GSA / modernization

Report to the President on IT Modernization
https://itmodernization.cio.gov

Data Protection Challenges: A Data-Centric Approach to True Cyber Security #19

Open p1faxlj0 opened 6 years ago

p1faxlj0 commented 6 years ago

The most important Future State Objective outlined in the Report to the President is that the government must “Reduce the Federal attack surface through enhanced application and data-level protections.” It notes that Federal networks cannot be trusted, and that protections from exploitation must be placed closer to the applications and data. This paper addresses this issue by offering a solution for protecting the sensitive data that is created, resides and transits inside and outside of this untrustworthy network.

A key asset for Federal agencies is the information collected, stored and maintained to support a variety of functions necessary to ensure the safety and well-being of U.S. citizens, and the protection and security of the United States and its allies. It is vital to the security of the United States and its citizens that these agencies protect and secure all sensitive information in their possession against breaches that result in data theft. The approaches of the past, walls and moats, have become ineffective against today's threats. We must assume the adversary is inside the gate. In every breach, firewalls have been deployed, and once a credential is stolen the data is accessible.

Security managers agree that network and device protections are not enough to ensure data is protected and regulatory compliance is achieved. Focusing only on perimeter security is a battle better suited for bygone times. Nowadays, sensitive data regularly moves from platform to platform and from endpoint to endpoint, inside and outside the organization. Federal regulations require agencies to protect sensitive data using FIPS 140-2 compliant technologies. A proper response to today’s threats is to provide persistent data protection from capture to glass, at rest and in motion, and further, to provide protection against vector-type attacks by providing true random key generation.

It is reasonable to assume that most agencies have implemented at least some measures for data protection to achieve compliance and satisfy auditors. Most likely, however, these implementations only target specific segments of data or functional areas within the IT infrastructure while leaving other data exposed. This behavior of implementing check-box data security without addressing the broad scope of threats gives our adversaries the advantage.

If an agency has acted more aggressively to implement broader data protection safeguards, the effort has typically resulted in a combination of point-solutions implemented over time, each addressing data within functional areas. For example, the agency may have implemented a solution to protect databases, another to protect end-user data (documents, PDFs, etc.), and possibly additional solutions to secure data in transport, back-ups, and/or shares.

As each point-solution is implemented, the burden on the organization to manage them increases. A cohesive and comprehensive solution that works in harmony to provide persistent data protection has been difficult to achieve. Many agencies have deployed up to 4-6 different point products to address data-at-rest encryption. Data moves throughout those points, but the protection drops as the data moves from archive to file system, between the file system and the application, and between the application and the endpoint. Adversaries wait for the decryption to occur to take the data, which explains why 95% of the exfiltrations of data occur between the file system and the user.

However, cyber-attacks have become very sophisticated. Typically, a breach begins when the intruder first gains access to the network, then lies dormant for months before mapping the network and planning the attack. When point-solutions are in place, the intruder begins by looking for the cracks where data is exposed in clear text as it is moved from point-solution to point-solution. Once the cracks are discovered, they move quickly to steal the data and exit the network.

The desired data protection solution must be persistent, cohesive and comprehensive. It should protect data at rest and as it moves through the organization. It should protect the data regardless of the IT platform's point of origin or destination. It should meet or exceed mandates and compliance regulations (FISMA, HIPAA, PCI, etc.). Below is a list of must-haves for comprehensive data protection:

- Visibility & Reporting
- Organizational control
- Best practices/standards enforcement
- Chain of Custody
- Access control and revocation
- Process integration (DLP, FLE, Virus/Malware Scan)
- Discovery & Remediation (of sensitive information)
- Key Management
- Persistent Protection across the Enterprise

True information security requires persistent data-level protection, so that information remains inaccessible even after a security breach. A data-centric security approach also ensures data can move from platform to platform securely with minimal or no exposure to a breach.

These threats can be mitigated without a need to rip and replace current infrastructure or disrupt operations. The post-breach ROI comes from avoiding the reallocation of engineering resources and saving hundreds of hours of post-breach mitigation of data loss, because the data is protected with an irrefutable chain of custody.

Specific answers to Key Questions

1. Major attributes that are missing from the targeted vision (Appendix A and B)

   a. Protection of data with true random generated FIPS 140-2 compliant means should be a “foundational” capability for all High Value Asset (HVA) data. Appendix A suggests that encryption of data at rest and data in transit with a true random number generator be “seriously considered” for HVAs by agencies; we recommend that true random encryption, capable of over 10GBS of random per second, be a “core component”, and thus “foundational”, for all HVAs.

   b. “Persistent” data-level protection is also recommended for this HVA data. As described in the paper above, only persistent data-level protection can protect sensitive data from the inevitable intruders lying in wait for data to be unencrypted inside the enterprise firewall, or in the virtual enterprise built in the cloud by the strategies recommended in Appendix B.

   c. “Persistent” data-level protection will also alleviate the “encrypted network” issues that DHS has, as described in Appendix C. Understanding the provenance of all government-initiated data with easily managed metadata and true random (the foundation of digital rights management) will allow DHS sensors to focus on data that is unknown, or known but known to have been tampered with prior to it entering or exiting the government networks and applications.

tseronis commented 6 years ago

A very timely perspective, especially as our Nation's critical infrastructure protection sectors embrace the "Internet of Everything" to realize actionable intelligence. Information Sharing and, more importantly, Information Safeguarding underpin the R&D agenda globally.

mjemery1 commented 6 years ago

p1faxlj0 - thanks for addressing this new way of thinking about how to protect the government's most valuable resource - its data! I'd like reviewers of the issue to also connect its importance with comments made under Issue #4. This paper points out a new way to think about cyber security, a re-engineering of the cyber risk management process. Rather than protecting the data from the outside-in (which all of the Appendix B recommendations do), a data-centric approach protects the data from the inside-out throughout its digital life cycle. By automatically (without user intervention) encrypting and tagging data from its moment of creation, based upon enterprise policies, and maintaining those tags throughout the data's life cycle, the data is under the absolute control of the government enterprise and its authorized users. A "data rights management" capability is now created that everyone can recognize from their experience with the music industry's "digital rights management", where only authenticated users can access the "data" and the ability to use and copy data is self-controlled by the "data creation event" and policy. Just as the music industry protects its music from being pirated, the government can protect its data from being misused (although clearly with better encryption algorithms and protocols from FIPS 140-2). Implementing a data-centric approach will require new thinking by our cyber professionals and regulators, but it will save money while it addresses the fact that government networks are not and may never be made secure from intrusions, or insider threats.
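The "encrypt and tag at creation, enforce policy from the tags" mechanism described in the comment above and in the paper's must-have list (chain of custody, access control and revocation), as an added Go example that is not from the issue or the GSA project. It assumes AES-GCM with the tags carried as associated data, a hypothetical `Tags` field set, and a caller-supplied policy function; key management, which the paper lists separately, is out of scope here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Tags is the policy metadata stamped on data at creation (hypothetical fields).
type Tags struct {
	Classification string `json:"classification"`
	Owner          string `json:"owner"`
}
// Protected moves between platforms with its tags in the clear; the tags are
// bound to the ciphertext as GCM associated data, so editing them breaks Open.
type Protected struct {
	Tags  Tags
	Nonce []byte
	Body  []byte // AES-GCM ciphertext with its authentication tag appended
}
type Vault struct{ gcm cipher.AEAD } // holds the data key; key management is out of scope
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{gcm}, err
}

// Protect encrypts at the point of creation and binds the tags to the data.
func (v *Vault) Protect(tags Tags, plaintext []byte) (*Protected, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(tags) // a struct of strings always marshals
	return &Protected{tags, nonce, v.gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open enforces policy from the tags before touching the key; GCM then verifies body and tags together.
func (v *Vault) Open(p *Protected, requester string, allow func(Tags, string) bool) ([]byte, error) {
	if !allow(p.Tags, requester) {
		return nil, errors.New("policy denies " + requester)
	}
	aad, _ := json.Marshal(p.Tags)
	return v.gcm.Open(nil, p.Nonce, p.Body, aad)
}
```

A retagged copy (for example, an edited `Owner`) passes the policy check but fails GCM authentication, which is the persistence property the thread argues for: the protection does not drop when the object moves.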