IT’S YOUR DATA
PROTECT IT END-TO-END Industry Perspective
Your data sets are the crown jewels of your enterprise. You must be able to protect them through their entire lifecycle while keeping them available to those who need them. Bill Bacci, Federal Director of Data Security at HPE, explained why government agencies need a comprehensive approach to enterprise data protection in a recent interview with GovLoop. He also shared how data security technologies can help agencies achieve end-to-end data-centric security without compromising functionality.

Information technology is an enabler that has changed the way agencies do business and perform their mission. It allows the collection and use of data for analytics, transactions and delivery of services. As this data is collected and combined, it increases in value. Big data has emerged as a resource that can be mined for insights and understanding of your mission and constituents, and used to improve decision-making and customer experiences.

This value is a two-edged sword. As the data gains value, the consequences of a compromise of sensitive data – intellectual property (IP), personally identifiable information (PII), personal health information (PHI), financial (FTI) and other sensitive data – grow, too. It becomes a target for criminals and other adversaries, and the potential harm to the organization and to individuals as the result of a breach becomes greater. Securing IT infrastructure alone no longer provides adequate protection. The data itself must be protected through its entire lifecycle while keeping it available to those who need it, when they need it, without adding computational overhead.
Today’s Threat Landscape
Traditional IT security has focused on the IT infrastructure, beginning at the perimeter and then moving inward to the network and the application. But the threat landscape has changed greatly over the years, both in the nature of the threats and their targets. Threats are constantly evolving as adversaries adapt to changes in technology and refine their attacks. As vulnerabilities are found and patched, new vulnerabilities are being discovered and exploits developed. But the old exploits seldom disappear – they remain in use to target unpatched and outdated systems, and often are recycled as part of newer, more complex attacks. Multistage attacks are used to quietly breach defenses, move vertically and horizontally through compromised systems and enterprises, elevate stolen privileges and lie hidden until they execute their mission – which is most often the collection and exfiltration of sensitive data.
The New Value Proposition
Career bank robber Willie Sutton, when asked why he robbed banks, was said to have replied, “Because that’s where the money is.” (Sutton denied making this remark, but admitted in his autobiography, “If anybody has asked me, I’d probably have said it.”) Apocryphal or not, the rule also applies to cybercrime. Among the earliest targets of online thieves were individual credit card and bank account details, which could be immediately exploited for cash. The value proposition of digital data has expanded since then. Today credit card information is stolen and marketed in bulk, and PII, FTI and PHI are gathered as tools for identity theft that can be used for everything from opening new accounts to tax fraud. IP and confidential information of all types are targeted by nation states, non-nation states and non-governmental organizations to gain technical, political and military advantages.
Big data – the ability to aggregate, correlate and analyze large volumes of data from disparate sources – has added to the value of the information now being held in the enterprise, creating attractive new targets for the bad guys who are going after money and advantage. In addition to the threats posed by a data breach to the enterprise, the compromise of PII, PHI or any sensitive information can also have a serious impact on individuals, violating their privacy and exposing them to financial and other risks. Because of this, a variety of privacy regulations were enacted by Congress to protect citizens’ personal information. Some of these are:
⇾⇾ The Gramm-Leach-Bliley Act (GLB)
⇾⇾ The Health Insurance Portability and Accountability Act (HIPAA)
⇾⇾ The Children’s Online Privacy Protection Act (COPPA)
⇾⇾ The Fair Credit Reporting Act (FCRA)
⇾⇾ The Cybersecurity Act of 2015
The Perimeter – Necessary but Not Sufficient
The traditional defense against cyber intruders begins with perimeter security. Firewalls, intrusion detection and prevention systems and other tools for filtering and blocking traffic at the enterprise edge are used to keep unwanted traffic out and to deny access to unwanted outsiders. The idea is logical: If you can keep the bad guys outside the fence, everything inside is secure. There are weaknesses in this strategy, however. One is that any fence you build must still be open enough to support customer and employee access. Additionally, no fence is good enough to keep everyone out, and technology changes so quickly that adapting the fence becomes a never-ending and eventually impossible challenge.
The perimeter is amorphous – constantly changing with technology, and has become less well-defined with the increasing use of mobile devices and the advent of cloud computing. And perimeter defenses do nothing against insider threats, whether they’re malicious or well-intentioned. The upshot of this is the concept of defense in depth – multiple lines of defense, each backing the others in case of a breach. The network, applications and various access paths all have their own lines of defense. All of these lines are necessary parts of a complete cybersecurity program, but they are not sufficient by themselves.
The Final Line of Defense
The final line of defense is at the data itself. The challenge is to defend this line as if there were no other layers in front of it, so that in the event of a breach – and breaches will occur – the data is still protected. This is important, because breaches are increasingly stealthy. The bad guys often are in systems for weeks or even months before they are discovered or begin exfiltrating data. Data owners, systems administrators and security professionals cannot assume that the defense-in-depth strategy remains intact merely because a breach has not yet been detected.
The Challenge of Securing Data in the Enterprise
Just as a bank locks its money in a vault against robbers who make it through the front door and past the surveillance and alarm systems, data must be continuously protected as well.
Security is almost always a tradeoff: Increased security means less convenience. So security is balanced against the need to keep systems user-friendly and the resources available. This can be a particularly difficult balancing act in the case of enterprise data. It is a high-value target requiring high security, but to realize its value to the enterprise, it must be readily available to those who need it. The answer to this challenge is a solution that provides security through the complete lifecycle of the information, without interfering with its use.
Making it Secure
Your data requires end-to-end protection, but most solutions fall short. Disk-level encryption and database encryption provide physical protection for data while it is at rest. Strong encryption available today – such as the U.S. government standard Advanced Encryption Standard (AES) – provides strong security, protecting data against theft and leakage when disks or database files are exploited. But it does not protect data while it is in transit from storage to user. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encrypt data in transit to protect it from interception. Each of these strategies has gaps in protection from an end-to-end perspective, and none protects the data while it is in use. Disks decrypt at runtime, data in an encrypted database must be decrypted to respond to an SQL request, and SSL-protected data is decrypted when it reaches the end user, creating gaps in data protection.

Your enterprise needs a way to secure your data end-to-end – at rest, in transit and in use – while maintaining its value as an enterprise resource. This requires protecting it throughout its lifecycle, from the time it is gathered through its final use, and making it available only to those who need it when it is actually needed. This can be accomplished with data-centric security that protects data as it is captured, processed and stored across a variety of devices, operating systems, databases, platforms and applications.
End-to-End Encryption for Your Enterprise
The answer to security is to protect sensitive data while providing each user what is needed – and only what is needed – to perform an operation.
Format Preserving Encryption
When information is being used, and sensitive information needs to be protected, often only specific pieces of data are needed. Help desks, for example, often need only the last four digits of a Social Security number to verify a caller’s identity. Help Desk personnel can request the SSN from a database and the user only sees the last four digits in plaintext. Researchers and analysts often need data about activities, events and conditions – such as demographics or health conditions – but do not need any personally identifiable information associated with it.
This is done through data-centric protection, in which data is encrypted without changes to its format or integrity. This means that an SSN retains its 123-45-6789 format although the numbers themselves are protected through high-level encryption. The SSN is stored encrypted in the database, and if only the last four digits are needed to verify identity, the first five digits stay encrypted while the last four are revealed.
Making the Data Useful
Traditional encryption has an enormous impact on data structures, schemas and the applications using the data. For example, a 16-digit credit card number encrypted with AES produces a long alphanumeric string. As a result, database schema changes are required. HPE Format-Preserving Encryption (FPE) overcomes this challenge by encrypting any type of data while maintaining its original format. This means that no changes are needed to the database schema and minimal changes to applications are required – often none at all. HPE FPE is a mode of the industry-proven Advanced Encryption Standard (AES), so users do not sacrifice security by compromising encryption strength. Structured data fields, such as Social Security, Tax ID, credit card and account numbers, dates of birth, salary, or other sensitive information can be encrypted in place and can be located – although they remain unreadable – by applications. In a development environment, HPE FPE de-identifies production data to create structurally valid test data. This allows developers or users to perform quality assurance testing or conduct data analysis – all without exposing sensitive data. The HPE SecureData Enterprise management console enables easy policy control and provides audit capabilities across the data lifecycle, even across thousands of systems.
The result of data-centric security is end-to-end protection that does not sacrifice usability or incur added overhead for decryption and key management. HPE SecureData employs Stateless Key Management to eliminate one of the largest operational headaches in managing encryption. It securely and mathematically derives any key as needed by an application once the application and its users have been properly authenticated and authorized against a centrally managed policy. This eliminates the cost and complexity of large-scale encryption:
⇾⇾ Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes;
⇾⇾ Making it easy to recover archived data because keys can always be recovered;
⇾⇾ Automating supervisory or legal e-discovery through simple application APIs, both native and via web services; and
⇾⇾ Maximizing the re-use of access policy infrastructure by integrating easily with existing identity and access management frameworks and dynamically enforcing data-level access as roles change.
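The following Python is an added illustration, not code from this report or from HPE SecureData, of the two ideas described above: a key derived statelessly from a master secret plus a policy context, and a digit-preserving cipher that encrypts only the first five digits of an SSN so the last four stay readable for a help desk. The Feistel construction with an HMAC-SHA256 round function, the `derive_key` context format and the sample values are assumptions made here; HPE FPE is an AES mode and is not reproduced.

```python
import hashlib
import hmac

# Constructed master secret for this illustration only; a deployment would keep
# it in an HSM or key server. This is a simplified Feistel FPE, not FF1/HPE FPE.
MASTER_SECRET = b"constructed-demo-master-secret"

def derive_key(app_id: str, purpose: str) -> bytes:
    """Stateless key derivation (assumed design): the data key is recomputed
    from the master secret plus a policy context, so no key database is needed."""
    context = f"{app_id}|{purpose}".encode()
    return hmac.new(MASTER_SECRET, context, hashlib.sha256).digest()

def _round_fn(key: bytes, rnd: int, tweak: bytes, half: int) -> int:
    """Keyed pseudo-random function for one Feistel round."""
    msg = bytes([rnd]) + tweak + str(half).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")

def fpe_digits(key: bytes, digits: str, tweak: bytes = b"",
               decrypt: bool = False, rounds: int = 8) -> str:
    """Map a decimal string to another decimal string of the same length
    (a Feistel network over the two digit halves using modular addition)."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    la = n // 2
    a, b = int(digits[:la]), int(digits[la:])
    mod_a, mod_b = 10 ** la, 10 ** (n - la)
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    for i in order:
        if i % 2 == 0:                       # even rounds update the left half
            f = _round_fn(key, i, tweak, b)
            a = (a - f) % mod_a if decrypt else (a + f) % mod_a
        else:                                # odd rounds update the right half
            f = _round_fn(key, i, tweak, a)
            b = (b - f) % mod_b if decrypt else (b + f) % mod_b
    return f"{a:0{la}d}{b:0{n - la}d}"

def protect_ssn(key: bytes, ssn: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) the first five digits of an SSN in place, keeping
    the NNN-NN-NNNN layout and the last four digits readable for the help desk."""
    raw = ssn.replace("-", "")
    if len(raw) != 9 or not raw.isdigit():
        raise ValueError("expected NNN-NN-NNNN")
    head, tail = raw[:5], raw[5:]
    # The visible last four digits act as a tweak, binding the ciphertext to this record.
    head = fpe_digits(key, head, tweak=tail.encode(), decrypt=decrypt)
    out = head + tail
    return f"{out[:3]}-{out[3:5]}-{out[5:]}"
```

Because the protected value is still nine digits with hyphens in the same places, it fits the original column and passes the same format validation as a real SSN, which is the schema-compatibility point the text makes.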
Conclusion
Agencies must protect their data for the entire lifecycle. Given the current threat environment, protecting the perimeter is not enough. It is essential that agencies look for a comprehensive end-to-end data-centric security solution to protect their most sensitive information, while keeping the data accessible.
About HPE
Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry’s most comprehensive portfolio, spanning the cloud to the data center to workplace applications, our technology and services help customers around the world make IT more efficient, more productive and more secure.

About TSPi
Technology Solutions Providers, Inc. (TSPi) is a certified Small Disadvantaged Business providing performance-driven end-to-end IT solutions to federal government customers. For over 15 years our business model, as well as our key to success, has been based upon maintaining long-lasting relationships by delivering performance-driven results. Our federal government customers can readily attest to our in-house expertise, commitment to quality, reliability, and exceptional performance. TSPi is Capability Maturity Model Integration (CMMI) Level 2 appraised and International Organization for Standardization (ISO) 9001:2008 certified.

About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.
www.hpe.com | www.hpe.com/gov/transformation | @HPE
For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop