on your data. For that reason, in practice, the higher the network speed or the greater the bandwidth requirements, your more likely solution would be Layer 2 encryption. Layer 2 encryption can be applied in point-to-point, meshed, and VPN or MPLS networks. The most effective form of Layer 2 encryption is provided by dedicated hardware systems that use the AES algorithm and encrypt with 256 bit keys. To ensure that these devices are secure you should always verify that they are appropriately accredited to international security standards. For federal agencies, that standard would be Federal Information Processing Standard Publication (FIPS) 140-2 FIPS Publication 140-2 is a 19 U.S. government computer security standard used to accredit cryptographic modules. It is a joint effort mandated by both the United States and Canadian governments, and recognized by many other countries and institutions. Products that meet the security requirements of the FIPS 140-2 Cryptographic Module demonstrate security and proficiency which both government and commercial customers can rely upon. When current best practice data encryption technology is implemented for data in motion and data at rest, the data gained by cyber-criminals is, of course, rendered completely useless assuring no risk of adverse consequences. Shawn Campbell is VP of Product Management, SafeNet Assured Technologies, LLC. He can be reached at Shawn.Campbell@