Safeguarding data-filled devices requires sophisticated tools

Safeguarding an ever-expanding variety of data-filled devices requires sophisticated tools and methods.

Military data security initiatives are typically defensive strategies designed to protect information at and beyond the network perimeter. Yet such efforts often overlook a crucial exposure: sensitive data at rest.

"Data at rest" refers to information stored persistently on a device, such as a network server, smartphone, tablet or any form of removable storage. It excludes data traversing a network (data in transit) and data temporarily held in memory to be read or updated (data in use).

Encryption Rules

Encryption remains the best way to secure information at rest, said Joseph Ford, a solutions engineer at Accuvant, a Denver-based company that provides information security services to the federal government. "But traditional full-disk encryption does little to enhance security on servers," he added. "File and folder solutions add advanced encryption and centralized key management."

For unclassified yet "sensitive" data, such as "For Official Use Only" or "Sensitive But Unclassified" (SBU) information, Federal Information Processing Standard (FIPS) 140-2-validated cryptography and key management is required, said Eric Warden, vice president for national security solutions at consulting firm Accenture Federal Services, based in Arlington, Va. "For encryption, AES (Advanced Encryption Standard) is most commonly used with key sizes of 128, 192 or 256 bits," he added.
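The file-and-folder approach Ford describes, with per-file keys under central key management, is commonly implemented as envelope encryption. The Go program below is an added example written for this page; it is not code from Accuvant, Accenture or any product mentioned in the article. Each file is encrypted under its own AES-256-GCM data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that in practice would stay in a key manager or hardware security module. The file path is bound in as associated data so an encrypted blob cannot be transplanted onto another file. The path and file contents are constructed sample values, and nothing here says anything about FIPS validation: whether the underlying module is validated is a property of the specific library and build a deployment uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope encryption for a stored file: a per-file DEK protects the contents
// with AES-256-GCM and is itself wrapped under a long-lived KEK held by a key
// manager. Added example code, not a product or program from the article.

const keyLen = 32 // AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext with a random 96-bit nonce and binds it to aad.
// Output layout: nonce || ciphertext || tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any change to the data or aad fails the tag check.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptFile returns: 2-byte big-endian len(wrappedDEK) || wrappedDEK || sealed contents.
// The path is associated data for both layers, so a blob cannot be moved to another file.
func EncryptFile(kek []byte, path string, contents []byte) ([]byte, error) {
	dek := make([]byte, keyLen)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	body, err := sealAEAD(dek, contents, []byte(path))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(kek, dek, []byte("dek:"+path))
	if err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	return append(out, body...), nil
}

// DecryptFile unwraps the DEK under the KEK, then opens the contents.
func DecryptFile(kek []byte, path string, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	dek, err := openAEAD(kek, blob[2:2+n], []byte("dek:"+path))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, blob[2+n:], []byte(path))
}

func main() {
	kek := make([]byte, keyLen) // in practice the KEK stays in the key manager or HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const path = "/srv/records/roster.csv" // constructed sample path
	blob, _ := EncryptFile(kek, path, []byte("constructed sample record"))
	pt, err := DecryptFile(kek, path, blob)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	_, err = DecryptFile(kek, "/srv/records/other.csv", blob) // moved blob fails authentication
	fmt.Println("blob moved to another path:", err)
}
```

The failure on the moved blob is the point of the associated data: a centrally held KEK on its own does not stop someone with write access to the storage from replaying one file's ciphertext as another's, unless the path or an object identifier is authenticated together with the contents. Rotating the KEK at the key manager then only requires re-wrapping the small DEKs, not re-encrypting every file.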

For classified data, Type 1 or Suite B cryptography is most commonly used, Warden said. "Type 1 products utilize cryptographic algorithms that are strictly controlled for use by U.S. government users/contractors and federally-sponsored non-U.S. government activities subject to International Traffic in Arms export restrictions," Warden explained. "Suite B products use well-known, standard algorithms, such as AES and Elliptic Curve Diffie–Hellman, hence also provide strong cryptographic protection, but are exportable, hence more interoperable with non-US partners/entities."

"I don't think encryption will ever go away," said Cedric Leighton, a retired Air Force colonel who until 2010 was deputy director for training at the National Security Agency. "For now, strong encryption is still the best way to secure data at rest," said Leighton, currently an independent security consultant.

Policies and Practices

Beyond encryption, locked doors and drawers can be used to secure systems containing data at rest. Yet this approach often isn't practical, Ford said. "Since most Defense Department systems require 24 x 7 x 365 availability, the idea of taking systems offline does not make sense," he observed.

Mobile devices can be even more difficult to physically protect. "By their very nature, mobile devices can easily fall into the possession of unfriendly parties," Warden said. "Many mobile devices have the ability to be cleansed remotely if possession of the device is lost; however, there is an inherent delay in using this capability, and there are ways to subvert the erasure while data stored on the device is accessed."

Both fixed and mobile systems should be designed with the goal of limiting the presence of data at rest, Warden said. "Many 'thin client' or 'zero client' solutions are available that enable sensitive data to persist on the server or in the cloud instead of on the device," he said. "The downside to these solutions is that near-constant network connectivity is required, which can present bandwidth challenges in a tactical/mission-oriented environment."

As with all technology challenges, it's vital to maintain a strong set of policies and procedures. "A data classification policy is critical ... as encrypted and protected storage should only be used for data that needs this level of security," Ford said. "Organizations end up over-deploying encryption solutions, which can lead to higher cost and administrative overhead."

New Challenges

As the military continues moving toward mobility-oriented devices, fresh challenges are arriving. "The number of operating systems and hardware platforms is growing," Ford observed. "[Yet] some of the emerging platforms are closed systems, and it is difficult to manage [such] native devices."

Protecting data on mobile devices, such as smart phones and tablets, poses the biggest data-at-rest security challenge, according to Warden. "This is due to the limited availability of Federal Information Processing Standard (FIPS) validated cryptography for platforms such as iOS and Android," he said. "Native cryptography provided with the OS for those platforms has not been validated, so vendors must use third-party libraries, which can limit portability, as well as raise the cost of their products due to license fees."

Verifying COTS devices for proper implementation of FIPS-validated cryptography can also be a challenge, Warden said. "The NIST Cryptographic Module Validation Program validates the implementation of cryptographic modules, but verification of module integration into COTS products is out-of-scope," he observed. "This makes it challenging for purchasers and end users to have confidence that data at rest is being protected as advertised."

Trusted operating systems, which allow information at multiple classification levels to be stored on a single device accessed by different users, promise enhanced data protection while maintaining system usability. "The trusted OS offers separation of data to provide access to information only to users or processes that have the appropriate clearance to access the data," Warden said. "This can be used in conjunction with thin-clients, encryption and physical protection to enhance the security profile of the overall system."
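The separation Warden describes is usually modelled as a lattice of security labels (a hierarchical level plus a set of need-to-know compartments) with two rules: a subject may not read data above its clearance ("no read up") and may not write data to a label below it ("no write down"), the Bell-LaPadula model. The Go program below is an added illustration of that access decision written for this page, not the code of any trusted OS the article refers to; its compartment names (ALPHA, BRAVO) and the sample clearance are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Level is a hierarchical sensitivity level; a higher level dominates a lower one.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

// Label is a security label: a level plus a set of non-hierarchical compartments.
// Labels form a lattice ordered by Dominates.
type Label struct {
	Level        Level
	Compartments map[string]bool
}

func NewLabel(l Level, comps ...string) Label {
	m := make(map[string]bool, len(comps))
	for _, c := range comps {
		m[c] = true
	}
	return Label{Level: l, Compartments: m}
}

// Dominates reports whether a >= b: a's level is at least b's and a carries
// every compartment b carries. Two labels may be incomparable.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// CanRead is the simple security property ("no read up"): the subject's
// clearance must dominate the object's label.
func CanRead(subject, object Label) bool { return subject.Dominates(object) }

// CanWrite is the *-property ("no write down"): the object's label must
// dominate the subject's, so data a process has read can never flow to a
// lower or incomparable label through that process.
func CanWrite(subject, object Label) bool { return object.Dominates(subject) }

func (a Label) String() string {
	names := []string{"UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"}
	comps := make([]string, 0, len(a.Compartments))
	for c := range a.Compartments {
		comps = append(comps, c)
	}
	sort.Strings(comps)
	if len(comps) == 0 {
		return names[a.Level]
	}
	return names[a.Level] + "//" + strings.Join(comps, "/")
}

func main() {
	// Constructed example: an analyst cleared SECRET with compartment ALPHA.
	analyst := NewLabel(Secret, "ALPHA")
	objects := []Label{
		NewLabel(Unclassified),
		NewLabel(Secret),
		NewLabel(Secret, "ALPHA"),
		NewLabel(Secret, "BRAVO"), // same level, different compartment: incomparable
		NewLabel(TopSecret, "ALPHA"),
	}
	for _, o := range objects {
		fmt.Printf("%-20s read=%-5v write=%v\n", o, CanRead(analyst, o), CanWrite(analyst, o))
	}
}
```

Note the SECRET//BRAVO row: the analyst is at the same level but lacks the compartment, so the labels are incomparable and both read and write are denied. The *-property also denies writing the analyst's data into a plain SECRET object, which is how the model stops a compromised or careless process from declassifying by copying. What is shown is only the policy decision; a trusted OS enforces it in the kernel on every access and normally layers discretionary and role-based checks on top.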

Educating staff on how to protect systems and devices is also important, since people are the first line of data defense. "Staff should be appropriately trained on how to protect data at rest from technical and physical security perspectives," Warden said.

"Not only do people have to be properly vetted to handle this type of information, but they must be able to 'zeroize' the data should it ever be at risk of being compromised," Leighton added.