Safeguarding data-filled devices requires sophisticated tools

Safeguarding an ever-expanding variety of data-filled devices requires sophisticated tools and methods.

Military data security initiatives are typically defensive strategies designed to protect information at and beyond the network perimeter. Yet such efforts omit a crucial vulnerability—sensitive data at rest.

“Data at rest” refers to any type of information stored inside a computer device, such as network servers, smart phones, tablet systems and various forms of removable storage, while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated.

Encryption Rules

Encryption remains the best way to secure information at rest, said Joseph Ford, a solutions engineer at Accuvant, a Denver-based company that provides information security services to the federal government. "But traditional full-disk encryption does little to enhance security on servers," he added. "File and folder solutions add advanced encryption and centralized key management."

For unclassified yet “sensitive” data, such as "For Official Use Only" or "Sensitive But Unclassified" (SBU), Federal Information Processing Standard 140-2 validated cryptography and key management is required, said Eric Warden, vice president for national security solutions at consulting firm Accenture Federal Services, based in Arlington, Va. "For encryption, AES (Advanced Encryption Standard) is most commonly used with key sizes of 128, 192, or 256-bit," he added.
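The file and folder encryption with centralized key management that Ford describes, combined with the AES-256 option Warden cites, is illustrated below as an added example (not code from the article or from any vendor named in it). Each file is sealed under its own 256-bit data key, and that key is wrapped under a central key-encryption key, so the key manager holds only the KEK; the envelope layout and the use of the file path as authenticated data are assumptions of this example, not something the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal returns nonce || AES-GCM ciphertext || tag; a 32-byte key selects AES-256.
// aad (the file path) is authenticated, so a record cannot be moved to another path.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+); it aborts instead
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// open reverses seal; a wrong key, tampered record or changed aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// EncryptFile (assumed envelope layout): a fresh 256-bit data key (DEK) per file, wrapped
// under the central key-encryption key (KEK) so only the KEK is long-lived. Returns (wrappedDEK, body).
func EncryptFile(kek []byte, path string, contents []byte) ([]byte, []byte, error) {
	dek := make([]byte, 32)
	rand.Read(dek) // never returns an error (Go 1.24+)
	body, err := seal(dek, contents, []byte(path))
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(kek, dek, []byte(path))
	return wrapped, body, err
}
// DecryptFile unwraps the DEK with the KEK, then opens the body under the DEK.
func DecryptFile(kek []byte, path string, wrapped, body []byte) ([]byte, error) {
	dek, err := open(kek, wrapped, []byte(path))
	if err != nil {
		return nil, err
	}
	return open(dek, body, []byte(path))
}
```

Rotating the KEK means re-wrapping only the small per-file key records, not re-encrypting every file body.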

For classified data, Type 1 or Suite B cryptography is most commonly used, Warden said. "Type 1 products utilize cryptographic algorithms that are strictly controlled for use by U.S. government users/contractors and federally-sponsored non-U.S. government activities subject to International Traffic in Arms export restrictions," Warden explained. "Suite B products use well-known, standard algorithms, such as AES and Elliptic Curve Diffie–Hellman, hence also provide strong cryptographic protection, but are exportable, hence more interoperable with non-US partners/entities."

"I don't think encryption will ever go away," said Cedric Leighton, a retired Air Force colonel who until 2010 was deputy director for training at the National Security Agency. "For now, strong encryption is still the best way to secure data at rest," said Leighton, currently an independent security consultant.

Policies and Practices

Beyond encryption, locked doors and drawers can be used to secure systems containing data at rest. Yet this approach often isn't practical, Ford said. "Since most Defense Department systems require 24 x 7 x 365 availability, the idea of taking systems offline does not make sense," he observed.

Mobile devices can be even more difficult to physically protect. "By their very nature, mobile devices can easily fall into the possession of unfriendly parties," Warden said. "Many mobile devices have the ability to be cleansed remotely if possession of the device is lost; however, there is an inherent delay in using this capability, and there are ways to subvert the erasure while data stored on the device is accessed."

Both fixed and mobile systems should be designed with the goal of limiting the presence of data at rest, Warden said. "Many 'thin client' or 'zero client' solutions are available that enable sensitive data to persist on the server or in the cloud instead of on the device," he said. "The downside to these solutions is that near-constant network connectivity is required, which can present bandwidth challenges in a tactical/mission-oriented environment."

As with all technology challenges, it's vital to maintain a strong set of policies and procedures. "A data classification policy is critical ... as encrypted and protected storage should only be used for data that needs this level of security," Ford said. "Organizations end up over-deploying encryption solutions, which can lead to higher cost and administrative overhead."

New Challenges

As the military continues moving toward mobility-oriented devices, fresh challenges are arriving. "The number of operating systems and hardware platforms is growing," Ford observed. "[Yet] some of the emerging platforms are closed systems, and it is difficult to manage [such] native devices."

Protecting data on mobile devices, such as smart phones and tablets, poses the biggest data at rest security challenge, according to Warden. "This is due to the limited availability of Federal Information Processing Standard (FIPS) validated cryptography for platforms such as iOS and Android," he said. "Native cryptography provided with the OS for those platforms has not been validated, so vendors must use third-party libraries, which can limit portability, as well as raise the cost of their products due to license fees."

Verifying COTS devices for proper implementation of FIPS-validated cryptography can also be a challenge, Warden said. "The NIST Cryptographic Module Validation Program validates the implementation of cryptographic modules, but verification of module integration into COTS products is out-of-scope," he observed. "This makes it challenging for purchasers and end users to have confidence that data at rest is being protected as advertised."

Trusted operating systems, which allow information with multiple classification levels to be stored on a device accessed by different users, promise enhanced data protection while maintaining system usability. "The trusted OS offers separation of data to provide access to information only to users or processes that have the appropriate clearance to access the data," Warden said. "This can be used in conjunction with thin-clients, encryption and physical protection to enhance the security profile of the overall system."

Educating staff on how to protect systems and devices is also important, since people are the first line of data defense. "Staff should be appropriately trained on how to protect data at rest from technical and physical security perspectives," Warden said.

"Not only do people have to be properly vetted to handle this type of information, but they must be able to 'zeroize' the data should it ever be at risk of being compromised," Leighton added.
