FCW : January 2014
Encryption challenges move to the cloud

Cloud computing is expanding the data encryption and key management issues agencies face

BY JOHN MOORE

Data encryption is not a new issue for federal agencies, but the act of housing applications and data in cloud environments raises a new set of data encryption and key management considerations.

The National Institute of Standards and Technology published a report in September titled "Cryptographic Key Management Issues and Challenges in Cloud Services."

"NIST researchers and the experts who joined our NIST Public Security Working Group further are investigating the key management challenges in a cloud environment to develop a road map for standards and technology research to handle those key management challenges," said Ramaswamy Chandramouli, one of the report's authors and a computer scientist in NIST's Computer Security Division.

Why it matters

NIST's report says key management is a tough assignment even in traditional data centers because of the volume of data, its distribution in different physical and local storage media, and the large number of cryptographic keys involved. The job gets even harder in the cloud.

"This function becomes more complex in the case of a cloud environment, where the physical and logical control of resources...is split between cloud actors," the report states.

The actors NIST refers to are cloud consumers, providers and brokers. The latter category refers to companies that source cloud services from one or more providers and deliver them to customers.

The cloud might complicate matters, but regardless of computing style, key management has been the perennial weak link in encryption.

James Christiansen, chief information risk officer at RiskyData, an information security and privacy management solutions firm, likened the situation to a person who installs an expensive car alarm but leaves the keys in the door.

"It's the same thing in organizations," he said. "If I think about attacking a company and how I would attack it, I would always attack the key management system. Why attack AES-256 data when you can just attack the keys?"

Yet he said his clients often neglect to discuss the challenges of key management with infrastructure-as-a-service and platform-as-a-service providers before signing contracts.

The main concerns are who owns the data and who has the keys, Christiansen said. In a multitenant public cloud, for example, a customer is served a slice of the cloud provider's total storage space. Christiansen said vendors will often tell customers that there is nothing to worry about because all the data is encrypted, but the problem is that all the data is encrypted with a single key.

The cloud service provider, in effect, becomes the "one stop where the hackers or hacktivists would know to go to have a defined place to look for where those keys are stored," said Rob Chee, security team lead at federal IT solutions provider Force 3.

Christiansen said security is only as good as the cloud service provider's key management. Yet customers usually don't ask vendors the pertinent questions, such as whether their data is encrypted separately from other companies' data.

The fundamentals

As organizations protect more data through encryption, the keys they need to track proliferate. Security vendors say