While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Regardless of where federal agencies store their data, security remains a top concern. While agencies typically prefer to keep data in-house, cloud providers sometimes apply security patches and other security updates more diligently than government IT staff do.
Like their enterprise peers, government IT staff sometimes push patch updates behind more pressing projects. Cloud providers, on the other hand, make patches a top priority as their reputation and revenue could suffer greatly if there’s a data breach they could have prevented. The same applies when updating to a new version of a product, such as SQL Server.
Agencies typically follow strict processes for evaluating new products. That includes developing implementation guidelines that can take six months to a year. If the new version plugs security holes, that delay means a big window of opportunity for hackers.
As in the enterprise space, federal users leverage encryption more than before.
“We’ve seen a big uptake in encryption at rest,” says Rob Stein, vice president for NetApp’s U.S. public sector division. “A lot of our customers use encrypted drives.”
There are multiple options for implementing encryption. Agencies can, for instance, apply encryption only to high-priority data sets, cutting cost while preserving performance on the rest.
“Because Tintri manages data at VM granularity, users can isolate which applications they wish to encrypt at rest without affecting adjacent workloads or performance,” says Rodney Billingsley, Tintri’s senior federal director.
Granularity also helps minimize the impact of a breach.
Wayne Webster, Nimble Storage's vice president of federal sales, says that since most solutions are systemwide, all data must be destroyed following a breach. A better approach, he says, involves fine-grained encryption, where individual data sets have their own encryption keys. This allows for both the securing and destruction of data at a finer level.
Another consideration is whether to apply encryption end to end: on the storage device, in transit on the network and on an endpoint, such as a PC.
Webster says many systems that implement encryption use the hardware functionality of the disk drives or solid-state drives. However, reading the data from these drives so it can be sent remotely requires that data be decrypted into clear text.
“A better approach is to perform encryption and key management by the storage array operating system,” Webster says. “This approach allows data to remain encrypted during transit.”
Webster points to Nimble’s FIPS-certified SmartSecure encryption. It offers granular encryption and data shredding, ensuring data remains encrypted when sent across the network for data replication.
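The two properties Webster describes above, per-data-set keys that allow fine-grained shredding, and array-level encryption that keeps data encrypted while it is replicated, come from the same design: envelope encryption above the drive layer. The following Go program is an added example written for this article; it is a hypothetical model, not Nimble's SmartSecure or any vendor's code. Each data set (a volume or VM) gets its own data-encryption key (DEK), every DEK is wrapped under an array-wide key-encryption key (KEK), and replication ships only the wrapped DEK plus ciphertext. The `Array`, `Write`, `Read`, `Shred` and `Replicate` names, the assumption that a replica already holds the KEK from an out-of-band key manager, and the sample payloads are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Array is a hypothetical model (not any vendor's product) of a storage array
// that encrypts above the drive layer: each data set has its own DEK, wrapped
// under the array's KEK, so keys can be destroyed one data set at a time.
type Array struct {
	kek     []byte
	wrapped map[string][]byte // data set -> DEK wrapped under the KEK
	blocks  map[string][]byte // data set -> ciphertext as stored at rest
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering with nonce, ciphertext or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(sealed) < ns { return nil, errors.New("sealed blob too short") }
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) } // no CSPRNG: refuse to mint keys
	return k
}

// NewArrayWithKEK builds an array around a KEK. A replica shares the KEK; the
// example assumes a key manager distributed it out of band.
func NewArrayWithKEK(kek []byte) *Array {
	return &Array{kek: kek, wrapped: map[string][]byte{}, blocks: map[string][]byte{}}
}

// dek unwraps a data set's DEK; the data set name is AAD, binding key to data set.
func (a *Array) dek(dataset string) ([]byte, error) {
	w, ok := a.wrapped[dataset]
	if !ok { return nil, errors.New("no key for data set (unknown or shredded)") }
	return open(a.kek, w, []byte(dataset))
}

// Write encrypts plaintext under the data set's own DEK, minting one on first use.
func (a *Array) Write(dataset string, plaintext []byte) error {
	if _, ok := a.wrapped[dataset]; !ok {
		w, err := seal(a.kek, randomKey(), []byte(dataset))
		if err != nil { return err }
		a.wrapped[dataset] = w
	}
	dek, err := a.dek(dataset)
	if err != nil { return err }
	ct, err := seal(dek, plaintext, []byte(dataset))
	if err != nil { return err }
	a.blocks[dataset] = ct
	return nil
}

// Read decrypts the data set's stored block; it fails once the DEK is shredded.
func (a *Array) Read(dataset string) ([]byte, error) {
	dek, err := a.dek(dataset)
	if err != nil { return nil, err }
	ct, ok := a.blocks[dataset]
	if !ok { return nil, errors.New("no data for data set") }
	return open(dek, ct, []byte(dataset))
}

// Shred destroys one data set's wrapped DEK (crypto-shredding). Its ciphertext may
// stay on disk but is unrecoverable; every other data set keeps its own key.
func (a *Array) Shred(dataset string) {
	if w, ok := a.wrapped[dataset]; ok {
		for i := range w { w[i] = 0 }
		delete(a.wrapped, dataset)
	}
}

// Replicate models array-level replication: what crosses the network is the
// wrapped DEK plus ciphertext, both opaque without the KEK, so the data is never
// in clear text in transit. The wire bytes are returned so a caller can check.
func (a *Array) Replicate(dataset string, dst *Array) ([]byte, error) {
	w, ok := a.wrapped[dataset]
	ct, ok2 := a.blocks[dataset]
	if !ok || !ok2 { return nil, errors.New("cannot replicate: key or data missing") }
	dst.wrapped[dataset] = append([]byte(nil), w...)
	dst.blocks[dataset] = append([]byte(nil), ct...)
	return append(append([]byte(nil), w...), ct...), nil
}

func main() {
	kek := randomKey()
	src, dst := NewArrayWithKEK(kek), NewArrayWithKEK(kek)
	_ = src.Write("vm-payroll", []byte("constructed sample: payroll records"))
	wire, _ := src.Replicate("vm-payroll", dst)
	fmt.Println("plaintext visible on the wire:", bytes.Contains(wire, []byte("payroll")))
	src.Shred("vm-payroll")
	_, err := src.Read("vm-payroll")
	fmt.Println("read after shred:", err)
}
```

Contrast this with a self-encrypting drive: there the drive decrypts on every read, so an array that replicates by reading blocks puts clear text on the wire unless something above the drive re-encrypts it. Here the KEK never leaves the arrays and the DEK never leaves them unwrapped; a replica that lacks the KEK receives bytes it cannot decrypt, and shredding one data set's wrapped DEK leaves the neighbouring data sets readable.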
Agencies must also consider endpoint capacity. Some data sets may need to be accessed from smartphones or tablets, while other data sets need to be stored on these devices. Some enterprises resist using encryption on mobile devices because of the device’s lower processing power and memory.
That argument is waning, however. “If it’s not completely gone away, it’s definitely going away,” Audie Hittle, federal chief technology officer for EMC’s Emerging Technologies division, says of the resistance to encryption on mobile. “The solutions exist now, but awareness is key. The challenge is that so many agencies are personnel- and budget-constrained. Because of that, they don’t have the time to keep people aware of the options.”
Mobile also reflects a larger shift in security strategy.
Before the rise of mobile devices, data was stored in a single, central location, and the focus was on securing the tapes, drives and other infrastructure that held it.
“In today’s architectures, those controls simply don’t work because the data is much more distributed than before,” says Terence Spies, Hewlett Packard Enterprise distinguished technologist in data security. “Our data center strategy is about cataloging data: determining the crown jewels of an organization and identifying how they are accessed and consumed. Then you can think about protecting data through techniques like masking or format-preserving encryption.”
Secure multitenancy has become another critical piece, one that needs to be addressed both at the hardware and policy levels. Agencies should require a third-party provider to explain exactly how it ensures that one tenant’s data isn’t compromised if another customer inside the data center is breached.
“Multitenancy solutions need to be designed up and down the stack: not just at the storage level, but at the networking level and the server level,” Stein says. “NetApp has delivered converged infrastructure products that deliver this stack. That way, you have essentially virtual private networks for each tenant so there’s a boundary created, and data doesn’t go across users.”
For more on federal data storage, visit "Storage Wars: How the Federal Government is Tackling Data Growth."