FCW : May 30, 2016
ExecTech

Understanding the encryption options

BY MARIA KOROLOV

When it comes to protecting data, it’s rarely as simple as “encrypt it all, all the time”

Encryption works. So why aren’t all agencies encrypting everything, everywhere, all the time?

The short answer: Although it might be effective, encryption is not that simple. It can be costly and time-consuming. It can also be sabotaged by users and difficult to integrate with legacy applications.

So to make smart decisions about where and how to encrypt, it’s essential to understand the different approaches.

Protecting data stored on servers

Data encryption addresses four major areas: data in motion, data stored on user devices, data stored on servers and data that is currently being used.

Today, most encryption efforts focus on data stored on servers because that is where the majority of big breaches take place.

“There are lots of different challenges,” said Sol Cates, chief security officer at Vormetric. “How do I do this at scale? And how do I do it across multiple application stacks, architectures, cloud services and legacy applications?”

Part of that complexity is the challenge of managing encryption keys. There is typically no more than one password per user per application, and users generally get to choose them. But encryption keys are long. The smallest recommended key, AES-128, is the equivalent of a 39-digit number. RSA-2048 is equivalent to a 617-digit number. And each file and message require separate keys.

Losing the key is the same as losing the data. And failing to protect the keys creates a fatal security flaw, said Tammy Moskites, CIO and chief information security officer at Venafi.

“If you don’t know where the keys are, it helps the bad guys circumvent controls,” she added. “Then there’s a huge security gap.”

A particular challenge for government agencies is encrypting legacy systems. Encrypting a database and sticking it on a shelf somewhere is simple enough. But encrypting a database that is constantly being used is something else entirely. The encryption must be built in from the start or added afterward to the database itself and all the applications that access it — at significant cost.

“The Office of Personnel Management was [using] an old, legacy mainframe system that did not have the capability to do encryption,” said Jerry Irvine, CIO at Prescient Solutions. “And there are still lots of old systems out there.”

In fact, according to a report OPM issued shortly after last year’s breach, “Full encryption of the databases that were accessed

Some encryption options

• Full-disk encryption. Fully encrypting everything on a particular device, such as a laptop, is useless unless the device is protected with a secure password. It is also ineffective if the device is compromised while it is being used or if the user turns off the password protection. But when implemented correctly, not even the FBI can breach full-disk encryption.

According to the Aberdeen Group, 70 percent of all breaches of endpoint devices involve loss or theft, and full-disk encryption would be useful in blocking them.

• File-level encryption. If hackers get into a particular file on a server, they would not be able to access others because the files are locked with different keys. However, if hackers compromise a privileged user’s account, they might be able to access a large number of files. For maximum effectiveness, agencies should keep the number of privileged accounts to a minimum and use multifactor authentication to reduce the risk of outside access.

Aberdeen Group research shows that 93 percent of breaches involving servers are caused by hacking, malware, misuse and error, which file-level encryption would be useful in preventing.