As a fundamental practice in protecting sensitive data, encryption has long been a focal point in cyber security development and implementation. However, in light of recent news on surveillance efforts by government agencies, as well as cyber espionage attempts by foreign governments, data encryption has been getting a lot of attention.
When effectively applied, strong encryption algorithms are trusted to keep prying eyes off of meaningful data. However, companies and government agencies continue to struggle to ensure their data is being adequately protected. Furthermore, cloud providers wishing to do business with the federal government often find themselves unable to offer the assurance that their encryption methods are up to the task.
There are a number of roadblocks to reliable encryption, and the following challenges are some of the most common. Fortunately, each one has a viable solution.
1. Choosing the right configuration for encryption. According to Johns Hopkins cryptography researcher Matthew Green, many organizations rely on SSL to encrypt sensitive data. And although this protocol is effective, its keys are comparatively small and vulnerable to interception. Green suggests that certain configurations for SSL, such as DHE and ECDHE, can more effectively protect against successful decryption than the RSA configuration.
2. Covering the full lifecycle. For complete protection against surveillance, data needs to be encrypted not just during transfer, but also when it’s at rest and when it’s accessed by applications. Successfully managing encryption across the full lifecycle can mean rewriting software, planning cross-jurisdiction governance and adding processes. Organizations handling the full lifecycle of their data need to invest in methods to ensure encryption at all stages.
3. Key management. The high volume and wide distribution of data that organizations manage result in the generation of a large number of keys, which need effective management. In addition to wide-ranging governance considerations, this calls for consistent training to ensure privacy at all times.
4. Encryption in the cloud. Organizations employing cloud services for data management have additional challenges in applying encryption since the cloud service provider holds the key to that encrypted data. Solutions for using encryption in the cloud exist. However, getting everything right in the implementation of these solutions is best left to a cloud security expert.
5. FedRAMP. Cloud service providers looking to work with federal government agencies have a particular interest in meeting encryption standards, which by FedRAMP regulations means FIPS 140-2 validation. Since the inception of FedRAMP, this standard has been a major hurdle for many CSPs. However, specialists in the area of FedRAMP compliance have been successful in helping many CSPs gain certification.
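To illustrate item 1, the following added example (not code from the original article) uses Python's standard `ssl` module to build a server context restricted to ECDHE and DHE key exchange and to flag cipher suites that rely on static RSA key exchange instead. The cipher string, the function names and the sample suite list are assumptions made for this illustration.

```python
import ssl

# Assumed policy for this example: only ephemeral (EC)DHE key exchange with AES-GCM.
FS_ONLY = "ECDHE+AESGCM:DHE+AESGCM:!aNULL"

def is_forward_secret(name: str) -> bool:
    """True if an OpenSSL cipher-suite name uses ephemeral key exchange."""
    if name.startswith("TLS_"):        # TLS 1.3 suites always use ephemeral (EC)DHE
        return True
    # OpenSSL puts the key exchange first; a bare "AES256-..." name means RSA key exchange.
    return name.split("-", 1)[0] in ("ECDHE", "DHE", "EDH")

def audit(names):
    """Return the suites from a reported list that lack forward secrecy."""
    return [n for n in names if not is_forward_secret(n)]

def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses static-RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FS_ONLY)           # raises ssl.SSLError if nothing matches
    return ctx

def non_fs_in_context(ctx: ssl.SSLContext):
    """Suites enabled in ctx that are not forward secret (TLS 1.3 is exempt by design)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and not is_forward_secret(c["name"])]

# Constructed sample: a suite list as a scanner might report it for a legacy server.
LEGACY = [
    "AES256-GCM-SHA384",               # RSA key exchange
    "AES128-SHA",                      # RSA key exchange
    "ECDHE-RSA-AES128-GCM-SHA256",     # ephemeral ECDH, RSA used only to authenticate
    "DHE-RSA-AES256-GCM-SHA384",       # ephemeral DH, RSA used only to authenticate
]

if __name__ == "__main__":
    print("legacy suites without forward secrecy:", audit(LEGACY))
    ctx = hardened_server_context()
    print("hardened context enables", len(ctx.get_ciphers()), "suites")
    print("non-forward-secret suites still enabled:", non_fs_in_context(ctx))
```

With RSA key exchange, anyone who later obtains the server's private key can decrypt recorded sessions; with DHE or ECDHE the session keys are derived from ephemeral values, so the certificate key only authenticates the handshake.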
For cloud service providers, organizations entrusting their data to the cloud, or organizations managing their own end-to-end encryption, Lunarline helps effectively implement encryption across the entire lifecycle. For more information about our products and services, visit Lunarline.com or contact us today.