Federal agencies face a growing dilemma: How to seize the speed and flexibility of cloud computing without sacrificing security in an increasingly distributed IT environment.
That dilemma carries over to decisions on how best to encrypt data in motion and at rest. As agencies turn increasingly to infrastructure, platform and software services that include built-in encryption engines, they run the risk that distributed encryption practices create their own set of vulnerabilities.
Too few federal agencies, however, are taking full advantage of readily available, centrally managed encryption platforms capable of securing data on-premises and in the cloud, according to a new technical brief.
“The Real Story on Encryption in the Cloud,” written by FedScoop and sponsored by Thales, underlines the benefits agencies can expect to gain by deploying a centrally controlled encryption management service. Those benefits include:
- The ability to better manage data access across multiple cloud and on-premises IT environments.
- Greater insights into user and administrator access to agency data.
- Improved data protection and reduced risk to data losses.
These benefits can now be achieved without the latency and performance issues that, until recently, were commonly associated with encryption engines, according to Brent Hansen, federal chief technology officer at Thales.
“When people think encryption they think, ‘Oh, it’s going to kill performance, it’s going to be complicated and it’s going to break everything in my application stack,’” Hansen said. However, many of those concerns are now a thing of the past, he continued. Encryption processing traditionally has taken place on a server’s main CPUs. However, more modern solutions now allow processing to be offloaded to other computing resources, for example, in the cloud.
Agencies that bring their own encryption management system to the cloud, however, gain substantially greater control over their data, wherever it may be. Not only do they control encryption keys protecting data at rest, they also control who has access to the encryption keys on third-party cloud services, giving added protection from potential insider or operator threats.
Hansen warns that encryption keys can be easily abused depending on the permissions extended to a cloud provider. If third-party developers or database administrators create their own key vaults, and create keys for whatever they need, it can compound into multiple key vaults with no end, he says.
“When you are putting data in the cloud you are trusting administrators with the most important thing you have,” he said. Insider threat at the cloud provider is a real attack vector, and agencies can protect themselves against it by owning the encryption keys themselves.
An agency greatly reduces its exposure to insider threats if it removes the ability to decrypt data from all administrative accounts, so that administrators can manage systems and keys without ever being able to read protected data.
This article was produced by FedScoop for, and sponsored by, Thales.