Encryption Is Key to a More Secure Cyber Future
Proper key management can thwart the theft of sensitive data.
The increase in cyberthreats from both internal and external sources has put the onus on government agencies, particularly at the federal level, to implement strong cybersecurity architectures. While encryption is an essential component, without careful implementation, criminals easily can exploit its weaknesses, and the emerging power of quantum computing could compound the problem.
Despite vulnerabilities, encryption is central to data protection. Even Silicon Valley tech giants and Washington lawmakers found consensus on the issue. “Any measure that weakens encryption works against the national interest,” reads the first observation listed in a 2016 joint report from the U.S. House Judiciary and Energy and Commerce committees. The report reflects the testimony of stakeholders from the national security community, civil society organizations, the private sector and academia, all of whom agree that “encryption is one of the strongest cybersecurity tools available.”
So let us get keyed in. Neither encryption nor key management is magic, but they can be likened to the secret decoder rings once popular with kids. Symmetric key encryption uses the same key for both encryption and decryption. Anyone who can access the message can break the code. Asymmetric, or public key, encryption addresses this challenge and uses public and private keys to encrypt and decrypt data. Anyone can encrypt a message using the public key, but the only way to decipher the message is by using the private key.
Of course, the process is slightly more complicated when implementing data security, especially for highly sensitive data. One major challenge emerges: encryption key and policy management. Encryption key management involves everything that touches cryptographic keys, from generation to use, storage and destruction, according to the National Institute of Standards and Technology. Without strong policies, users will not get the full benefit of encryption, if any benefit at all.
Most keys are generated by algorithms, from a true random seed, and are known as pseudorandom or deterministic random numbers. This method poses a vulnerability that has been a root cause of multiple reported breaches and will be even more risky in the future as the processing power of attackers increases. Of particular concern when it comes to brute processing strength is the new class of quantum computers in development. But the news is not all bad. A way to generate full entropy or true random numbers exists, and it does not rely on algorithms. By using quantum effects, we can generate true random numbers at high rates, sufficient for the security needs of large organizations.
Still, there are other complications in a cybersecurity infrastructure. Bad actors who want to access and steal data to ransom back to victims or to release secrets to the world pose increasingly serious threats. One basic method to guard against bad guy breaches is to implement network segmentation. Segmenting significantly decreases the chances that if one device—a smartphone, a laptop or a server—is compromised, then the hack will not infect the entire system. It is as basic a protection as firewalls and encryption, but the extra security layer produces an extra layer of complexity to the task of managing multiple network segments.
An appropriate encryption key management system allows for virtual network segmentation so that rather than requiring physical segregation, logical segregation can be implemented using cryptographic techniques. This simplifies network configuration and device management and moves much of the complexity into the key management system.
Key management also has a link to data centers. Consolidation and modernization of the U.S. Defense Department’s information technology infrastructure renders key management easier overall. The department, quite possibly the largest data center operator in the world, has been trying to reduce the number of physical data centers since the 2010 creation of the Federal Data Center Consolidation Initiative, now the Data Center Optimization Initiative. By the end of fiscal year 2015, the department had closed 18 percent of its data centers, fewer than half of the 40 percent goal, according to a Defense Department Inspector General report.
Keeping cybersecurity best practices alive when consolidating data centers is difficult to do when information technology teams treat virtual machines differently than physical hardware. Do not do that. Implement cybersecurity for virtual machines the same way as for physical servers. And encrypt the data on virtual servers. This security layer adds a layer of key management work, but it is vitally important. More and more virtual machine and virtual storage products come with support for encryption and interfacing with standards-based key management servers.
Encryption in the cloud has its own set of concerns. In January, IBM signed a contract to build, manage and operate a private cloud data center at the Army’s Redstone Arsenal in Huntsville, Alabama. Army leaders now face these questions: Should the service encrypt its data before turning it over to IBM and the cloud? Should it rely on IBM’s encryption? Should it retain control of the keys and encryption key management or entrust those cybersecurity safeguards to the contractor, which has been cleared to handle the most sensitive government secrets? In a post-Edward Snowden world, this last question carries a lot of weight.
A good rule of thumb is to keep keys close. While it might be more convenient at times to share keys with trusted third parties, a little frustration over inconvenience in the name of security is better than the massive problems a breach can cause. Ideally, smart key management makes theft of sensitive data considerably less convenient.
John Leiseboer is founding chief technology officer at Australia’s QuintessenceLabs and is responsible for the research, design and development of key management, communication security and information security products. He has 35 years of experience in these areas. The views expressed are his own.