Encryption key management: Best practices for federal agencies
Connecting state and local government leaders
When dealing with sensitive information, it's essential agencies ensure keys are accessible, under their control and available only to those who need them.
Government cloud adoption continues to increase steadily. According to a Bloomberg Government analysis, spending on cloud technology is expected to reach $8.5 billion by FY23. But as agencies consider their next steps towards the cloud, security remains a consistent concern. Efforts like the Cloud Smart Strategy and the Federal Risk and Authorization Management Program have helped agencies evolve their cloud security strategies, but there is still much consider, including approaches to encryption.
Basic practices like encryption of data stored in the cloud are critical, but they're not always enough for federal agencies. In addition to basic encryption techniques, agencies must also think about sophisticated internal and external threats: This where complete control over encryption keys becomes crucial.
Threats against agencies are becoming more advanced
Bad actors' techniques have advanced along with government cloud technologies, which means an extra layer of protection is necessary to match expanding threats. Encrypting data from end-to-end, in transit and at rest, ensures it stays protected at all times.
Beyond those basics, stringent security over the keys used to encrypt data can be crucial for sensitive applications and workloads. When employing a cloud solution, agencies may enlist multiple providers to create a multi- or hybrid-cloud environment, meaning encryption keys are stored in more than one location across various infrastructures, increasing the risk of the keys falling into the hands of a bad actor.
For agencies dealing with sensitive information, such as citizens’ personable identifiable information, it's essential they ensure keys are accessible, under their control and available only to those who need them. By keeping ownership over keys, agencies maintain complete control over their data and the encryption process.
The Cloud Security Alliance recommends encrypting data in the cloud and managing the encryption keys on premises within a FIPS-certified boundary. They should be secured and operated by a FIPS 140-2 certified key manager. Storing keys in tamper-resistant FIPS 140-2 Level 3 hardware security modules provides the highest level of security against internal and external threats.
Having full ownership of encryption keys gives agencies a layer of security to protect against sophisticated and persistent threats; however, offices must strictly limit and verify who has access to those keys.
The mobile perspective
Cloud-based applications often connect directly with mobile devices, which can also serve as entry points for bad actors via malware apps, mobile phishing and more. Cloud encryption is important, but agencies must also provide comprehensive security for the endpoints.
A dedicated mobile security solution is always essential to fully protect an agency and its information from phishing as well as app, device and network threats. The security platform should also adhere to zero-trust principles. Since government employees are working away from the office, administrators must ensure endpoint validation of all users before allowing access to organizational infrastructure.
As federal agencies increase their dependence on the cloud, they must consider a cybersecurity strategy that includes mobile devices and advanced encryption solutions.